A newly discovered banking trojan that’s been targeting U.S. financial institutions and services since at least September is already as advanced in its capabilities as its predecessors Zeus, Gozi, and Dridex, researchers from IBM have reported.
Dubbed IcedID, the modular trojan can manipulate browsers via web injections and redirection attacks, in order to trick victims into submitting their banking credentials on a malicious web page. And it can set up a local proxy for traffic tunneling, in order to intercept and monitor an infected machine’s online activity and exfiltrate any relevant communications to its command-and-control server.
The trojan is also capable of self-propagating over a network, and appears to be intentionally designed to target businesses’ endpoints as well as the terminal servers that connect these endpoints to the greater network. Moreover, IcedID queries the lightweight directory access protocol (LDAP) so it can find even more users on the network to infect.
According to a blog post from IBM’s X-Force research unit, IcedID has been targeting banks; payment card providers; mobile services providers; and payroll, webmail and e-commerce sites in the U.S., as well as at least two major banks in the U.K.
The trojan is distributed via Emotet, another banking trojan that has recently evolved into more of an advanced dropper. IBM currently associates Emotet with an Eastern European cybergangs that have using the trojan to distribute banking malware programs such as QakBot and Dridex.
“The current-day Emotet is being used by someone… that chose a different vocation for it. Modular trojans are like Swiss army knives with different plugins and modules, and the present operator is specialized in high-value infection,” said blog post author and IBM Security global executive security advisor Limor Kessem, in an email interview.
“Is it only a dropper? No… As part of an overall infection service, Emotet’s operators leverage its modularity to set up new targets inside the networks it reaches,” Kessem continued. “It propagates through networks and steals some passwords in the process (mainly for email, web browsing), uses a spamming module, and makes sure to persist on the machine in order to continually provide a backdoor for its operators.”
Victims are infected with the Emotet dropped after receiving malspam files and opening document files rigged with malicious macros. “This threat is another great example of threat actors praying on untrained and unsuspecting users — tricking them into enabling macros or running dangerous scripts because the user is so determined to see whatever content is provided by the attacker,” said Brian Robison, senior director of security technology at Cylance.
Kessem warns in her blog post that IcedID’s process for redirecting infected victims to a malicious website is a rather sophisticated one that is “designed to appear as seamless as possible to the victim.”
To convince victims that they are visiting a financial institution’s genuine website, IcedID displays that company’s actual URL in the address bar and its correct SSL certificate, which is possible “by keeping a live connection with the actual bank’s site,” Kessem explains.
“The victim is fooled into submitting his or her credentials on the fake page replica, which unknowingly sends him or her to the attacker’s server,” the blog post states. “From that point on, the attacker controls the session the victim goes through, which typically includes social engineering to trick the victim into divulging transaction authorization elements.”