New Banking Trojan IcedID Discovered by IBM X-Force Research
IBM X-Force research follows developments in the financial cybercrime arena to map the events and trends that shape the threat landscape for organizations and consumers alike. After a year that has been very active in terms of banking malware, point-of-sale (POS) malware and rampant ransomware attacks, the X-Force team identified a new banking Trojan active in the wild, dubbed IcedID.
According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has modular malicious code with modern banking Trojan capabilities comparable to those of malware such as the Zeus Trojan.
At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list that the malware fetches.
IcedID does not seem to have borrowed code from other Trojans, but it implements comparable features that allow it to perform advanced browser manipulation tactics. Although IcedID’s capabilities are already up to par with those of other banking Trojans such as Zeus, Gozi and Dridex, our researchers believe it will see further updates in the coming weeks.
Served by Emotet
X-Force’s analysis of IcedID’s delivery method suggests that its operators are not new to the cybercrime arena, opting to infect users via the Emotet Trojan. X-Force research believes that a threat actor or a small cybergang has been operating Emotet as a distribution operation for banking Trojans and other malware codes this year. Emotet’s most prominent attack zone is the U.S. To a lesser extent, it also targets users in the U.K. and other parts of the world.
Emotet has been one of the notable malware distribution methods in 2017, serving elite cybercrime groups from Eastern Europe, such as those operating QakBot and Dridex. It has now added IcedID as a new payload drop.
Emotet emerged in 2014 after a leak of the original source code of the Bugat Trojan. It was originally a banking Trojan that preceded Dridex. As such, it is designed to amass and maintain botnets. Emotet persists on the machine and then fetches additional components such as a spamming module, a network worm module, and password and data stealers for Microsoft Outlook email and browser activity.
Emotet itself comes via malspam, usually inside rigged productivity files that contain malicious macros. Once Emotet infects the endpoint, it becomes a silent resident and is operated to serve malware from other cybercriminal groups.[..]
To read the original article: