Brand New IcedID Banking Trojan Changing the Threat Landscape

A new banking Trojan, IcedID, has been reported by the IBM X-Force team. According to the researchers, the malware emerged in the wild in September 2017, when its first campaigns took place. The Trojan has sophisticated capabilities similar to those seen in Zeus.

Threat Summary

Name: IcedID Trojan
Type: Banking Trojan
Short Description: Infects endpoints via the Emotet Trojan dropper.
Symptoms: The payload is written to the %LocalAppData% folder.
Distribution Method: Spam emails

IcedID has modular malicious code and is currently targeting banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites in the United States. Those are not its only targets, however, as two major U.K. banks have also been added to the Trojan's target list.

The developers of the IcedID Trojan haven't reused code from known malware; instead they implemented comparable features that enable it to run advanced browser manipulation tactics. Researchers expect this Trojan to surpass its predecessors such as Zeus and Dridex; in other words, further updates to its code are expected in the forthcoming weeks.


IcedID Banking Trojan: Distribution Methods

It's quite obvious that whoever is behind IcedID's operations is not new to cybercrime. The initial infection vector is the Emotet Trojan, which drops IcedID onto already-infected machines.

Emotet is designed to steal a user's online banking details. Although it is predominantly considered a Trojan, Emotet also contains the functionality needed to be classified as a worm. The last time we saw active Emotet attacks was in August 2017, when the malware gained access to systems by brute-forcing credentials with a password dictionary.

Related Story: Internal Networks Affected By Self-Propagating Emotet Trojan

As noted by the researchers, Emotet is one of the most high-profile malware distribution methods used throughout 2017. It has been seen serving cybercrime groups from Eastern Europe, and it has now added IcedID as its latest malicious payload.

Emotet itself first appeared in 2014, after the original source code of the Bugat Trojan was leaked. Emotet is persistent on the infected system, and it also brings in more components such as a spamming module, a network worm module, and password and data stealers for MS Outlook email and browser activity, the researchers explain.

Emotet is itself delivered via malicious spam carrying macro-enabled documents. After infection, the Trojan can reside silently on a system to serve additional malware.


IcedID Trojan Network Propagation Capabilities

The network propagation module found in IcedID speaks volumes about its authors' intention to target companies: the feature lets the Trojan jump to other endpoints on the same network. Researchers also observed that it successfully infected terminal servers, meaning that the attackers have already targeted employee emails to reach enterprise endpoints.

IcedID Trojan Payload Distribution

As already mentioned, the Trojan uses Emotet as a dropper for the initial infection. The payload is written to the %LocalAppData% folder.

Then the Trojan establishes persistence by creating a Run key in the registry, so that it is launched again after subsequent system reboots.

Next, IcedID writes an RSA key to the system, into the AppData folder. The malware may write to this RSA key during the deployment routine, which could be linked to the fact that web traffic is tunneled through IcedID's process even when it channels SSL traffic. X-Force is still investigating the exact use of the RSA key.

What is most peculiar is that IcedID's dropper process keeps running after deployment, which is not typical of malware. This could mean that some parts of the code are still being fixed and that this behaviour will change in the next update, the researchers point out.

This is also where the deployment process finishes, with the dropper continuing to run under the Explorer process until the next reboot of the infected endpoint. Upon reboot, the payload is executed and the IcedID Trojan becomes resident on the endpoint.

It should also be noted that the malware is capable of redirecting the victim's internet traffic through a local proxy that it controls.
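The deployment steps above (payload dropped under %LocalAppData%, then a Run key for persistence) are exactly what a quick triage check should look for. The following script is an added example and is not code from the X-Force report or from this article: it parses the text output of `reg query` for the standard Run keys and flags any value whose command line resolves into %LocalAppData% or %AppData%, the profile folders the article names. The registry output and environment below are constructed for the demonstration, and the value names and file names in it (`client.exe`, `Updater\upd.exe`) are placeholders, not known IcedID indicators.

```python
"""Flag Run-key persistence whose executable lives under the user profile.

Added example, not from the X-Force report or the article. Run
`reg query <key>` for each key in RUN_KEYS on the suspect host, feed the
output to find_profile_persistence() together with the user's environment
(%LOCALAPPDATA%, %APPDATA%), and review what comes back.
"""
import ntpath
import re
from typing import Dict, List, NamedTuple

# Keys to query on the endpoint (both hives; `reg query "<key>"` each).
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed `reg query` output: two benign entries, two placed under the
# profile folders. Names and file names are placeholders, not real IOCs.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    client    REG_SZ    C:\Users\alice\AppData\Local\client.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_EXPAND_SZ    %APPDATA%\Updater\upd.exe -s
"""

# Environment of the user whose hive was queried (constructed for the example).
SAMPLE_ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "windir": r"C:\Windows",
}


class Finding(NamedTuple):
    key: str      # registry key the value sits in
    name: str     # value name
    image: str    # normalised path of the executable
    folder: str   # which profile variable the image resolves under


_VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
_ENV_RE = re.compile(r"%([^%]+)%")
# Executable at the start of a command line, allowing unquoted paths with spaces.
_IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?=\s|$)", re.I)


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value_name: data}} from `reg query` text output."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():        # unindented line = key header
            current = line.strip()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            result[current][name] = data.strip()
    return result


def expand_env(data: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references (case-insensitively) using the given environment."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _ENV_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), data)


def image_path(command: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _IMAGE_RE.match(command)
    return m.group(1) if m else (command.split() or [""])[0]


def find_profile_persistence(reg_text: str, env: Dict[str, str]) -> List[Finding]:
    """Flag Run-key values whose executable resolves under %LOCALAPPDATA% or %APPDATA%."""
    folders = {var: ntpath.normcase(ntpath.normpath(env[var]))
               for var in ("LOCALAPPDATA", "APPDATA") if var in env}
    findings: List[Finding] = []
    for key, values in parse_reg_query(reg_text).items():
        for name, data in values.items():
            image = ntpath.normcase(ntpath.normpath(expand_env(image_path(data), env)))
            for var, folder in folders.items():
                if image.startswith(folder + "\\"):
                    findings.append(Finding(key, name, image, var))
                    break
    return findings


if __name__ == "__main__":
    for f in find_profile_persistence(SAMPLE_REG_OUTPUT, SAMPLE_ENV):
        print(f"{f.folder}: {f.key}\\{f.name} -> {f.image}")
```

A hit is not proof of infection (legitimate per-user installers such as OneDrive also live under AppData, though in the sample the OneDrive entry points to Program Files and is not flagged); treat each finding as a file to hash, check for a valid signature, and compare against the write time of the infection window.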

Related Story: Protect Organization Networks Against Ransomware Attacks

Other malicious capabilities the Trojan has:

– Tunneling the victim’s web traffic
– Triggering a redirection to a fake bank page
– Encrypted (SSL) communications
– Using a web-based remote panel accessible with a username and password combination

IcedID Trojan Protection and Prevention

We advise checking for the IcedID banking Trojan using the instructions below and scanning the system with advanced anti-malware software, which will also help you stay protected in the future with its real-time shield. Even though IcedID is currently targeting organizations, there are many examples of consumers being targeted by banking Trojans.

Manually delete IcedID Trojan from your computer

Note! Important warning about the IcedID Trojan threat: manual removal of IcedID Trojan requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove IcedID Trojan files and objects
2. Find malicious files created by IcedID Trojan on your PC

Automatically remove IcedID Trojan by downloading an advanced anti-malware program

1. Remove IcedID Trojan with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by IcedID Trojan in the future
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
