Banking Trojans Trickbot and IcedID Join Forces to Perform Lucrative Attacks

This is not the first time we are discussing Trickbot or IcedID, but it is the first time both of these banking Trojans are discussed in the same article. The news just came in about these threats joining forces to perform more lucrative and more widespread attacks. The cooperation between these infections was originally discovered by the Flashpoint team, which reported that the parties behind these infections are likely to be sharing both operation details and profits, which sounds like a pretty serious merger. Is it possible that both Trojans were operated by the same cyber criminals all along? The information that was gathered proves that this is not the case. Both infections are strong on their own, and so it is pretty daunting that they now work hand in hand.


What is Trickbot Banking Trojan?

The first time our research team reported Trickbot was back in 2016, but it reemerged in the news earlier this year, when it was discovered that the infection was using Dropbox for stealthy distribution via spam emails. When the infection was first reported, it was found to target the users of Australian online bank websites. The threat can employ webinjects to manipulate the content available on targeted websites to trick the victim into disclosing private information, which, of course, might include passwords, passcodes, special answers, user names, and other data that might be used to log into online bank accounts. Besides using server-side injections, Trickbot can also redirect to a malicious server to introduce the user to a replica of the login page, which, ultimately, is used to record the same kind of information. Basically, this infection uses extremely complicated and clandestine techniques to trick users into disclosing sensitive data. It is also worth mentioning that the predecessor of this Trojan is the infamous Dyre.

What is IcedID Banking Trojan?

The malicious IcedID came a little later, in the fall of 2017. This infection also attracted attention because of its ability to employ web injections to manipulate webpages, and it could also redirect to fake web pages. According to SCMagazine, the infection was primarily created to target “businesses’ endpoints” and “terminate servers” that connect them to a greater network. Just like Trickbot, this infection was designed to attack those using banks, as well as those shopping online or using online mobile services. IcedID was spread using an Emotet downloader, and, as it turns out, the attackers behind it were also responsible for Dridex, another well-known banking Trojan. This means that both threats we are discussing today have well-known predecessors. The infection has evolved since then, and malware researchers report that it is now being distributed with the help of misleading spam emails, which is yet another similarity between the two banking Trojans. The new thing here is that IcedID was found to act as a downloader itself, and if it manages to get in, it silently installs Trickbot.

Who Controls These Banking Trojans and How Is It Done?

Both Trickbot and IcedID are primarily used to steal banking credentials, but they are both capable of much more. In fact, Flashpoint researchers suggest that attackers behind this malware can control modules that would enable them to expand the scope of the attack. For example, it is known that Trickbot has a connection to crypto-currency mining. Of course, it does not do the work itself. Instead, using a man-in-the-middle attack, the infection has been reported to steal credentials of those purchasing crypto-currency. Basically, the Trojan does not mine, but rather steals crypto-currency. It was also found that these threats are controlled by a party that purchases infections (instead of building them itself) and hires actors to perform specific tasks. It is believed that the parties involved are not even familiar with one another. It is also possible that the people who originally built these banking Trojans are not even involved in the operations anymore. There is no rivalry between these threats. It is all just a well-oiled business that brings profit to everyone who does their part.

What’s Next and How Do You Protect Yourself against This Malware?

First and foremost, you need to ensure that your operating system is protected against Trojans and other kinds of malicious infections. If you take care of that at the right time, you can minimize the chances of malware getting in, and that is the most important thing. If a Trojan slithers in, it can perform in a malicious manner without alerting the victim, which means that you might remain oblivious to the whole thing, and that, of course, can create serious problems. If Trickbot and IcedID invade your operating system, they can steal your online banking credentials and use them to impersonate you online and steal your money. Since catching this malware in action is very difficult if you do not have experience and technical knowledge, using a legitimate malware scanner is something you should be diligent about. As long as you use a reliable and up-to-date scanner, and you inspect your system frequently, you should be able to catch malware in time. Note that a malware scanner is integrated in anti-malware software. Removing the Trojans manually is possible, but experience and skills are required.


Barth, B. 2017, November 14. New IcedID banking trojan already rivals worst of its malware peers. SCMagazine.
Kremez, V. 2018, May 30. Trickbot and IcedID Botnet Operators Collaborate to Increase Impact. Flashpoint.
O’Donnell. 2018, May 30. Botnet Operators Team Up To Leverage IcedID, Trickbot Trojans. ThreatPost.
Olenick, D. 2018, February 15. Cryptocurrency mining crimeblotter, TrickBot, Coinhoard and Apache CouchDB vulnerabilities. SCMagazine.