A new banking Trojan called IcedID, detected by researchers last September, has wreaked havoc among financial institutions in the US, UK, and Canada, including banks, payment card providers, mobile service providers, and e-commerce sites. The full impact of the banking Trojan is not yet clear, but initial reports indicate that it remains limited at the time of publication.

Initial analysis of the Trojan reveals that its delivery method is via the botnet infrastructure of another Trojan known as EMOTET. In this case, the botnet is being used as a malware delivery platform, similar to previous attacks where it dropped the DRIDEX Trojan as a payload. Once IcedID is on the infected system, it will carry out its attacks via redirection and web injection. The malware also contains a network propagation module that gives it the ability to move, not only to other endpoints, but possibly to terminal servers as well.

This threat has been circulating at an increasing rate, thanks to a series of email campaigns using Microsoft Excel spreadsheet attachments, according to Uptycs researchers Ashwin Vamshi and Abhijit Mohanta. In fact, in the first three months of the year, Uptycs telemetry flagged more than 15,000 HTTP requests for more than 4,000 malicious documents, 93% of which were Microsoft Excel spreadsheets with the .XLS or .XLSM extension.

IcedID shares some similarities with other banking Trojans such as Zeus and Gozi, notably the use of redirection and web injection techniques in its routine. Despite the similarities, analysis of IcedID shows that it does not appear to borrow code from other banking Trojans: it is not based on existing Trojans but is new malware in its own right. It is also likely that IcedID's features will continue to evolve as its authors develop it, so staying informed is important, since it is not known when new versions will be released.

The best defence against this threat is to protect users and businesses by detecting malicious files and spam messages, and by blocking all related malicious URLs.
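As an added illustration of the detection side described above (this is example code written for this page, not code from Uptycs or from the IcedID analysis), the block below does two things a defender can automate: it scans HTTP/proxy log lines for requests that fetch Office documents and reports the share that are .XLS/.XLSM, mirroring the telemetry figure quoted earlier, and it inspects a macro-enabled workbook for an embedded VBA project. The log lines and the workbooks are constructed inline; the log format (`METHOD URL STATUS` per line) is an assumption, while the fact that an Office Open XML workbook is a ZIP archive and that a macro-enabled one carries `xl/vbaProject.bin` is standard OOXML structure.

```python
import io
import re
import zipfile

# Constructed sample proxy log lines (not real telemetry). Assumed format:
# "<METHOD> <URL> <STATUS>" per line.
SAMPLE_LOG = """\
GET http://example.invalid/docs/invoice_0412.xlsm 200
GET http://example.invalid/img/logo.png 200
GET http://example.invalid/files/statement.XLS 200
POST http://example.invalid/api/login 302
GET http://example.invalid/report.xlsx 200
GET http://example.invalid/dl/payment_info.xls 200
"""

# Document extensions worth tracking; .xls/.xlsm are the ones the campaigns favoured.
DOC_EXTENSIONS = {".xls", ".xlsm", ".xlsx", ".doc", ".docm"}
EXT_RE = re.compile(r"(\.[A-Za-z0-9]+)$")


def classify_requests(log_text):
    """Return [(url, ext)] for every request whose URL path ends in a tracked document extension."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        url = parts[1]
        path = url.split("?", 1)[0]  # ignore query strings when looking at the extension
        m = EXT_RE.search(path)
        if m and m.group(1).lower() in DOC_EXTENSIONS:
            hits.append((url, m.group(1).lower()))
    return hits


def excel_share(hits):
    """Fraction of document requests that are .xls or .xlsm (0.0 when there are none)."""
    if not hits:
        return 0.0
    excel = sum(1 for _, ext in hits if ext in (".xls", ".xlsm"))
    return excel / len(hits)


def xlsm_has_vba(data):
    """True if the OOXML archive contains a VBA project (xl/vbaProject.bin); False for non-ZIP input."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower() == "xl/vbaproject.bin" for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_constructed_workbook(with_macro):
    """Constructed minimal OOXML-style archive for demonstration only; not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    hits = classify_requests(SAMPLE_LOG)
    for url, ext in hits:
        print(f"document request: {url} ({ext})")
    print(f"xls/xlsm share of document requests: {excel_share(hits):.0%}")
    print("macro workbook flagged:", xlsm_has_vba(build_constructed_workbook(True)))
    print("macro-free workbook flagged:", xlsm_has_vba(build_constructed_workbook(False)))
```

Legacy binary .XLS files are not ZIP archives, so `xlsm_has_vba` deliberately returns False for them rather than guessing; they need a separate OLE-based check. In practice the request-level filter is the cheap first pass, and the archive inspection runs only on the attachments or downloads it surfaces.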

See also:
Trickbot malware that steals banking credentials
Bizarro dangerous new banking Trojan
