In September of 2017 X-Force
researchers from IBM discovered a new banking Trojan called IcedID. IcedID primarily targets financial institutions such as banks,
payment card providers, and e-commerce sites. IcedID utilizes Emotet for
delivery to target hosts.
researchers from IBM discovered a new banking Trojan called IcedID. IcedID primarily targets financial institutions such as banks,
payment card providers, and e-commerce sites. IcedID utilizes Emotet for
delivery to target hosts.
Emotet is most commonly linked to
small cybercrime organizations in Eastern Europe targeting western countries
small cybercrime organizations in Eastern Europe targeting western countries
and is known as a successor of the Dridex
malware that was designed to amass and maintain botnets. Emotet itself is most
often delivered by opening a macro-enabled malicious file usually delivered by
spam mail. Once executed, the malware embeds itself within normal machine
processes, connects home, and installs additional modular components as
directed. Of the components installed consists of spamming modules, network
worm modules, and data stealers.
malware that was designed to amass and maintain botnets. Emotet itself is most
often delivered by opening a macro-enabled malicious file usually delivered by
spam mail. Once executed, the malware embeds itself within normal machine
processes, connects home, and installs additional modular components as
directed. Of the components installed consists of spamming modules, network
worm modules, and data stealers.
The main known tactics and
techniques of IcedID consist of common network propagation, victim monitoring,
and web URL tampering. More specifically the malware leverages a local web
proxy which listens to web traffic and based on what it sees can unknowingly
redirect or inject parameters to the victim which causes them to browse to
malicious web content controlled by the attacker instead of the original content
they wanted to see. Reverse engineering of the malware revealed a PropagationThroughNetwork
function, which enumerated the network propagation module that allows the
malware to affect local, or remote connected end points as a way of spreading
to other systems. Additionally, IcedID can query LDAP looking for other users
to attack and can look for other important information to send back to the
command and control server.
techniques of IcedID consist of common network propagation, victim monitoring,
and web URL tampering. More specifically the malware leverages a local web
proxy which listens to web traffic and based on what it sees can unknowingly
redirect or inject parameters to the victim which causes them to browse to
malicious web content controlled by the attacker instead of the original content
they wanted to see. Reverse engineering of the malware revealed a PropagationThroughNetwork
function, which enumerated the network propagation module that allows the
malware to affect local, or remote connected end points as a way of spreading
to other systems. Additionally, IcedID can query LDAP looking for other users
to attack and can look for other important information to send back to the
command and control server.
As a way of hiding itself IcedID utilizes
a full reboot after storing start up files to the Windows %LocalAppData% folder
to evade sandboxes and other defenses on victim hosts. Additionally, the
malware uses SSL to communicate home and launch its attacks to avoid intrusion
detection systems planted within the victim infrastructure. The malware also
uses a random value as the RunKey to establish persistence on the target host.
As an example, the startup file would be “C:UsersUserAppDataLocalewonlia rlewonliarl.exe”
and the Runkey would be at “HKCUSoftwareMicrosoftWindowsC urrentVersionRunewonliarl”.
IcedID listens on local network port 49157 and exfiltrates victim information
of its choosing to its command and control server. Interestingly enough IcedID can
still be identified by its original process IcedID which continues to run even
after reboot which researchers think will likely change in the future.
a full reboot after storing start up files to the Windows %LocalAppData% folder
to evade sandboxes and other defenses on victim hosts. Additionally, the
malware uses SSL to communicate home and launch its attacks to avoid intrusion
detection systems planted within the victim infrastructure. The malware also
uses a random value as the RunKey to establish persistence on the target host.
As an example, the startup file would be “C:UsersUserAppDataLocalewonlia rlewonliarl.exe”
and the Runkey would be at “HKCUSoftwareMicrosoftWindowsC urrentVersionRunewonliarl”.
IcedID listens on local network port 49157 and exfiltrates victim information
of its choosing to its command and control server. Interestingly enough IcedID can
still be identified by its original process IcedID which continues to run even
after reboot which researchers think will likely change in the future.
Sources:
Thanks to Peraton and their Cyber Intelligence Program (CIP) for this information.