IcedID Banker is Back, Adding Steganography, COVID-19 Theme


Aug 17, 2014
A new version of the IcedID banking trojan has debuted that notably embraces steganography – the practice of hiding code within images – in order to stealthily infect victims. It has also changed up its process for eavesdropping on victims’ web activity.

Researchers at Juniper Threat Labs have uncovered an email spam campaign circulating in the United States spreading the malware. The messages use the COVID-19 pandemic and the Family and Medical Leave Act (FMLA) as their theme, including using related keywords in email sender names and attachment names.

The attachments are booby-trapped with malicious macros that, if opened, execute the IcedID banking trojan, which has been around since 2017. IcedID specializes in mounting man-in-the-browser attacks to intercept and steal financial information from victims. In the latest campaign, it harvests credentials and payment-card data from American Express, AT&T, Bank of America, Capital One, Chase, Discover, eBay, E-Trade, J.P. Morgan, Charles Schwab, T-Mobile, USAA, Verizon Wireless, Wells Fargo and others.

This latest variant changes up its infection tactics by injecting into msiexec.exe to insert itself into browser traffic, and using full steganography for downloading its modules and configurations, researchers said.