IcedID with COVID-19 Theme

Platform: Windows 



IcedID makes another appearance by means of a pandemic scare. IcedID’s premise is to steal banking information from the client machine via a man-in-the-browser attack. IcedID is normally dropped by other malware such as Emotet, which also aims to steal banking information. Once the operators can either log into the victim's bank account or hijack the live banking session, the malware starts automating fraudulent transactions.


IcedID has a history of bypassing antivirus programs by running persistently using process hollowing, where it runs inside another legitimate process but with malicious intent. After reading several articles related to IcedID with a COVID-19 theme, I found there were different variants of this malware. This variant normally gets installed by malspam tactics. It reflects how heavily cyber criminals are utilizing the scare tactics of COVID-19 to get their victims to do just as they want them to do.



In the analysis by Malware-Traffic-Analysis.net, we learn that this variant was being spread through a Word document that reads “Document created in earlier version of Microsoft Office Word” and directs the user to click Enable Editing and Enable Content (a big no-no, as this allows the macros within the document to run).







After enabling those settings, an EXE file as well as a DLL are dropped on the computer, and a task is configured in Task Scheduler to keep the IcedID EXE persistent on startup. Meanwhile, a PNG file is created which holds the encoded data related to the IcedID infection by use of steganography. The malware doesn't come to life until the system reboots and the user opens a browser. Only then does it begin injecting code into the browser and redirecting web traffic through proxies that can send the victim to a replica banking website.



Shown above:  DLL dropped after enabling macros, and the initial IcedID EXE that appeared immediately afterward.



Shown above:  Location of the persistent IcedID executable.




Shown above:  Traffic from the infection filtered in Wireshark.
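As an added example (not from the original post or from the analyses it cites), here is a small Python detector for the infection chain described above, run over constructed Sysmon-style process-creation records: an Office application spawning a dropped executable, rundll32 loading a DLL from a user-writable folder, and a scheduled task registered for a user-writable binary. All paths, file names and task names are made up for the example.

```python
"""Flag the macro -> dropped EXE/DLL -> scheduled-task chain in process-creation records."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# User-writable locations where a macro can drop files without admin rights.
USER_WRITABLE = re.compile(
    r"c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.IGNORECASE)

# Constructed sample records (hypothetical paths and names, not real indicators).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE invoice.doc"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "update.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,PluginInit"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r"schtasks /Create /SC ONLOGON /TN Updater /TR C:\Users\alice\AppData\Roaming\svc\svc.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the names of the rules a record matches (empty list if benign)."""
    hits = []
    image, parent, cmd = event["image"], event["parent"], event["cmdline"]
    if basename(parent) in OFFICE_APPS and USER_WRITABLE.search(image):
        hits.append("office_spawns_dropped_exe")
    if basename(image) == "rundll32.exe" and USER_WRITABLE.search(cmd):
        hits.append("rundll32_loads_user_dll")
    if basename(image) == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("task_persists_user_binary")
    return hits


def scan(events):
    """Map record index -> matched rules, keeping only records that fired."""
    results = {}
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[idx] = hits
    return results
```

Each rule alone is noisy in a real estate; correlating them on the same host and parent chain within a short window is what makes the alert meaningful.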


After reading more about IcedID, I found it to be more and more complex in the methods it uses to retrieve and manipulate the data. What's even more troublesome is its ability to find ways to bypass antivirus applications. IcedID is still fairly new, and people have used so many different ways to get victims to click the bait. This is another example of why we should all continue to practice being the human firewall for our company.


-Shante Perrin




Sources

2020-05-27 - COVID19-THEMED WORD DOC PUSHES ICEDID (BOKBOT)

https://malware-traffic-analysis.net/2020/05/27/index.html 

Security Primer – IcedID

https://www.cisecurity.org/wp-content/uploads/2019/09/Security-Primer-IcedID.pdf 

New Banking Trojan IcedID Discovered by IBM X-Force Research

https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ 

IcedID Banker is Back, Adding Steganography, COVID-19 Theme

https://threatpost.com/icedid-banker-adding-steganography-covid-19-theme/156718/ 



