IcedID Banking Trojan Sample
Technical Analysis and Solution
Date of Release: November 17, 2017
Overview
Recently, the IBM X-Force research team discovered a brand new banking
Trojan dubbed IcedID. This Trojan was first found spreading in the wild in
September 2017, mainly targeting systems used in the US financial sector.
According to X-Force research, this Trojan contains a malicious code module that
provides most of the functions found in current banking Trojans such as Zeus.
Currently, this Trojan mainly targets banks, payment card providers,
mobile phone service providers, webmail, e-commerce websites, and the like in
the US, as well as two major banks in the UK.
Background
On November 14, 2017, researchers discovered that a banking Trojan
named IcedID was spreading with the aid of the Emotet Trojan, mainly targeting
banks and other financial institutions in the US. Specifically,
when an infected user accesses the website of a specific financial institution,
this Trojan steals the user's bank account password and other sensitive
information by redirecting him or her to a phishing web page.
Propagation and Infection
According to X-Force researchers, IcedID spreads with the help of the
Emotet Trojan rather than through vulnerabilities. In other words, Emotet downloads
IcedID as a new payload onto a victim host. Emotet itself spreads largely
through phishing emails. Once it has silently installed itself on a host, Emotet
downloads further malware.
In addition to common Trojan functions, IcedID is also able to spread itself
across networks. It monitors the victim's online activities by setting up a local
proxy. Its attack methods include web injections and sophisticated
redirections similar to the scheme used by Dridex and TrickBot.
Attack Process
Machine Analysis
NSFOCUS Threat Analysis Center (TAC) detected this malware and
provided the following analysis results:
High-Level Analysis
Execution Process
1. Start to run.
2. Inject malicious code into a process.
3. Execute the payload.
4. Communicate with the C&C server via HTTPS.
5. Upload information about the new bot.
6. Add a key to the registry to launch upon system startup.
7. Reproduce itself in the temporary directory.
8. Set up a proxy to listen on port 49157.
9. Monitor traffic and launch injection and redirection attacks.
10. Create a .tmp file in the /Temp directory to record the website certificate.
11. Scan for email messages and other sensitive data.
Sample Information
MD5 Value                          Sample Size
38921f28bb********b6e70039ee65f3   365 KB
6899d3b514********635d78357c087e   228 KB
d982c6de62********89da5cfeb04d6f   365 KB
de4ef2e2********29891b45c1e3fbfd   427 KB
Technical Analysis
This sample, once run, reproduces itself under the following path:
C:\Users\{UserName}\AppData\Local\cantimeam
Also, it creates a Run key in the registry to make sure that it is
launched upon system startup.
This sample sets up a proxy which listens on port 49157 to monitor all
traffic of the host. Once a user attempts to access a target website, this
sample redirects him or her to a malicious website and then steals sensitive
information from the victim. For example, when a user submits an access
request to a bank website, this sample brings him or her to a forged website
and steals the victim's account information.
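The two host-level indicators in this section, a Run-key entry launching from the cantimeam folder under %LOCALAPPDATA% and a local proxy listening on TCP port 49157, can be checked together in a triage script. The following is an added example written for this page, not code from the NSFOCUS report; the Run-key values and the netstat -ano output it parses are constructed sample data, and the function names are the author's own.

```python
import re

# Indicators taken from the report above.
IOC_DIR_NAME = "cantimeam"   # folder under %LOCALAPPDATA% the sample copies itself into
IOC_PROXY_PORT = 49157       # port of the local proxy the sample sets up

# Constructed sample of HKCU\...\CurrentVersion\Run values as (name, command line).
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("cantimeam", r"C:\Users\alice\AppData\Local\cantimeam\cantimeam.exe"),
]

# Constructed sample of `netstat -ano` output (TCP rows only).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49157        0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.10:52311     93.184.216.34:443      ESTABLISHED     3044
"""

# Matches a command line located in <anything>\AppData\Local\cantimeam\ (case-insensitive).
_RUN_IOC_RE = re.compile(
    r"\\AppData\\Local\\" + re.escape(IOC_DIR_NAME) + r"\\", re.IGNORECASE
)

# One TCP row of `netstat -ano`: local addr:port, foreign addr, state, pid.
_NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def find_suspicious_run_values(run_values):
    """Return the (name, command) Run entries that launch from the cantimeam folder."""
    return [(name, cmd) for name, cmd in run_values if _RUN_IOC_RE.search(cmd)]


def find_proxy_listeners(netstat_text, port=IOC_PROXY_PORT):
    """Return listening TCP sockets bound to `port` as dicts with address and pid."""
    hits = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m or m["state"] != "LISTENING" or int(m["lport"]) != port:
            continue
        hits.append({"laddr": m["laddr"], "port": port, "pid": int(m["pid"])})
    return hits


def triage(run_values, netstat_text):
    """Combine both checks into a verdict a responder can act on.

    49157 lies inside the Windows dynamic port range (49152-65535), so a
    listener there on its own is weak evidence; the Run-key entry is what
    makes the finding actionable, and the listener's PID tells you which
    process to examine.
    """
    persistence = find_suspicious_run_values(run_values)
    listeners = find_proxy_listeners(netstat_text)
    if persistence and listeners:
        verdict = "likely IcedID"
    elif persistence or listeners:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "persistence": persistence,
        "listeners": listeners,
        "suspect_pids": sorted({h["pid"] for h in listeners}),
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RUN_VALUES, SAMPLE_NETSTAT), indent=2))
```

On a live host you would feed `find_suspicious_run_values` the output of a registry query of the HKCU and HKLM Run keys and `find_proxy_listeners` the raw text of `netstat -ano`; the regexes are deliberately anchored on the folder name and the listening state rather than on the executable name, since the report gives only the directory.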
After successfully infecting the host, the malware posts information about the
new bot to the server. As shown in the following bot information, the parameter
b indicates a unique bot ID which is generated based on information of the