A new banking Trojan has been reported IBM X-Forse team – the IcedID Trojan. According to researchers, the piece emerged in the wild in September last year. This is when its first campaigns took place. The Trojan has sophisticated capabilities similar to the ones seen in Zeus.
|Short Description||Infects endpoints via the Emotet Trojan dropper.|
|Symptoms||The payload is written to the %LocalAppData% folder.|
|Distribution Method||Spam Emails|
|Detection Tool|| See If Your System Has Been Affected by IcedID Trojan |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss IcedID Trojan.|
IcedID has a modular malicious code and is currently targeting banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites in the United States. However, those are not the only targets as two other major U.K. banks have also been chosen by the Trojan.
The developers of the IcedID Trojan haven’t used code taken from known malware but instead implemented comparable features that enable it to run advanced browser manipulation tactics. What researchers expect for this Trojan is that it will surpass its predecessors suck as Zeus and Dridex. In other words, further updates to its code are expected in the forthcoming weeks.
IcedID Banking Trojan: Distribution Methods
It’s quite obvious that whoever is behind IcedID Trojan’s operations is not new to cybercrime. The initial infection method applied is via the Emotet Trojan.
Emotet is designed to steal a user’s online banking details. Although it is predominantly considered a trojan, Emotet also contains the necessary functionality features to be classified as a worm. The last time we saw active Emotet attacks was in August, 2017 when the malware gained access to systems by using the password dictionary method.
Аs noted by researcher, Emotet is one of the most high-profile malware distribution methods used throughout 2017. It has been seen to serve cybercrime groups from Eastern Europe, and it has now added IcedID as its latest malicious payload.
Emotet itself first appeared in 2014 after the original source code of the Bugat Trojan was leaked. Emotet is persistent on the infected system, it also brings in more components like a spamming module, a network worm module, and password and data stealers for MS Outlook email and browser activity, researcher explain.
Emotet is also delivered via malicious spam and macros. After infection the Trojan can reside on a system silently to serve more malware.
IcedID Trojan Network Propagation Capabilities
The network propagation module found in IcedID speaks volumes about its authors’ intentions to target companies. The feature means that the Trojan is able to jump to other endpoints. Researchers also noticed that it successfully infected terminal servers meaning that attackers have already targeted employee emails to reach enterprise endpoints.
IcedID Trojan Payload Distribution
As already mentioned, the Trojan uses Emotet as a dropper for the initial infection. Once the system is rebooted, the payload will be written to the %LocalAppData% folder.
Then, the Trojan will set its persistence mechanism by creating a RunKey in the registry to ensure its presence after further system reboots.
Next, IcedID writes an RSA crypto key to the system into the AppData folder. The malware may write to this RSA key during the deployment routine, which could be linked to the fact that web traffic is tunneled through IcedID’s process even as it channels SSL traffic. X-Force is still investigating the exact use of the RSA key.
What is most peculiar is that IcedID’s process continues to run, which is not typical for any malware. This could mean that some parts of the code are still being fixed and that this issue will change in the next update, researchers point out.
This is also where the deployment process finishe, with the dropper continuing to run under the Explorer process until the next reboot of the infected endpoint. Upon reboot, the payload is executed and the IcedID Trojan becomes resident on the endpoint.
It also should be noted that the malware is capable of redirecting the victim’s internet traffic through a local proxy that it controls.
Other malicious capabilities the Trojan has:
– Tunneling the victim’s web traffic
– Triggering a redirection to a fake bank page
– Communications over encrypted SSL
– Using a web-based remote panel accessible with a username and password combination
IcedID Trojan Protection and Prevention
We advise checking for IcedID banking Trojan by using the instructions below and scanning the system with an advanced anti-malware software, which will also help you stay protected in the future as well with its real-time shield. Even though IcedID is currently targeting organizations, there are multiple examples of consumers being targeted by banking Trojans.