New IcedID Banking Trojan Emerges

A newly discovered banking Trojan called IcedID was built with a modular design and modern capabilities when compared to older financial threats, IBM X-Force warns.

The new threat was first observed in September 2017 as part of test campaigns, and is now actively targeting banks, payment card providers, mobile services providers, payroll accounts, webmail accounts and e-commerce sites in the United States, along with two major banks in the United Kingdom.

Although it includes features comparable to those of other banking Trojans and can carry out advanced browser manipulation, IcedID does not appear to borrow code from other Trojans, IBM says. Because its capabilities are already on par with those of Zeus, Gozi and Dridex, however, the researchers expect IcedID to receive further updates soon.

As part of the initial infection campaigns, the new banking Trojan has been dropped through the Emotet Trojan, which led X-Force research to believe that its operators aren’t new to the threat arena.

Emotet has been the distribution vehicle for many malware families this year, mainly focused on the U.S., but also targeting the U.K. and other parts of the world. In 2017, Emotet has been serving “elite cybercrime groups from Eastern Europe, such as those operating QakBot and Dridex,” and has now added IcedID to its payload list, IBM says.

First spotted in 2014 as a banking Trojan, Emotet is distributed via malicious spam emails, usually inside documents that feature malicious macros. Once on a machine, Emotet achieves persistence and ensnares the system into a botnet. It also fetches a spamming module, a network worm module, and password and data stealers.

IcedID itself includes network propagation capabilities, which suggests its authors might be targeting businesses with the new threat. IBM observed the malware infecting terminal servers, which usually provide endpoints, printers, and shared network devices with a common connection point to a local area network (LAN) or a wide area network (WAN).

The Trojan queries the directory over the Lightweight Directory Access Protocol (LDAP) to discover other users to infect, the researchers say. They also note that, on compromised systems, the malware sets up a local proxy that tunnels the victim’s browser traffic so it can monitor online activity, and that it relies on both web injections and redirections to carry out its fraud.


IcedID downloads the configuration file (containing a list of targets) from its command and control (C&C) server when the user opens a web browser. It was also observed using secure sockets layer (SSL) for communication with the server.

The malware does not appear to feature advanced anti-virtual machine (VM) or anti-research techniques, although it does require a reboot to complete its deployment, most likely to evade sandboxes that do not emulate rebooting: such a sandbox observes only the first stage and never sees the persistent payload.

For persistence, the malware creates a Run key in the registry (an autostart entry executed at logon), after which it writes an RSA key to the AppData folder. The researchers have yet to determine the exact purpose of this key.
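Two of the behaviours described above, a Run key that launches a binary from AppData and broad LDAP user discovery from an ordinary workstation, are cheap to hunt for in endpoint and domain-controller telemetry. The script below is an added example written for this article, not IBM X-Force’s code and not an IcedID indicator list; the registry entries, LDAP search records, hostnames and the allow-list of hosts permitted to enumerate the directory are all constructed for illustration.

```python
"""Hunting heuristics for two behaviours attributed to IcedID in the text:
an autostart Run key whose target lives under AppData, and wide LDAP user
enumeration issued from a host that has no business doing it.
Sample telemetry below is constructed; it is not real IcedID data."""
import re

# Constructed registry autostart entries: (key, value name, command line).
AUTORUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r'"C:\Users\bob\AppData\Local\Temp\upd.exe" -s'),
]

# Constructed LDAP search records as a domain controller might log them:
# (client host, search base, filter). Not a specific product's log format.
LDAP_SEARCHES = [
    ("DC01", "DC=corp,DC=example", "(&(objectClass=user)(sAMAccountName=alice))"),
    ("WS-ALICE", "DC=corp,DC=example", "(objectClass=user)"),
    ("WS-ALICE", "DC=corp,DC=example", "(objectCategory=person)"),
    ("ADMIN-JUMP", "DC=corp,DC=example", "(objectClass=user)"),
    ("WS-BOB", "CN=bob,OU=Users,DC=corp,DC=example", "(objectClass=*)"),
]

# Assumed allow-list: hosts from which directory-wide enumeration is expected.
ENUMERATION_ALLOWED = {"DC01", "ADMIN-JUMP"}

_APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)

# Filters that return every user object rather than a specific account.
_BROAD_FILTERS = {"(objectclass=user)", "(objectcategory=person)", "(objectclass=*)"}


def extract_image_path(command_line):
    """Return the executable path from a Run value's command line.

    Handles a quoted path followed by arguments, and an unquoted path
    (with spaces) followed by arguments, by cutting at the first '.exe'."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cl, re.IGNORECASE)
    return m.group(1) if m else cl.split()[0]


def suspicious_autoruns(entries):
    """Return (key, value name, image path) for Run entries launching from AppData."""
    hits = []
    for key, name, cmd in entries:
        path = extract_image_path(cmd)
        if _APPDATA_RE.search(path):
            hits.append((key, name, path))
    return hits


def broad_ldap_enumeration(searches, allowed_hosts):
    """Map host -> list of broad user-enumeration filters it sent against a
    domain root, skipping hosts on the allow-list and searches scoped to a
    single object (base starting with CN= or OU=)."""
    hits = {}
    for host, base, flt in searches:
        if host in allowed_hosts or not base.upper().startswith("DC="):
            continue
        if flt.replace(" ", "").lower() in _BROAD_FILTERS:
            hits.setdefault(host, []).append(flt)
    return hits


if __name__ == "__main__":
    for key, name, path in suspicious_autoruns(AUTORUN_ENTRIES):
        print(f"Run entry launching from AppData: {key}\\{name} = {path}")
    for host, filters in broad_ldap_enumeration(LDAP_SEARCHES, ENUMERATION_ALLOWED).items():
        print(f"broad LDAP user enumeration from {host}: {filters}")
```

Neither heuristic is specific to IcedID: plenty of legitimate software autostarts from AppData and administrative tooling enumerates the directory. The value comes from correlating the two on the same host within a short window, and from the allow-list, which is the part that needs tuning per environment.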

The redirection technique employed by IcedID is designed to appear as seamless as possible to the victim. The connection to the actual bank’s site is kept alive, so the legitimate bank’s URL remains in the address bar together with the bank’s correct SSL certificate, while the content the victim interacts with comes from a fake page through the local proxy. The victim is thus tricked into entering credentials on the fake page and, through social engineering, into revealing transaction authorization elements as well. Since the proxy runs on the infected endpoint, the padlock and URL offer no assurance here; the practical defenses sit server-side, in transaction anomaly detection and out-of-band confirmation of payments.

During a single campaign in late October, the Trojan was observed communicating with four different C&C servers.

The malware’s operators also use a dedicated, web-based remote panel to orchestrate webinjection attacks for the targeted bank sites. The panel is accessible with a username and password combination. The server the panel communicates with is based on the OpenResty web platform.

“Webinjection panels are typically commercial offerings criminals buy in underground markets. It is possible that IcedID’s operators use a commercial panel or that IcedID itself is commercial malware. However, at this time there is no indication that IcedID is being sold in the underground or Dark Web marketplaces,” IBM notes.

Related: Qakbot, Emotet Increasingly Targeting Business Users: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
