Endpoint

11/13/2017
03:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

New Banking Trojan Similar to Dridex, Zeus, Gozi

IBM researchers uncover a new form of banking malware distributed as a second-stage infection via the Emotet Trojan.

A newly discovered banking Trojan called IcedID looks a lot Gozi, Zeus, and Dridex - but without any code overlap.

IcedID, which was discovered by IBM X-Force researchers, has capabilities similar to those older financial-stealing malware. "Overall, this is similar to other banking Trojans, but that's also where I see the problem," says Limor Kessem, executive security advisor for IBM Security.

It's rare to see new banking Trojans not based off existing variants, Kessem explains. Indeed, this year has already seen the spread of Scylex, which also shares similarities with Zeus, as well as a Trojan called Silence, which mimics techniques from the Carbanak hacker group to steal from financial organizations.

IcedID - which first emerged in September of this year - targets banks, payment card providers, mobile service providers, payroll, Web mail, and ecommerce sites in the United States and Canada. Two major banks in the United Kingdom are also on the target list.

One sign of IcedID's sophistication is its distribution through the Emotet Trojan, which is designed to amass and maintain botnets. Emotet arrives on target machines via spam emails and is typically disguised in productivity files containing malicious macros. It infects the target endpoint and remains there as a silent tool for cybercriminal groups to distribute malware.

Now it's being used to serve up IcedID, which has a few tactics, tricks, and procedures (TTPs) that stand out from other common Trojan features.

IcedID can propagate over a network, which researchers say is a sign its creators intend to target large businesses. Nation-state attackers commonly use network propagation but banking Trojans rarely do, Kessem explains. The malware can move to other endpoints and infect terminal servers, an indication it targets employees' email to get onto business machines.

Similar to the GootKit Trojan, IcedID monitors victims' online activity by setting up a local proxy to listen and intercept communication from targeted endpoints. Attack tactics include both Web injection attacks and advanced redirection attacks, similar to the strategy employed by Dridex, researchers explain in a blog post.

The redirection scheme is designed to appear as seamless as possible. The legitimate bank's URL is displayed in the address bar and the bank's correct SSL certificate is visible. The malware listens for the target URL and when it encounters a trigger, executes a Web injection. Victims are redirected to fake banking websites and tricked into submitting their credentials, which are sent to the attacker's server.

From this point forward, the attacker controls the session and typically uses social engineering to fool victims into sharing transaction authorization data.

Who broke the ice?

"The company it keeps is already a telling sign that this is not an amateur group," Kessem says. "The sophistication of the code is modular, and it has different details reminiscent of other organized crime groups."

Emotet, originally a banking Trojan and precursor to Dridex, has been used among Eastern European cybercrime groups. Comments in IcedID's code indicate the actors are from Russian-speaking areas, so experts can deduce they are from a certain region.

While researchers believe this is the work of a new attacker, it's difficult to say with certainty. A few malware groups have disappeared from the scene, Kessem explains, and there aren't too many developers who know how to create this Trojan. It's possible the actors are related to another previously disbanded malware but because the code isn't copied, it's tough to tell.

Right now, IcedID deploys on endpoints running various versions of Windows. It does not have any advanced anti-virtual machine or anti-research techniques, aside from requiring a reboot to complete full deployment and possibly evade sandboxes, and communicating via SSL for extra security and to bypass intrusion detection systems.

Researchers believe IcedID's authors aren't done, however, and will add anti-forensic features into the malware over time.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.