IBM X-Force Discovers IcedID Banking Trojan

New banking Trojan discovered and is active in the wild hitting targets in the United States and the UK

Researchers at IBM X-Force have identified a new banking Trojan active in the wild, that is hitting targets in both the United States and UK.

The trojan, dubbed IcedID, first emerged in September this year when the researchers came across its first test campaigns.

And the researchers also discovered that IcedID has a modular malicious code, which apparently has “modern banking Trojan capabilities comparable to malware such as the Zeus Trojan.”


IcedID Trojan

IcedID is targetting banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites mostly in the United States.

But at least two major banks in the UK are also in its cross hairs.

IcedID is also unique, in that it has not “borrowed code from other Trojans, but it implements comparable features that allow it to perform advanced browser manipulation tactics.”

IBM says the malware’s capabilities are already up to par with those of other banking Trojans such as Zeus, Gozi and Dridex, but are warning that further updates to the malware are expected in the coming weeks.

The infection route is via the Emotet Trojan, which IBM says shows that its operators are not new to the cybercrime arena.

It said that a small cybergang has been operating Emotet as a distribution operation for banking Trojans and other malware codes this year, and that the US is its main ‘attack zone’, but it also targets users in the UK and other parts of the world to a lesser extent.

Security researcher Zscaler warned in August that Emotet had evolved and now a new variant was ‘back with a vengeance’ and had the UK in its sights. Indeed, it said that 76 percent of Emotet’s attacks had been aimed at the United Kingdom

But IcedID also has a few tricks up its sleeve, according to IBM X Force, as aside from the more common Trojan features, it can also propagate over a network.

Essentially the malware monitors the victim’s online activity by setting up a local proxy for traffic tunnelling, and it attacks using both webinjection attacks and sophisticated redirection attacks.

“IcedID’s operators probably plan on targeting businesses because they added a network propagation module to the malware from the get-go,” said IBM.

“IcedID possesses the ability to move to other endpoints, and X-Force researchers also observed it infecting terminal servers. Terminal servers typically provide terminals, such as endpoints, printers and shared network devices, with a common connection point to a local area network (LAN) or a wide area network (WAN), which suggests that IcedID has already been targeting employee email to land on organisational endpoints.”

And the malware creates a RunKey in the registry of the host’s Windows system that allows it to survive reboots.

And communication between host and the attacker’s command-and-control server is via SSL.

Does IoT security concern you?

  • Yes (89%)
  • No (11%)

Loading ... Loading ...

Banking Trojans

Banking trojans are unfortunately fairly common nowadays. In April IBM security researchers  warned about a change in tactics by the operators of the TrickBot Trojan.

The researchers found that private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company were now in its cross-hairs.

Also this year security specialists Dr Web found a banking trojan based on the source code of the infamous Zeus malware.

Dubbed Trojan.PWS.Sphinx.2, that trojan’s main purpose was to inject malicious content into webpages, for example a fake form for inputting login and password details in order for cyber criminals to secretly harvest useful credentials for people browsing the web.

Quiz: Are you a security pro?