In September of 2017 X-Force researchers from IBM discovered a new banking Trojan called IcedID. IcedID primarily targets financial institutions such as banks, payment card providers, and e-commerce sites. IcedID utilizes Emotet for delivery to target hosts.
Emotet is most commonly linked to small cybercrime organizations in Eastern Europe targeting western countries
and is known as a successor of the Dridex malware that was designed to amass and maintain botnets. Emotet itself is most often delivered by opening a macro-enabled malicious file usually delivered by spam mail. Once executed, the malware embeds itself within normal machine processes, connects home, and installs additional modular components as directed. Of the components installed consists of spamming modules, network worm modules, and data stealers.
The main known tactics and techniques of IcedID consist of common network propagation, victim monitoring, and web URL tampering. More specifically the malware leverages a local web proxy which listens to web traffic and based on what it sees can unknowingly redirect or inject parameters to the victim which causes them to browse to malicious web content controlled by the attacker instead of the original content they wanted to see. Reverse engineering of the malware revealed a PropagationThroughNetwork function, which enumerated the network propagation module that allows the malware to affect local, or remote connected end points as a way of spreading to other systems. Additionally, IcedID can query LDAP looking for other users to attack and can look for other important information to send back to the command and control server.
As a way of hiding itself IcedID utilizes a full reboot after storing start up files to the Windows %LocalAppData% folder to evade sandboxes and other defenses on victim hosts. Additionally, the malware uses SSL to communicate home and launch its attacks to avoid intrusion detection systems planted within the victim infrastructure. The malware also uses a random value as the RunKey to establish persistence on the target host. As an example, the startup file would be “C:\Users\User\AppData\Local\ewonlia rl\ewonliarl.exe” and the Runkey would be at “HKCU\Software\Microsoft\Windows\C urrentVersion\Run\ewonliarl”. IcedID listens on local network port 49157 and exfiltrates victim information of its choosing to its command and control server. Interestingly enough IcedID can still be identified by its original process IcedID which continues to run even after reboot which researchers think will likely change in the future.
Thanks to Peraton and their Cyber Intelligence Program (CIP) for this information.