A new variant of the IcedID banking Trojan spreads using COVID-19 lures

Pierluigi Paganini June 22, 2020

Experts spotted a new version of the IcedID banking trojan that uses steganography to infect victims as part of COVID-19 themed attacks.

A new version of the IcedID banking trojan was employed in COVID-19 themed attacks, the new variant uses steganography to infect victims and implements anti-detection capabilities.

Researchers at Juniper Threat Labs have spotted COVID-19 themed spam campaign targeting users in the United States, the new version is also able to eavesdrop on victims’ web activity.

The messages use weaponized attachments that once opened will load the IcedID banking trojan.

IcedID banking trojan first appeared in the threat landscape in 2017, it has capabilities similar to other financial threats like GoziZeus, and Dridex. Experts at IBM X-Force that first analyzed it noticed that the threat does not borrow code from other banking malware, but it implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims.

The campaign recently spotted by the experts at Juniper Threat Labs aimed at stealing credentials and payment-card data from Amazon.com, American Express, AT&T, Bank of America, Capital One, Chase, Discover, eBay, E-Trade, J.P. Morgan, Charles Schwab, T-Mobile, USAA, Verizon Wireless, Wells Fargo and others.

“This new campaign changes tactics by injecting into msiexec.exe to conceal itself and use full steganography for downloading its modules and configurations.” reads the analysis published by Juniper, “Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as “.dat” files. This campaign also takes advantage of the COVID-19 pandemic by using keywords such as COVID-19 and FMLA in email sender names and attachment names.”

Unlike previous variants, the latest variant injects into msiexec.exe to manipulate the browser traffic and uses steganography for downloading its modules and configurations.

Upon opening the malicious document, it drops a first-stage binary that in turn fetches a second-stage loader. The loader retrieves another loader, which downloads a third-stage payload, which unpacks an embedded binary in its resource and executes it. Once unpacked, it will download the main module of the IcedID banking trojan as a PNG file from the following link:

  • https://cucumberz99[.]club/image?id={01XXXXXXXXXXXXXXXXXXXXXX}This image is stored at that specific location so that when the third stage loader starts, it does not need to download it again. The size of the image is more than 600KB and embedded in it is the encrypted IcedID main module. The encryption algorithm is RC4 and the keys are also embedded in the image at specific offset. 

“The decrypted code is not a complete PE image, as it does not contain any header. Most of its strings are also encrypted, which makes analysis even harder.” continues the analysis.

“[The second-stage loader] first unpacks itself by reading a binary file embedded in its resource, decrypting it and executing in memory. It will then loop on [several] domains, using WinHTTP queries,” according to the analysis. “All of the…queries are normal, except for connuwedro[.]xyz. It does this to evade detection by trying to blend to normal traffic.”

The third-stage loader installs IcedID on the target machine, the malware achieves persistence by creating a scheduled task that will execute every hour.

Once the IcedID main module code is injected into the msiexec.exe process, it will start connecting the command-and-control server and await commands. The malware core’s main function is to steal financial data using webinjects. The IcedID watches for specific browser process names:

  • Firefox.exe
  • Chrome.exe
  • Iexplore.exe

If the victim opens a browser window, the IcedID malware creates a local proxy that listens on 127.0.0.1:56654; hooks APIs on the browsers; and generates a self-signed certificate in the %TEMP% folder.

“With these three things, all connections to the browser are proxied to msiexec.exe and it achieves full control of the browser,” continues the analysis. “It will monitor browser activity related to financial transactions and inject forms on the fly to try to steal credit-card details.”

Juniper researchers concluded that the IcedID is a very sophisticated malware developed by high-skilled attackers that continuously update their arsenal.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IcedID)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment