“IcedID”: New banking trojan horse detected

2017 has been a year characterised by several high-profile cyber attacks across all sectors, reaching many countries, some previously thought too low-profile to be worth attacking. We have seen several ransomware attacks that have hit almost every country in the world.

In September, IBM’s X-Force team identified a new trojan (a malware program that misleads users as to its true intentions) and has dubbed this trojan “IcedID”. Currently, IcedID is targeting banks, financial institutions, payment providers, payroll, webmail and other e-commerce sites in the US – and to a lesser extent the UK and other countries. The reason for this is that the cyber actor or actors are using an existing trojan called “Emotet” to distribute it and infect victims.

Emotet was originally designed to infect computers and remain active in the background, listening for commands from a central computer and stealing data. While active, it also fetches other modules, such as spam, browser and Outlook activity monitoring, and a worm module. A worm, as the name suggests, actively seeks out other computers (whether on the Internet or the local network) to infect and propagate its activities. Because it stays active within each computer that it infects and talks to a central command server, it effectively creates a botnet (a network of remotely controlled, compromised computers), making it the ideal platform to launch other malware like IcedID, as well as spam mails and massively distributed attacks. These botnets are managed by herders (much like herds of cattle), and are rented out to perform the above-mentioned tasks. Emotet is sent out in a spam campaign designed to look like a message from a bank, and victims are tricked into activating the infected file attached to the message.

Once IcedID is downloaded by the newly installed Emotet trojan, it goes about embedding itself in the operating system so that it can survive a restart of the computer. It then redirects the victim’s Internet traffic through a proxy under the control of criminals. When the victim enters an address, or clicks on a link to a bank that is in an internal list, the trojan changes the web page and forces the browser to load a fake bank website set up in advance. This website mimics the original bank, and the victim is prompted for credentials. Furthermore, the trojan keeps the bank’s legitimate link in the address bar and maintains a live connection to the bank so that the correct SSL (encryption) certificate always shows. Deep investigation of IcedID’s capabilities has shown that, on top of redirecting victims to fake banking sites and manipulating the browser’s representation of the real banking website, it also has the capability to spread internally across a company network. Although this feature has not yet been activated, it is possible that it will be used in the future.

IcedID is modular and can generate unique identification numbers, which are uploaded to a central computer. The combination of these features makes it possible to uniquely identify an infected computer and write highly customised attacks for it.

Once again, the human component of cyber defence is vital. Training the “human firewall” is important for business and home operations. With the proliferation of free mail services like Hotmail, Gmail, and others, there are large concentrations of private users – a veritable bullseye for malware- and trojan-tainted messages. Training users to identify these irregularities has a double benefit for business. It teaches them to avoid opening suspect attachments not only in the workplace, but at home as well, thereby:

  • minimising workplace infections;
  • minimising home infections that can bleed over into the workplace;
  • and limiting the forwarding of infected emails to colleagues at work.

The human firewall still remains one of the most under-developed firewalls in a company’s cybersecurity defence, and therefore an important market focus for us at Applxbridge.

Andrew Smith

Andrew is a senior systems engineer with over 20 years’ experience in corporate and small business environments. This includes consulting for large ICT service providers. He has supported systems at every level in the organization, including infrastructure, operating systems, applications, and perimeter protection. He also collaborates with software development teams on web, database, and infrastructure security. Andrew has co-founded multiple ICT businesses, where he advises on cybersecurity strategies and policies. Andrew has a 3-year National Diploma in Electronics (light current).