IcedID, a new sophisticated banking Trojan doesn’t borrow code from other banking malware

“Overall, this is similar to other banking Trojans, but that’s also where I see the problem,” says Limor Kessem, executive security advisor for IBM Security.

The banking Trojan was first observed in September in campaigns aimed at banks, payment card providers, mobile service providers, payroll, Webmail, and e-commerce sites in the United States and Canada.

The malware also targeted two major banks in the United Kingdom.

The experts highlighted the distribution technique adopted by IcedID that leverages on the Emotet Trojan. Emotet is delivered via spam emails, usually disguised in productivity files containing malicious macros, and remains stealth to be used by operators to distribute other payloads, such as IcedID.

IcedID implements the ability to propagate over a network, a circumstance that suggests authors developed it to target large businesses.

“IcedID can propagate over a network. It monitors the victim’s online activity by setting up a local proxy for traffic tunneling, which is a concept reminiscent of the GootKit Trojan. Its attack tactics include both webinjection attacks and sophisticated redirection attacks similar to the scheme used by Dridex and TrickBot.” reads the analysis published by IBM.

The redirection scheme implemented by IcedID is designed to appear as seamless as possible to the victim. It includes displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate by keeping a live connection with the actual bank’s site.

The malware listens for the target URL and when it encounters a trigger, executes a Web injection. Victims are redirected to fake banking websites, used by crooks to trick victims into submitting their credentials.

The attacker controls the victim’s session and uses social engineering to trick victims into sharing transaction authorization data.

The level of sophistication of the IcedID malware suggests the attackers belong to a well-structured group. The analysis of comments in IcedID code indicates the attackers are from Russian-speaking regions.

Experts believe the threat could evolve in the next future, for example by implementing advanced anti-virtual machine or anti-research techniques along with techniques to evade sandboxes.

Further technical details on the malware, including the Indicators of Compromise, are available in the blog post published by IBM.

Pierluigi Paganini

(Security Affairs – banking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]