Revamped IcedID Banking Trojan Campaign Uses COVID-19 Lure
Researchers Say Malware Steals Financial Data From Bank Customers
Researchers at Juniper also found that the operators behind IcedID have added steganography techniques - the practice of hiding malicious code in image files, according to the report.
As with many other phishing campaigns that use the COVID-19 pandemic as a lure to click on malicious attachments, the IcedID campaign started in March and is ongoing, according to Juniper. Plus, some of the phishing messages in this campaign reference the Family and Medical Leave Act, which allows qualified employees to take unpaid leave, to trick victims into clicking attachments that contain malware, according to the report.
The fraudsters using the IcedID Trojan are targeting users' credentials and payment card data from major financial institutions and retailers, including Amazon.com, American Express, Bank of America, Capital One, Chase, Discover, eBay, E-Trade, J.P. Morgan, Charles Schwab and Wells Fargo, according to the report.
The updates made to IcedID for this campaign show how far-reaching this malware can be, the researchers say. "IcedID is a very complex malware, and there is no doubt the threat actors behind this are very much capable with constant updates to their arsenal," according to the report.
Revamped Banking Trojan
First observed in September 2017 by IBM X-Force researchers, IcedID steals financial data using malicious code injected into a web browser, according to the Juniper report.
In the campaign that Juniper observed, the malware is injected into msiexec.exe - also referred to as MSI - a legitimate installer file format used by Microsoft to deploy applications in Windows, according to the report.
"Msiexec.exe is normally used to install MSI applications," Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, tells Information Security Media Group. "This can trick analysis and detection systems, if you are not looking at msiexec.exe injection."
Once the malware is injected into the msiexec process, it looks for specific browser names, such as Firefox.exe, Chrome.exe and IExplorer.exe. It then creates a local proxy, hooks certain APIs into these browsers and generates a self-signed certificate in the TEMP folder to anchor itself in the infected devices and persist, the report notes.
When the malware gains control of the browser, it injects financial forms into the browser to harvest payment card and other credentials, the researchers note.
IcedID is capable of extracting passwords stored in browsers and mail applications, collecting system information, uploading a file to the command-and-control server, as well as executing shellcode from the server, the report says.
This campaign starts with a phishing email carrying a malicious attachment - usually a Word file - that contains macros. If the macros are enabled, the malware is installed in stages, according to the report.
In the first stage, a malicious binary fetches a second-stage loader that tries to connect to several malicious domains controlled by the attackers.
Most of the domains appear normal except for one that contains a PNG file image that is tagged with the word "IDAT," according to the report. Once the loader finds that PNG image file, it will decrypt it using the RC4 algorithm and execute the other binary embedded in the image.
That binary then starts the third stage, which installs the IcedID Trojan within the infected devices and hides it as a PNG file to help maintain persistence, according to the report.
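A defensive triage check for the PNG-carried stages described above, as an added example that is not code from the Juniper report or this article: it walks a PNG's chunks and flags files whose IDAT data does not inflate to image rows matching the IHDR header. It assumes an RC4-encrypted payload stored in IDAT will fail zlib decompression; the function names and sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def chunks(data):
    """Yield (type, body, crc_ok) for every chunk in a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:end - 4]
        yield ctype, body, data[end - 4:end] == struct.pack(">I", zlib.crc32(ctype + body))
        pos = end

def audit_png(data):
    """Return findings; an empty list means IDAT inflates to rows matching IHDR."""
    findings, idat, ihdr = [], b"", None
    for ctype, body, crc_ok in chunks(data):
        if not crc_ok:
            findings.append("bad CRC in " + ctype.decode("latin-1"))
        if ctype == b"IHDR" and len(body) == 13:
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body  # all IDAT chunks together form one zlib stream
    try:
        pixels = zlib.decompress(idat)
    except zlib.error:
        return findings + ["IDAT is not a zlib stream"]
    if ihdr and ihdr[6] == 0 and ihdr[3] in CHANNELS:  # skip interlaced images
        width, height, depth, colour = ihdr[:4]
        row = 1 + (width * CHANNELS[colour] * depth + 7) // 8  # filter byte + pixels
        if len(pixels) != height * row:
            findings.append("IDAT size does not match IHDR dimensions")
    return findings

def make_png(idat_body, width=2, height=2):  # builder for the constructed samples
    def chunk(kind, body):
        return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat_body) + chunk(b"IEND", b"")

# Constructed samples: a real 2x2 RGB image, and opaque bytes standing in for ciphertext.
GOOD = make_png(zlib.compress(b"\x00\xff\x00\x00\xff\x00\x00" * 2))
OPAQUE = make_png(bytes((i * 73 + 41) % 256 for i in range(64)))
```

A clean result does not prove a file is benign, since data can also be hidden in valid pixel values; a finding is a reason to pull the file for closer analysis.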
"The second stage will download the succeeding stages," Hahad says. "From here, the steganography comes into play. The second stage downloads the third stage as a PNG file. The third stage will download the IcedID main module as a PNG file."