IcedID: Original new banking Trojan emerges

IcedID, a new banking Trojan that does not seem to have borrowed code from other similar threats, has entered the financial cybercrime arena.

It was first spotted in the wild in September 2017, and it currently targets banks, payment card providers, mobile services providers, payroll, webmail, and ecommerce sites in the US, Canada and the UK.

IcedID banking Trojan capabilities

IcedID has a modular architecture, and its current capabilities are likely just the beginning.

To intercept communication from the victim’s computer, IcedID sets up a local proxy and redirects all Internet traffic through it. This is how it captures relevant communications and sends it to its C&C server(s).

It is capable of stealing sensitive information and credentials through web-injection and redirection attacks. The former approach is mostly used for stealing banking credentials, while the latter for grabbing payment card info and webmail credentials.

“To orchestrate web injection attacks for each targeted bank site, IcedID’s operators have a dedicated, web-based remote panel accessible with a username and password combination,” IBM X-Force researchers found.


IcedID’s remote webinject panel login page

But while this points to the malware being a commercial offering, they are yet to witness it being offered for sale on dark web marketplaces.

“The redirection scheme IcedID uses is not a simple handover to another website with a different URL. Rather, it is designed to appear as seamless as possible to the victim, which includes displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate which is made possible by keeping a live connection with the actual bank’s site,” the researchers noted.

“IcedID’s redirection scheme is implemented through its configuration file. The malware listens for the target URL from the list, and once it encounters a trigger, it executes a designated web injection. The web injection is the element that then sends the victim to a fake bank site set up in advance to match the one they originally requested. The victim sees their usual login page, submit their credentials, and unknowingly send them to the attacker’s server. From that point on, the attacker controls the ‘session’ the victim goes through, which typically include social engineering to trick the victim into divulging transaction authorization elements.”

The malware can also move to and compromise other endpoints, so it can also target organizational endpoints, and not just home users. It uses the Lightweight Directory Access Protocol (LDAP) to discover where it could spread in a network.

Its communications with its C&C servers are encrypted (to keep them secret and to bypass IDS solutions), and it requires a reboot to complete full deployment (a move that is likely meant to evade sandboxes).

How is IcedID delivered to victims?

The malware is usually delivered to endpoints that have already been compromised by the Emotet Trojan.

“Emotet itself comes via malspam, usually inside rigged productivity files that contain malicious macros. Once Emotet infects the endpoint, it becomes a silent resident, operated to service the requests of other cybercriminal groups,” the researchers say, and posit that “a threat actor or a small cyber gang has been operating Emotet as a distribution operation for banking Trojans and other malware codes this year.”

This taking advantage of Emotet for distribution makes the researchers believe that IcedID’s operators are not new to the cybercrime arena.

Don't miss