IcedID Trojan Targeting Banks
What Is It?
Recently IBM X-Force released the results of its research into a new banking trojan it has dubbed IcedID, first seen in the wild in September 2017.
The current versions of IcedID are able to target banks, payment card and mobile service providers, payroll portals, as well as webmail and e-commerce sites.
In order to steal financial data and user credentials it is also capable of performing both redirection attacks – where it creates a local proxy in order to silently redirect users to fake, cloned versions of their legitimate financial provider’s websites – and web injection attacks – where it adds extra fields into legitimate web pages in order to obtain additional user data. Previously, only the Dridex banking trojan utilized both techniques, generally one or the other is used.
The research found that the IcedID trojan does not appear to reuse code from other banking trojans, indicating the attackers are potentially a new group.
How Does It Propagate?
The IcedID malware has been found to have been downloaded and installed on systems, as a secondary infection, by the Emotet trojan. This allows the attackers to only install IcedID on systems located in the US, Canada and the UK, as recovered configuration files show financial institutions in these countries are currently being targeted.
This malware also has the ability to propagate via the internal network and researchers also observed it infecting a terminal server.
When/How Did BluVector Detect It?
BluVector’s patented machine learning engine detects the IcedID malware as malicious. Regression testing on four samples has shown the files would have been detected by BluVector between 36 and 46 months prior to their release.