IcedID Banking Trojan Targets US Financial Institutions
November 14, 2017
A new banking trojan called IcedID (Detected by Trend Micro as TSPY_EMOTET.SMD3, TSPY_EMOTET.SMD4 and TSPY_EMOTET.AUSJMY), spotted by researchers
last September, has been wreaking havoc among financial institutions across the US, UK and Canada, including banks, payment card providers, mobile services providers, as well as e-commerce sites. The banking trojan's impact is still unclear, but initial reports show that its impact is still limited as of the time of publication.
Initial analysis of the trojan reveals that its delivery method is done via the botnet infrastructure of another Trojan known as EMOTET. In this case, the botnet is being used as a malware delivery platform, similar to previous attacks where it dropped the trojan DRIDEX as payload. Once IcedID is in the infected system, it will then carry out its attacks through both redirection and web injection. The malware also contains a network propagation module that gives it the ability to move, not only to other endpoints, but possibly to terminal servers as well.
The initial stage of IcedID's attack begins when it downloads a configuration file containing the trojan's targets from its C&C server, which is triggered when the user opens a web browser. In particular, it uses web injection for attacks involving online banking portals and redirection techniques for payment card and webmail sites.
For its redirection routine, IcedID sets up a local proxy running on port 49157 that intercepts and funnels web traffic, which is then exfiltrated to the C&C server. The redirection scheme attempts to look as legitimate as possible by displaying the bank’s legitimate URL in the address bar as well as its correct SSL certificate—all done via a live connection with the actual bank’s site. Users are then prompted to submit their credentials on the fake page, which are sent to the attacker’s server. Social engineering tactics are then used to trick the victim into giving up even more confidential information, including authorization details that can be used to compromise user accounts.
IcedID shares some similarities with other banking trojans such as Zeus and Gozi (detected by Trend Micro as ZBOT Family), as well as DRIDEX—with common features such as the use of web injection and redirection techniques in its routine. Despite the similarities, analysis of IceID shows that it does not seem to borrow code from other banking trojans, which means that it is not based on existing trojans, but is a new malware on its own right. It is also likely that IceID will see further evolution of its features as its authors develop it.
One flaw of the IcedID trojan is that it apparently lacks anti-virtual machine (VM) and anti-research techniques, which means that it can be stopped by multilayered security solutions. Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.
Organizations that need a comprehensive security solution can look into Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.