
New IcedID Banking Trojan Goes After Business Organizations

Posted: November 16, 2017

IcedID Might Be the New Kid on the Block, but Early Analysis Shows That It Means Business

With so many banking trojans for sale on the dark web, it is hard to see why anyone would go to the trouble of writing a brand new one. Every now and then, however, new banking malware appears which shows that, as sophisticated as the current offerings are, there is still demand for leaner, meaner financial fraud tools. On Monday, researchers from IBM's X-Force wrote about the newest banking trojan, IcedID.

Likely a work in progress

The researchers first spotted it in September, when it was let loose on a trial run, but most of the samples they analyzed came from an October campaign. There is no information on how many people were affected, but the experts reckon that IcedID has yet to show its full potential. They noticed, for example, that it employs very few anti-analysis techniques.

IcedID does require a reboot to complete its deployment, which can hamper analysis in sandboxes that don't emulate or survive a reboot. C&C communication is done over HTTPS, but other than that there is little to deter malware analysts. That said, IBM's researchers noted that anti-analysis techniques may well be added in the not-too-distant future; given that IcedID appears to be the work of experienced threat actors who know what they are doing, such an update seems likely.

Sophisticated code that is on par with some of the big names in the financial malware industry

IcedID isn't an offshoot of an existing banking trojan. IBM's researchers explained that parts of its code are comparable to established names like Zeus, Dridex, and Gozi, but they said nothing about potential links between the authors of these trojans. One thing is certain: IcedID's creators mean business.

The infection starts with the good old macro-rigged Word document sent by email. The researchers didn't specify what the malicious documents are disguised as, but they noted that they are most likely aimed at employees of business organizations. The macros don't load IcedID itself. Instead, they download Emotet.

Emotet helps with the distribution

Emotet has been around for about three years now, and despite having its own credential-harvesting capability, in recent months it has been used primarily as a dropper for a second-stage payload. Right now, that second-stage payload is IcedID.

After a reboot, Emotet downloads an IcedID sample and writes it to %LocalAppData%. Persistence is achieved through a Run key that launches the payload every time the user logs on. Alongside the executable, an RSA key is also written to %LocalAppData%, though the researchers are not yet sure what it is for. Next, a local proxy is set up, and IcedID sets about infecting other machines on the network.

The network propagation capability is yet another reason to believe that the IcedID actors are targeting organizations rather than individual users. According to the researchers, the trojan can even infect terminal servers, which makes spreading across a whole network easier.

Finally, IcedID connects to one of its C&C servers and downloads its configuration file. Once that is done, the stage is set for the credential-stealing operation.
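The deployment steps above (payload under %LocalAppData%, a Run key for persistence, a local proxy) are exactly the host artifacts a responder would look for. The script below is an added example, not code from the article or from IBM X-Force: it parses the text of a `reg export` of the current user's Run key and WinINET proxy settings, flags Run values whose executable lives under %LocalAppData% or another user-writable directory, and flags a proxy that points at the local host. The sample export, the user name `alice`, the file name `qwfesbd` and port 31337 are constructed for the example. Routing browser traffic through the WinINET proxy setting is an assumption: the article says IcedID sets up a local proxy but does not describe how traffic reaches it, so the proxy check is one plausible place to look, not a documented indicator.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample in the shape of `reg export` output (two keys, a handful of values).
# The user name, the random-looking file name and the proxy port are made up for this
# example; they are not indicators taken from the IcedID report.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"qwfesbd"="C:\\Users\\alice\\AppData\\Local\\qwfesbd\\qwfesbd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:31337;https=127.0.0.1:31337"
"""

RegValue = Union[str, int]

KEY_RE = re.compile(r'^\[(.+)\]$')
# A value name is either @ (the key's default value) or a quoted, backslash-escaped string.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files double backslashes and escape embedded quotes; undo both in one pass.
    return re.sub(r'\\(.)', r'\1', s)


def _decode(raw: str) -> RegValue:
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])          # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)              # REG_DWORD, written as hex
    return raw                               # hex(...) blobs and other types kept verbatim


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse the text of a .reg export into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode(m.group(2))
    return keys


# Directories a standard user can write to. Installed software normally lives under
# Program Files, so a Run value whose image sits here deserves a closer look.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\downloads\\", "\\users\\public\\")


def image_path(command: str) -> str:
    """Pull the executable out of a Run value, quoted ('"C:\\x y.exe" /a') or not ('C:\\x.exe /a')."""
    command = command.strip()
    m = re.match(r'^"([^"]+)"', command)
    return m.group(1) if m else command.split(" ", 1)[0]


def suspicious_run_entries(keys: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, str]]:
    """Run-key values whose executable sits in a user-writable directory."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, value in values.items():
            path = image_path(str(value)).lower()
            if any(marker in path for marker in USER_WRITABLE):
                hits.append((name, path))
    return hits


def loopback_proxy_entries(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """WinINET proxy entries that point at the local host (only counted when ProxyEnable=1)."""
    flagged = []
    for key, values in keys.items():
        if not key.lower().endswith("\\internet settings"):
            continue
        if values.get("ProxyEnable") != 1:
            continue
        for entry in str(values.get("ProxyServer", "")).split(";"):
            hostport = entry.split("=", 1)[-1].strip()     # drop a "http=" / "https=" prefix
            if hostport.startswith("["):                   # bracketed IPv6 literal
                host = hostport.split("]", 1)[0] + "]"
            else:
                host = hostport.rsplit(":", 1)[0]
            if host.lower() in ("localhost", "[::1]") or host.startswith("127."):
                flagged.append(entry.strip())
    return flagged


def triage(reg_text: str) -> Dict[str, list]:
    """Run both checks over one export and return the findings by kind."""
    keys = parse_reg_export(reg_text)
    return {"run": suspicious_run_entries(keys), "proxy": loopback_proxy_entries(keys)}


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_REG_EXPORT).items():
        for item in findings:
            print(f"[{kind}] {item}")
```

To run this against a real host, export the two keys with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`), read the files with `encoding="utf-16"` because `reg export` writes UTF-16LE, and pass the text to `triage()`. The Run check is a heuristic: a legitimate per-user updater under %LocalAppData% will show up as well, so treat hits as leads to verify (hash, signature, creation time around the suspected infection) rather than as verdicts.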

Webinjects and redirects make for a nasty combination

IcedID springs to life as soon as the user opens a browser window and starts monitoring the victim's activity. If the user tries to reach one of the banking websites, e-commerce platforms, or payment card and mobile service providers listed in the configuration file, it triggers a sophisticated attack that combines a webinject with redirection.

The webinject keeps the connection to the legitimate website alive, so nothing changes in the browser's address bar: the targeted organization's URL stays the same, as does the green padlock, which can fool the victim into thinking everything is fine. The padlock attests to the live TLS connection, not to the content being displayed. Behind the scenes, the browser is quietly redirected to a replica page hosted on a server controlled by IcedID's operators. There, victims are asked for their usernames and passwords, which is common practice in the banking trojan world. The experts noted, however, that the IcedID gang have implemented a few social engineering tricks that entice users into sharing even more sensitive information, which, as you might expect, is sent to the threat actors. The stolen data is stored on a server with an admin panel powered by OpenResty, an open-source web platform. The use of OpenResty suggests that IcedID could soon be sold to other wannabe threat actors frequenting dark web forums and marketplaces.

If that happens, what is undoubtedly a serious piece of financial fraud malware will be available to many cybercriminals who, we imagine, will be more than happy to use it. That's not good news for people who carelessly open Word documents received by email.
