November 14, 2017
Malware researchers have spotted a new player on the banking trojan scene, which they have named IcedID and which is currently in its first stages of development.
Despite being new, IcedID already has advanced features that rival what researchers have seen in older and more complex banking trojans.
IcedID uses both redirection and web injection attacks
IcedID can steal users' financial data through both redirection attacks (a local proxy installed on the infected machine redirects the browser to attacker-controlled clones of the targeted sites) and web injection attacks (code injected into the browser process overlays fake content on top of the legitimate page).
In the past, only Dridex, one of the most advanced banking trojans, was seen using both types of attacks; cyber-criminal fraud groups usually pick one of the two and focus on perfecting that technique.
According to IBM's X-Force team, which discovered the new threat, the criminal group behind the trojan is using the botnet infrastructure of the Emotet trojan to deliver IcedID to already infected computers.
According to a source in the security industry who spoke with your reporter this week, the Emotet banking trojan has over the past year shifted its focus from stealing users' financial information to acting as a malware delivery platform.
IcedID appears to be one of Emotet's newest customers, and the group is using Emotet's geotargeting capabilities to deliver the trojan only to victims in specific countries.
IcedID targeting North America
Based on IBM information and the types of configuration files found in IcedID samples, crooks have gone mostly after users in the US, Canada, and the UK.
A closer look at IcedID's configuration files reveals the trojan can go after banks, payment card providers, mobile services providers, payroll portals, webmail clients, and e-commerce sites.
More specifically, IcedID's redirection attacks target payment cards and webmail sites, while the web injection technique targets online banking portals.
While most of the banking portals targeted by the IcedID trojan were located in the US and Canada, it also targeted two banks in the UK.
IcedID has only crude anti-VM protections
Under the hood, the trojan's redirection feature works by funneling the browser's web traffic through a local proxy that listens on TCP port 49157.
Other features include encrypted communications with its C&C server and a registry key-based persistence mechanism that survives reboots.
The trojan's only weakness, for now, is its lack of advanced anti-VM and anti-sandbox measures. The protections it does have are crude; the most sophisticated of them is that IcedID requires a reboot of the PC before its deployment completes, most likely to evade sandboxes that do not emulate a reboot and therefore never observe the full infection.
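One practical consequence of the local-proxy design is that it leaves a network footprint on the host itself: something listening on port 49157 and a browser holding a loopback connection to it. The script below is an added example, not code from the article or from IBM X-Force's analysis, that hunts for exactly that pattern in `netstat -ano` output. The browser image names, the PID-to-process mapping and the netstat lines are all constructed for the example; the only fact taken from the page is the port number.

```python
"""Hunt for a local browser-redirect proxy on TCP port 49157 in `netstat -ano` output.

Added example: the port comes from the IcedID analysis described above; everything
else (browser names, sample rows, PID map) is an assumption constructed for the demo.
"""
import re

PROXY_PORT = 49157
# Assumed browser image names; extend for the browsers in your environment.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed `netstat -ano` sample (not real telemetry): a listener on 49157
# and a browser (PID 5204) connected to it over loopback.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       680
  TCP    127.0.0.1:49157        0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:49157        127.0.0.1:51022        ESTABLISHED     4412
  TCP    127.0.0.1:51022        127.0.0.1:49157        ESTABLISHED     5204
  TCP    192.168.1.20:51030     93.184.216.34:443      ESTABLISHED     5204
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PIDS = {912: "svchost.exe", 680: "wininit.exe",
               4412: "proxyhost.exe", 5204: "chrome.exe"}

# One TCP row of `netstat -ano`: proto, local, foreign, state, pid.
LINE_RE = re.compile(r"^\s*(TCP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port); port is None if not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_netstat(text):
    """Parse TCP rows into dicts; header, blank and UDP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": int(pid)})
    return rows


def find_redirect_proxy(netstat_text, pid_names, port=PROXY_PORT):
    """Return listener PIDs on `port`, browser PIDs connected to it over loopback,
    and a verdict that is only True when both halves of the pattern are present."""
    rows = parse_netstat(netstat_text)
    listener_pids = sorted({r["pid"] for r in rows
                            if r["state"] == "LISTENING" and r["lport"] == port})
    browser_client_pids = sorted({
        r["pid"] for r in rows
        if r["state"] == "ESTABLISHED" and r["fport"] == port
        and r["fhost"] in LOOPBACK
        and pid_names.get(r["pid"], "").lower() in BROWSERS})
    return {"listener_pids": listener_pids,
            "browser_client_pids": browser_client_pids,
            "suspicious": bool(listener_pids and browser_client_pids)}


if __name__ == "__main__":
    for key, value in find_redirect_proxy(SAMPLE_NETSTAT, SAMPLE_PIDS).items():
        print(f"{key}: {value}")
```

The verdict deliberately requires both a listener and a browser talking to it: 49157 sits inside the Windows dynamic port range (49152-65535), so a lone listener there is often just an RPC endpoint or another legitimate service, whereas a browser with an ESTABLISHED loopback connection to a non-browser listener on that port is the signal worth escalating. Feed the function real `netstat -ano` text and a `tasklist`-derived PID map to run it against a live host.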
For now, it is unclear whether IcedID is here to stay or merely an experiment. We will have to see how the trojan evolves in the coming months and whether its creators manage to gain a foothold in the market.