U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

IcedID, a new sophisticated banking Trojan doesn’t borrow code from other banking malware

Researchers at IBM have spotted a new banking malware dubbed IcedID has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Malware researchers at IBM X-Force have spotted a new strain of banking malware dubbed IcedID has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. IcedID does not borrow code from other banking malware, but it […]

IcedID

Researchers at IBM have spotted a new banking malware dubbed IcedID has capabilities similar to other financial threats like Gozi, Zeus, and Dridex.

Malware researchers at IBM X-Force have spotted a new strain of banking malware dubbed IcedID has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. IcedID does not borrow code from other banking malware, but it implements comparable features.

“Overall, this is similar to other banking Trojans, but that’s also where I see the problem,” says Limor Kessem, executive security advisor for IBM Security.

The banking Trojan was first observed in September in campaigns aimed at banks, payment card providers, mobile service providers, payroll, Webmail, and e-commerce sites in the United States and Canada.

The malware also targeted two major banks in the United Kingdom.

The experts highlighted the distribution technique adopted by IcedID that leverages on the Emotet Trojan. Emotet is delivered via spam emails, usually disguised in productivity files containing malicious macros, and remains stealth to be used by operators to distribute other payloads, such as IcedID.

IcedID implements the ability to propagate over a network, a circumstance that suggests authors developed it to target large businesses.

IcedID can propagate over a network. It monitors the victim’s online activity by setting up a local proxy for traffic tunneling, which is a concept reminiscent of the GootKit Trojan. Its attack tactics include both webinjection attacks and sophisticated redirection attacks similar to the scheme used by Dridex and TrickBot.” reads the analysis published by IBM.

The redirection scheme implemented by IcedID is designed to appear as seamless as possible to the victim. It includes displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate by keeping a live connection with the actual bank’s site.

The malware listens for the target URL and when it encounters a trigger, executes a Web injection. Victims are redirected to fake banking websites, used by crooks to trick victims into submitting their credentials.

IcedID

The attacker controls the victim’s session and uses social engineering to trick victims into sharing transaction authorization data.

The level of sophistication of the IcedID malware suggests the attackers belong to a well-structured group. The analysis of comments in IcedID code indicates the attackers are from Russian-speaking regions.

Experts believe the threat could evolve in the next future, for example by implementing advanced anti-virtual machine or anti-research techniques along with techniques to evade sandboxes.

Further technical details on the malware, including the Indicators of Compromise, are available in the blog post published by IBM.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – banking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]