IcedID: Original new banking Trojan emerges

silversurfer

IcedID, a new banking Trojan that does not seem to have borrowed code from other similar threats, has entered the financial cybercrime arena.

It was first spotted in the wild in September 2017, and it currently targets banks, payment card providers, mobile services providers, payroll, webmail, and ecommerce sites in the US, Canada and the UK.

IcedID banking Trojan capabilities
IcedID has a modular architecture, and its current capabilities are likely just the beginning.

To intercept communication from the victim’s computer, IcedID sets up a local proxy and redirects all Internet traffic through it. This is how it captures relevant communications and sends them to its C&C server(s).

It is capable of stealing sensitive information and credentials through web-injection and redirection attacks. The former approach is mostly used for stealing banking credentials, while the latter for grabbing payment card info and webmail credentials.

“To orchestrate web injection attacks for each targeted bank site, IcedID’s operators have a dedicated, web-based remote panel accessible with a username and password combination,” IBM X-Force researchers found.

[Image: IcedID’s remote webinject panel login page]

But while this points to the malware being a commercial offering, they have yet to witness it being offered for sale on dark web marketplaces.

“The redirection scheme IcedID uses is not a simple handover to another website with a different URL. Rather, it is designed to appear as seamless as possible to the victim, which includes displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate, which is made possible by keeping a live connection with the actual bank’s site,” the researchers noted.

“IcedID’s redirection scheme is implemented through its configuration file. The malware listens for the target URL from the list, and once it encounters a trigger, it executes a designated web injection. The web injection is the element that then sends the victim to a fake bank site set up in advance to match the one they originally requested. The victim sees their usual login page, submits their credentials, and unknowingly sends them to the attacker’s server. From that point on, the attacker controls the ‘session’ the victim goes through, which typically includes social engineering to trick the victim into divulging transaction authorization elements.”

The malware can also move to and compromise other endpoints, so it can target organizational endpoints and not just home users. It uses the Lightweight Directory Access Protocol (LDAP) to discover where it could spread in a network.

Its communications with its C&C servers are encrypted (to keep them secret and to bypass IDS solutions), and it requires a reboot to complete full deployment (a move that is likely meant to evade sandboxes).

How is IcedID delivered to victims?
The malware is usually delivered to endpoints that have already been compromised by the Emotet downloader Trojan.

“Emotet itself comes via malspam, usually inside rigged productivity files that contain malicious macros. Once Emotet infects the endpoint, it becomes a silent resident, operated to service the requests of other cybercriminal groups,” the researchers say, and posit that “a threat actor or a small cyber gang has been operating Emotet as a distribution operation for banking Trojans and other malware codes this year.”

This use of Emotet for distribution makes the researchers believe that IcedID’s operators are not new to the cybercrime arena.
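The local-proxy interception described above leaves a concrete trace on a Windows host: the WinINet proxy settings (the ProxyEnable and ProxyServer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) point browser traffic at a loopback address. The following is an added triage script, not code from the article, from IBM X-Force or from the malware, that parses the real ProxyServer string formats ("host:port" or "http=host:port;https=host:port;...") and flags an enabled loopback proxy. The sample registry values are constructed for illustration; the known_local_ports parameter is an assumption you would fill with ports of legitimate local agents (Fiddler, Burp, a corporate inspection agent) in your own environment.

```python
"""
Flag a WinINet proxy configuration that routes browser traffic through
a loopback proxy, the pattern described for IcedID's local proxy.
Added example; the registry key and value names are the real WinINet
ones, the sample values at the bottom are constructed.
"""
import re
from dataclasses import dataclass, field

# Loopback hosts a browser could be pointed at: 127.x.x.x, localhost, ::1.
LOOPBACK_RE = re.compile(r"^(127(?:\.\d{1,3}){3}|localhost|\[::1\]|::1)$", re.IGNORECASE)


@dataclass
class ProxyFinding:
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_proxy_server(value: str) -> dict:
    """Parse a WinINet ProxyServer value into {protocol: host:port}.
    A value without '=' applies to all protocols; otherwise it is a
    ';'-separated list of proto=host:port entries."""
    value = value.strip()
    if not value:
        return {}
    if "=" not in value:
        return {"all": value}
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, hostport = part.partition("=")
        entries[proto.strip().lower()] = hostport.strip()
    return entries


def split_host_port(hostport: str):
    """Split 'host:port' (optionally with a scheme prefix or an IPv6
    literal in brackets) into (host, port); port is None if absent."""
    hostport = re.sub(r"^[a-z]+://", "", hostport, flags=re.IGNORECASE)
    if hostport.startswith("["):
        host, _, rest = hostport[1:].partition("]")
        return "[" + host + "]", (rest.lstrip(":") or None)
    host, _, port = hostport.rpartition(":")
    if not host:  # no colon at all: the whole string is the host
        return port, None
    return host, port


def assess_proxy(proxy_enable: int, proxy_server: str,
                 known_local_ports=frozenset()) -> ProxyFinding:
    """Return a finding for the given ProxyEnable/ProxyServer pair.
    Only an enabled proxy matters; a loopback proxy on a port that is
    not an approved local agent is flagged as suspicious."""
    finding = ProxyFinding(suspicious=False)
    if proxy_enable != 1:
        return finding  # proxy disabled: nothing is routed through it
    for proto, hostport in parse_proxy_server(proxy_server).items():
        host, port = split_host_port(hostport)
        if not LOOPBACK_RE.match(host):
            continue  # remote proxy, e.g. a corporate gateway
        try:
            port_num = int(port) if port is not None else None
        except ValueError:
            port_num = None
        if port_num in known_local_ports:
            finding.reasons.append(f"{proto}: loopback proxy on approved local port {port_num}")
            continue
        finding.suspicious = True
        finding.reasons.append(f"{proto}: traffic routed to loopback proxy {host}:{port}")
    return finding


def read_wininet_proxy():
    """Read the live values on a Windows host (requires the winreg
    module); returns (ProxyEnable, ProxyServer) with defaults if unset."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    try:
        try:
            enable, _ = winreg.QueryValueEx(key, "ProxyEnable")
        except FileNotFoundError:
            enable = 0
        try:
            server, _ = winreg.QueryValueEx(key, "ProxyServer")
        except FileNotFoundError:
            server = ""
    finally:
        winreg.CloseKey(key)
    return int(enable), str(server)


# Constructed sample values (not taken from any real infection).
SAMPLES = {
    "clean": (0, ""),
    "corporate_gateway": (1, "proxy.corp.example:3128"),
    "loopback_all_protocols": (1, "127.0.0.1:49872"),
    "loopback_http_https_only": (1, "http=127.0.0.1:49872;https=localhost:49872;ftp=proxy.corp.example:3128"),
    "approved_local_agent": (1, "127.0.0.1:8080"),
}

if __name__ == "__main__":
    for name, (enable, server) in SAMPLES.items():
        f = assess_proxy(enable, server, known_local_ports=frozenset({8080}))
        print(f"{name:28s} suspicious={f.suspicious} {f.reasons}")
```

Treat a hit as a lead, not a verdict: many legitimate tools install a loopback proxy, so pair the finding with the owning process and its port listener. Also check the AutoConfigURL value under the same key, since a PAC script can achieve the same redirection without touching ProxyServer.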
 

Solarquest

New IcedID Banking Trojan Discovered

Interesting:
"The trojan's only weakness, for now, is its lack of advanced anti-VM and anti-sandbox detection measures. These protections are crude, and the most advanced of them all is an IcedID requirement to execute a PC reboot to complete the trojan's full deployment, possibly to evade sandboxes that do not emulate rebooting".

