IBM X-Force research follows developments in the financial cybercrime arena to map the events and trends that shape the threat landscape for organizations and consumers alike. After a year that has been very active in terms of banking malware, point-of-sale (POS) malware and rampant ransomware attacks, the X-Force team identified a new banking Trojan active in the wild dubbed IcedID.
According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan.
At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.
IcedID does not seem to have borrowed code from other Trojans, but it implements comparable features that allow it to perform advanced browser manipulation tactics. Although IcedID’s capabilities are already up to par with those of other banking Trojans such as Zeus, Gozi and Dridex, our researchers believe it will see further updates in the coming weeks.
X-Force’s analysis of IcedID’s delivery method suggests that its operators are not new to the cybercrime arena, opting to infect users via the Emotet Trojan. X-Force research believes that a threat actor or a small cybergang has been operating Emotet as a distribution operation for banking Trojans and other malware codes this year. Emotet’s most prominent attack zone is the U.S. To a lesser extent, it also targets users in the U.K. and other parts of the world.
Emotet has been one of the notable malware distribution methods in 2017, serving elite cybercrime groups from Eastern Europe, such as those operating QakBot and Dridex. It has now added IcedID as a new payload drop.
Emotet emerged in 2014 after a leak of the original source code of the Bugat Trojan. It was originally a banking Trojan that preceded Dridex, but it has since been repurposed to amass and maintain botnets. Emotet persists on the machine and then fetches additional components such as a spamming module, a network worm module, and password and data stealers for Microsoft Outlook email and browser activity.
Emotet itself comes via malspam, usually inside rigged productivity files that contain malicious macros. Once Emotet infects the endpoint, it becomes a silent resident and is operated to serve malware from other cybercriminal groups.
When it comes to tactics, techniques and procedures (TTPs), IcedID has a few tricks up its sleeve.
Aside from the more common Trojan features, IcedID can propagate over a network. It monitors the victim’s online activity by setting up a local proxy for traffic tunneling, which is a concept reminiscent of the GootKit Trojan. Its attack tactics include both webinjection attacks and sophisticated redirection attacks similar to the scheme used by Dridex and TrickBot.
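The local-proxy tunneling the post describes leaves a visible footprint: the browser's proxy settings end up pointing at the victim's own machine. The script below is an added defensive example, not IBM X-Force code and not derived from any IcedID sample; it parses a Windows-style Internet Settings `ProxyServer` string (either `host:port` or `http=host:port;https=host:port;...`) and flags entries that resolve to a loopback or unspecified address. The sample values are constructed, and the optional `winreg` reader assumes the standard `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` location of the `ProxyEnable` and `ProxyServer` values.

```python
"""Flag browser proxy settings that route traffic through a local proxy.

Added example for triage, not malware-specific detection logic. The
ProxyServer string format follows Windows Internet Settings; the sample
settings at the bottom are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Parse a ProxyServer string into {scheme: "host:port"}.

    A bare "host:port" applies to every scheme and is stored under "*".
    """
    entries: Dict[str, str] = {}
    for part in value.strip().split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, _, target = part.partition("=")
            entries[scheme.strip().lower()] = target.strip()
        else:
            entries["*"] = part
    return entries


def is_local_endpoint(target: str) -> bool:
    """True if a host:port target points back at this machine."""
    # Split off the port; IPv6 literals are bracketed, e.g. "[::1]:9050".
    host = target.rsplit(":", 1)[0] if ":" in target else target
    host = host.strip("[]").lower()
    if host in LOOPBACK_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name other than localhost: not decidable offline
    return addr.is_loopback or addr.is_unspecified


def find_local_proxies(proxy_enable: int, proxy_server: str) -> List[str]:
    """Return the "scheme=host:port" entries that tunnel through a local proxy.

    When ProxyEnable is 0 the ProxyServer value is dormant, so nothing is flagged.
    """
    if not proxy_enable:
        return []
    return [
        f"{scheme}={target}"
        for scheme, target in parse_proxy_server(proxy_server).items()
        if is_local_endpoint(target)
    ]


def read_windows_proxy_settings() -> Optional[Tuple[int, str]]:
    """Read the current user's ProxyEnable/ProxyServer values (Windows only).

    Returns None on non-Windows hosts or when the values are absent.
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            enable, _ = winreg.QueryValueEx(key, "ProxyEnable")
            server, _ = winreg.QueryValueEx(key, "ProxyServer")
            return int(enable), str(server)
    except OSError:
        return None


# Constructed sample settings: one benign corporate proxy, one local tunnel.
SAMPLE_SETTINGS = {
    "corporate": (1, "proxy.corp.example:3128"),
    "local_tunnel": (1, "http=127.0.0.1:8080;https=127.0.0.1:8080"),
    "disabled": (0, "127.0.0.1:8080"),
}

if __name__ == "__main__":
    live = read_windows_proxy_settings()
    samples = dict(SAMPLE_SETTINGS, **({"this_host": live} if live else {}))
    for name, (enable, server) in samples.items():
        flagged = find_local_proxies(enable, server)
        print(f"{name}: {'LOCAL PROXY ' + ', '.join(flagged) if flagged else 'ok'}")
```

A hit is a triage signal, not proof of compromise: corporate endpoint agents and privacy tools also install loopback proxies, so the follow-up is to identify which process is listening on the flagged port and whether it is an approved one.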
IcedID is a newly identified threat in the financial cybercrime arena. While it is still early to tell how it will fare, its current capabilities, distribution choices and targets point to a group that is no stranger to this domain.
IBM X-Force research continues to follow and post updates on IcedID on X-Force Exchange. To learn more about mitigating financial threats such as IcedID, please visit the IBM Security Trusteer products page.