Over the past years, cybercrime has grown exponentially. Scammers use different tricks to dupe users, all of them financially motivated. Recently, a new banking trojan dubbed IcedID has been discovered targeting banks, payment gateways, mobile service providers, and e-commerce sites in the United States, the UK and Canada.
A banking trojan is a malicious program that operates through the online banking system to empty victims' bank accounts. IcedID is a new entrant but can cause widespread destruction and chaos in cyberspace. According to researchers, it is still unclear whether IcedID is a commercial trojan or is available on the dark web.
What is IcedID?
It is a new pest in the banking trojan family that uses web injection and redirection tactics to collect users' financial data. IcedID can spread across networks, infect terminal servers and also keep an eye on victims' online activities. To do so, a local proxy is set up for traffic tunneling using both web injection and redirection techniques. Its impact is still unclear, but initial reports show that its influence is limited.
The Emotet downloader is used to distribute and deliver the trojan; if your security has been compromised by the Emotet downloader in the past, you can be a victim of IcedID.
How is it delivered?
Emotet, a well-known malware distribution tool, is used to deliver the trojan. Originally it was used to collect and maintain botnets. Emotet stays on the machine and collects components such as a spamming module, a network worm module, and password and data bugs to spread the infection. Once a machine is infected, Emotet resides on the device and operates to serve malware.
Botnets are used as a malware delivery platform.
How Does it Work?
During its initial stage, IcedID downloads from its C&C server a configuration file that contains the trojan's targets; the attack is triggered when the user opens the browser. Web injection is used to attack online banking portals, and redirection is used for payment card and webmail sites.
IcedID sets up a local proxy running on port 49157 for redirection and to intercept and funnel web traffic, which is sent to the C&C server. At first the redirection looks legitimate, as the bank's URL is displayed in the address bar with the correct SSL certificate; this is possible because the trojan keeps a live connection with the bank's actual site while redirecting the victim. The victim is then asked to enter credentials on the fake page, which are shared with the scammer. Social engineering tactics are used to obtain further information.
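A defender-side check for the behaviour described above, added here as an example and not part of the original article: it parses netstat-style connection records (constructed sample data, assumed layout) and flags a loopback listener on port 49157 together with browser processes whose traffic is being tunnelled to it. The browser list and the record format are assumptions.

```python
import re
from dataclasses import dataclass

# Loopback proxy port IcedID opens for redirection (from the article).
ICEDID_PROXY_PORT = 49157
# Assumed set of browser process names to watch for loopback tunnelling.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

# Constructed sample in a netstat-like layout: proto local remote state pid process.
SAMPLE_CONNECTIONS = """\
TCP 127.0.0.1:49157 0.0.0.0:0 LISTENING 4120 svchost.exe
TCP 127.0.0.1:51002 127.0.0.1:49157 ESTABLISHED 2288 chrome.exe
TCP 192.168.1.20:51010 203.0.113.10:443 ESTABLISHED 2288 chrome.exe
TCP 127.0.0.1:49157 127.0.0.1:51002 ESTABLISHED 4120 svchost.exe
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880 svchost.exe
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")


@dataclass
class Finding:
    kind: str
    pid: int
    process: str
    detail: str


def parse_connections(text):
    """Turn each well-formed record into a dict; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, laddr, lport, raddr, rport, state, pid, proc = m.groups()
            rows.append(dict(proto=proto, laddr=laddr, lport=int(lport), raddr=raddr,
                             rport=int(rport), state=state, pid=int(pid), process=proc.lower()))
    return rows


def find_icedid_proxy_indicators(text):
    """Flag a 127.0.0.1:49157 listener and any browser connected to it."""
    findings = []
    for r in parse_connections(text):
        if r["state"] == "LISTENING" and r["lport"] == ICEDID_PROXY_PORT and r["laddr"].startswith("127."):
            findings.append(Finding("loopback_listener", r["pid"], r["process"],
                                    f"listening on 127.0.0.1:{ICEDID_PROXY_PORT}"))
        elif r["process"] in BROWSERS and r["raddr"].startswith("127.") and r["rport"] == ICEDID_PROXY_PORT:
            findings.append(Finding("browser_to_proxy", r["pid"], r["process"],
                                    f"browser traffic tunnelled via 127.0.0.1:{ICEDID_PROXY_PORT}"))
    return findings
```

Port 49157 falls inside the Windows ephemeral range, so a listener there is only a weak signal on its own; the browser-to-loopback pairing is the indicator worth alerting on, and confirmation still requires inspecting the listening process.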
Does IcedID Resemble a Banking Trojan?
IcedID does share some similarities, such as the use of web injection and redirection techniques, with other banking trojans such as Zeus, Gozi and DRIDEX. Only the common features are shared, not the code. It is a new malware in its own right.
A flaw has been detected in the IcedID trojan, which means that it can be stopped by multi-layered security solutions.
Finally, we can say that banking trojans have been overshadowed by ransomware, but they are still a serious threat. They have started to spread their roots in ways you may not be able to identify at first, as they show the actual URL in the address bar and then redirect you to malicious sites. This poses a serious threat that puts our online banking at risk.