IcedID Expanding Target List
Although ransomware has been getting all the headlines in the news, banking trojans continue to be a problem: new variants are constantly evolving and bringing new risks. At UAB we have been looking closely at banking trojans such as Ramnit, TrickBot and IcedID. Recently, Cliff Wilson, a malware analyst in the UAB malware lab, helped establish that TrickBot is spamming. TrickBot was silent for the past week, so he was asked to take a deeper look at the IcedID banking trojan.
IcedID Banking Trojan
This analysis focuses on the malware sample with the hash:
ESET identifies this sample as “Win32/Spy.Icedid.A”, although many AV engines, including Ahn, Aegis and Kaspersky, classify it as part of the Andromeda family. As with most malware, many engines offer only the meaningless “Generic” identifier, such as AVG (Win32:Malware-Gen), McAfee (Generic Trojan.i), Symantec (Trojan.Gen.2) and TrendMicro (TROJ_GEN.R002C0WL517).
While testing this sample, we noticed the same behavior we have observed before: web injects and phishing pages on financial websites. During further analysis of the IcedID process and its web-injects, Cliff made an interesting observation.
The URL https[:]//financebankpay[.]com/ was found in the web injects and hosts dozens of ‘mock’ web pages and phishing pages for IcedID’s targeted sites. The pages we had observed in the earlier IcedID sample were still present: pages for Discover, Citi, Chase, Amazon, Amex and a few others. Several new pages were also discovered that we had not observed before.
FinanceBankPay.com was purchased from Chinese registrar EraNet and hosted on a Russian IP address. The WHOIS information was bogus, borrowing the name of a man from Texas, but saying he lived in the city of “Kileen” with the state “DK”, using a throw-away email from “pokemail.net” for his WHOIS email address.
When a victim visited a targeted URL, the malware loaded the web inject by pulling a page from one of the following paths on FinanceBankPay.com and presenting it as if it were content from the real brand:
- cashpro (a banking portal for Bank of America)
- ktt_key (KeyBank)
- live (Microsoft email services)
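Because the inject pages are fetched from a fixed third-party host, the fetch itself is visible in web proxy logs even when the injected page looks legitimate in the browser. The following script is an added example (not code from the original post or from UAB): it scans Squid-style proxy log lines for requests to the host named above and maps the first path segment to the brand the post says it impersonates. The log lines are constructed for the demonstration, and the `INJECT_PATHS` mapping is taken from the list above.

```python
"""Flag proxy log entries that fetch IcedID web-inject pages from the host
and path prefixes named in the post.  Added example; log lines are constructed."""
import re
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn the post's defanged form ('financebankpay[.]com') into a usable host string."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


# Host from the post (written defanged there) and the path prefixes it lists,
# mapped to the brand each inject page impersonates.
INJECT_HOST = refang("financebankpay[.]com")
INJECT_PATHS = {
    "cashpro": "Bank of America (CashPro)",
    "ktt_key": "KeyBank",
    "live": "Microsoft email services",
}

# Constructed Squid access.log lines (timestamp, elapsed, client, code/status,
# bytes, method, URL, ...).  Not real traffic.
SAMPLE_LOG = """\
1512345678.123    120 10.0.0.5 TCP_MISS/200 4521 GET https://www.keybank.com/ - HIER_DIRECT/1.2.3.4 text/html
1512345679.456     88 10.0.0.5 TCP_MISS/200 9120 GET https://financebankpay.com/ktt_key/login.html - HIER_DIRECT/5.6.7.8 text/html
1512345680.789     40 10.0.0.7 TCP_MISS/200 1200 GET https://financebankpay.com/live/index.php?x=1 - HIER_DIRECT/5.6.7.8 text/html
1512345681.000     40 10.0.0.9 TCP_MISS/200  700 GET https://example.com/cashpro/ - HIER_DIRECT/9.9.9.9 text/html
1512345682.000     40 10.0.0.9 TCP_MISS/200  700 GET https://financebankpay.com/favicon.ico - HIER_DIRECT/5.6.7.8 image/x-icon
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_url(url: str):
    """Return the impersonated brand when url is on the inject host under a
    known path prefix; None for other hosts or unmapped paths."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != INJECT_HOST:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return None
    return INJECT_PATHS.get(segments[0].lower())


def scan_proxy_log(text: str):
    """Return (client, url, brand) for every request to the inject host.
    Unknown paths on that host are still reported, since any contact with
    the inject server is worth a look."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if (urlsplit(url).hostname or "").lower() != INJECT_HOST:
            continue
        brand = classify_url(url) or "unmapped path on inject host"
        hits.append((m.group("client"), url, brand))
    return hits


if __name__ == "__main__":
    for client, url, brand in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} fetched {url} -> {brand}")
```

The path match is deliberately on the first segment only, because the post names the directories rather than specific files; a request to `example.com/cashpro/` is correctly ignored, since the indicator is the host, not the word.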
A few examples of the new emulated pages with injected code are as follows.
Fig. 1: Login page for Google account
Fig. 2: Login page for Outlook
US-based banks
Fig. 3: Stealing credit card details and PIN for a US bank
Fig. 4: Business portal login for a US-based bank
- created the directory \onaodecan in \AppData\Local
- created “sonansoct.exe” within this directory
- soon after created a .TMP file within \AppData\Local\Temp
- opened this file as a process, then closed the main process
- this file was updated throughout the testing period
- other .TMP files were also created, but not executed (further analysis of these files is needed)
- any visited URL could be found in the memory strings of the .TMP process after it was visited
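The file and process activity listed above forms a recognisable chain on the host: an executable dropped into a fresh directory under AppData\Local, a .TMP written to AppData\Local\Temp, that .TMP started as a child process, and the original process exiting. The script below is an added example (not the post's or UAB's code) that correlates Sysmon-style FileCreate, ProcessCreate and ProcessTerminate records into that chain. The event records are constructed to mirror the behaviour described above; the file names `invoice.exe` and `~DF12AB.TMP` are hypothetical, while `onaodecan` and `sonansoct.exe` are the names the post reports.

```python
"""Correlate Sysmon-style events into the IcedID staging chain the post
describes.  Added example; the event records below are constructed."""
import re
from collections import defaultdict

LOCAL_APPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed events using Sysmon event ids:
# 11 = FileCreate, 1 = ProcessCreate, 5 = ProcessTerminate.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\u\Downloads\invoice.exe"},
    {"id": 11, "pid": 4100, "target": r"C:\Users\u\AppData\Local\onaodecan\sonansoct.exe"},
    {"id": 11, "pid": 4100, "target": r"C:\Users\u\AppData\Local\Temp\~DF12AB.TMP"},
    {"id": 1, "pid": 4222, "ppid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\~DF12AB.TMP"},
    {"id": 5, "pid": 4100, "image": r"C:\Users\u\Downloads\invoice.exe"},
    # Benign noise: an installer writing a .tmp it never executes, and a normal child process.
    {"id": 11, "pid": 5000, "target": r"C:\Users\u\AppData\Local\Temp\setup.tmp"},
    {"id": 1, "pid": 5001, "ppid": 5000, "image": r"C:\Program Files\Good\good.exe"},
]


def is_dropped_exe(path: str) -> bool:
    """An .exe written somewhere under AppData\\Local, but not into Temp."""
    return (bool(LOCAL_APPDATA.search(path)) and not TEMP_DIR.search(path)
            and path.lower().endswith(".exe"))


def is_temp_tmp(path: str) -> bool:
    """A .TMP written into AppData\\Local\\Temp."""
    return bool(TEMP_DIR.search(path)) and path.lower().endswith(".tmp")


def find_staging_chains(events):
    """Return one finding per dropper pid that wrote an .exe under AppData\\Local,
    wrote a .TMP to Temp, and then started that .TMP as a child process.
    'dropper_exited' records whether the dropper terminated afterwards."""
    dropped_exe = defaultdict(list)   # pid -> dropped .exe paths
    written_tmp = defaultdict(set)    # pid -> lower-cased .tmp paths it wrote
    tmp_executed = defaultdict(list)  # pid -> .tmp paths it launched as children
    terminated = set()
    for ev in events:
        if ev["id"] == 11:
            target = ev["target"]
            if is_dropped_exe(target):
                dropped_exe[ev["pid"]].append(target)
            elif is_temp_tmp(target):
                written_tmp[ev["pid"]].add(target.lower())
        elif ev["id"] == 1 and "ppid" in ev:
            # Only a .tmp that the parent itself wrote counts, which keeps
            # installers that spawn ordinary children out of the result.
            if ev["image"].lower() in written_tmp.get(ev["ppid"], ()):
                tmp_executed[ev["ppid"]].append(ev["image"])
        elif ev["id"] == 5:
            terminated.add(ev["pid"])

    findings = []
    for pid, tmps in tmp_executed.items():
        if dropped_exe.get(pid):
            findings.append({
                "dropper_pid": pid,
                "dropped_exe": dropped_exe[pid],
                "executed_tmp": tmps,
                "dropper_exited": pid in terminated,
            })
    return findings


if __name__ == "__main__":
    for f in find_staging_chains(SAMPLE_EVENTS):
        print(f)
```

Requiring all three links (dropped .exe, written .TMP, .TMP launched by the same parent) is what separates this from the many legitimate installers that write to Temp; the `dropper_exited` flag is kept as supporting context rather than as a requirement, since the post observed the main process closing only after the .TMP was running.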
This is a Security Bloggers Network syndicated blog post authored by Malware Secrets. Read the original post at: CyberCrime & Doing Time