
Brand New IcedID Banking Trojan Changing the Threat Landscape

A new banking Trojan has been reported by the IBM X-Force team: the IcedID Trojan. According to the researchers, the malware emerged in the wild in September last year, when its first campaigns took place. The Trojan has sophisticated capabilities similar to those seen in Zeus.

Threat Summary

Name: IcedID Trojan
Type: Banking Trojan
Short Description: Infects endpoints via the Emotet Trojan dropper.
Symptoms: The payload is written to the %LocalAppData% folder.
Distribution Method: Spam Emails

IcedID has modular malicious code and is currently targeting banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites in the United States. Those are not the only targets, however, as two major U.K. banks have also been chosen by the Trojan.

The developers of the IcedID Trojan haven’t reused code taken from known malware; instead they implemented comparable features that enable it to run advanced browser manipulation tactics. Researchers expect this Trojan to surpass its predecessors such as Zeus and Dridex. In other words, further updates to its code are expected in the forthcoming weeks.

IcedID Banking Trojan: Distribution Methods

It’s quite obvious that whoever is behind IcedID Trojan’s operations is not new to cybercrime. The initial infection vector is the Emotet Trojan.

Emotet is designed to steal a user’s online banking details. Although it is predominantly considered a Trojan, Emotet also contains the functionality needed to be classified as a worm. The last time we saw active Emotet attacks was in August 2017, when the malware gained access to systems by using a password dictionary attack.


As noted by the researchers, Emotet is one of the most high-profile malware distribution methods used throughout 2017. It has been seen to serve cybercrime groups from Eastern Europe, and it has now added IcedID as its latest malicious payload.

Emotet itself first appeared in 2014, after the original source code of the Bugat Trojan was leaked. Emotet is persistent on the infected system, and it also brings in more components, such as a spamming module, a network worm module, and password and data stealers for MS Outlook email and browser activity, the researchers explain.

Emotet is also delivered via malicious spam and macros. After infection, the Trojan can reside silently on a system to serve more malware.

IcedID Trojan Network Propagation Capabilities

The network propagation module found in IcedID speaks volumes about its authors’ intentions to target companies. The feature means that the Trojan is able to jump to other endpoints. Researchers also noticed that it successfully infected terminal servers, meaning that attackers have already targeted employee emails to reach enterprise endpoints.

IcedID Trojan Payload Distribution

As already mentioned, the Trojan uses Emotet as a dropper for the initial infection. Once the system is rebooted, the payload will be written to the %LocalAppData% folder.

Then, the Trojan sets up its persistence mechanism by creating a Run key in the registry to ensure its presence after further system reboots.

Next, IcedID writes an RSA crypto key into the AppData folder. The malware may write to this RSA key during the deployment routine, which could be linked to the fact that web traffic is tunneled through IcedID’s process even as it channels SSL traffic. X-Force is still investigating the exact use of the RSA key.

What is most peculiar is that IcedID’s process continues to run, which is not typical of malware. This could mean that some parts of the code are still being fixed and that this behavior will change in the next update, the researchers point out.

This is also where the deployment process finishes, with the dropper continuing to run under the Explorer process until the next reboot of the infected endpoint. Upon reboot, the payload is executed and the IcedID Trojan becomes resident on the endpoint.

It also should be noted that the malware is capable of redirecting the victim’s internet traffic through a local proxy that it controls.


Other malicious capabilities the Trojan has:

– Tunneling the victim’s web traffic
– Triggering a redirection to a fake bank page
– Communications over encrypted SSL
– Using a web-based remote panel accessible with a username and password combination
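The two host-side traces the article describes, a Run key pointing at a payload under %LocalAppData% and web traffic tunneled through a local proxy, can be checked from a registry export. The following is an added example, not code from the article or from X-Force; the .reg sample is constructed, and the user name, file names and proxy port in it are made up rather than real IcedID indicators.

```python
import re

# Constructed sample in `reg export` (.reg) format, for illustration only; the
# user name, file names and proxy port are made up, not real IcedID indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

def parse_reg(text):
    """Parse .reg text (open real exports with encoding='utf-16') into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:  # undo the \\ and \" escaping that reg export applies to strings
                keys[current][name] = re.sub(r"\\(.)", r"\1", raw.strip('"'))
    return keys

def launches_from_appdata(cmd):
    """True when a Run-key command's executable lives under AppData (e.g. %LocalAppData%)."""
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return "\\appdata\\local\\" in exe.lower() or "\\appdata\\roaming\\" in exe.lower()

def triage(reg_text):
    """Flag Run-key persistence from AppData and a user proxy pointing at loopback."""
    keys = parse_reg(reg_text)
    findings = [("run_key_in_appdata", name, cmd)
                for name, cmd in keys.get(RUN_KEY, {}).items() if launches_from_appdata(cmd)]
    inet = keys.get(INET_KEY, {})
    server = inet.get("ProxyServer", "")
    if inet.get("ProxyEnable") == 1 and server.split(":")[0] in ("127.0.0.1", "localhost"):
        findings.append(("loopback_proxy", "ProxyServer", server))
    return findings
```

Either finding on its own is only a lead (legitimate updaters also live in AppData, and developers run local proxies), so treat a hit as a reason to inspect the binary and the proxy process, not as confirmation.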

IcedID Trojan Protection and Prevention

We advise checking for the IcedID banking Trojan by using the instructions below and scanning the system with advanced anti-malware software, whose real-time shield will also help you stay protected in the future. Even though IcedID is currently targeting organizations, there are multiple examples of consumers being targeted by banking Trojans.

Milena Dimitrova
