IcedID: New banking trojan discovered in the wild
Financial sector’s latest threat utilizes Emotet for webinjection and redirection attacks.
A new banking trojan comparable to the notorious Zeus malware is actively targeting banks, payment card providers, and eCommerce sites in the US, researchers have found.
According to a new report from IBM’s X-Force security team, the trojan – dubbed IcedID – utilizes the Emotet delivery method, where malicious code is triggered after a user opens a rigged file sent via email.
Once Emotet infects the endpoint, it becomes a silent resident and is operated to serve malware, such as a spamming module, a network worm module, and password and data stealers for email and browser activity.
“IcedID does not seem to have borrowed code from other trojans, but it implements comparable features that allow it to perform advanced browser manipulation tactics,” explains IBM security advisor Limor Kessem.
“Although IcedID’s capabilities are already up to par with those of other banking trojans such as Zeus, Gozi and Dridex, our researchers believe it will see further updates in the coming weeks.”
According to the X-Force research, the new banking trojan emerged in the wild in September 2017, when its first test campaigns were launched. While the most prominent attack zone is the US, two major British banks were also found on the target list.
“Aside from the more common trojan features, IcedID can propagate over a network,” said Kessem. “It monitors the victim’s online activity by setting up a local proxy for traffic tunneling, which is a concept reminiscent of the GootKit Trojan.”
Kessem went on to note that the tactics utilized by IcedID include both webinjection attacks and sophisticated redirection attacks similar to the scheme used by Dridex and TrickBot.
“IcedID is a newly identified threat in the financial cybercrime arena,” she said. “While it is still early to tell how it will fare, its current capabilities, distribution choices, and targets point to a [cybergang] that is no stranger to this domain.”