IcedID Banking Trojan Combines with Ursnif/Dreambot for Expansion
The Cisco Talos team recently observed that infections with the IcedID banking Trojan are increasing rapidly. Further analysis showed that in its new campaigns the Trojan has rarely relied on the Emotet Trojan to spread, turning instead to the Rovnix Trojan.
IcedID is a banking Trojan first discovered and reported by the IBM X-Force security research team in November 2017. According to IBM X-Force, IcedID was found being delivered by another notorious banking Trojan, Emotet.
The Talos team stated that IcedID infections have risen sharply since the end of February this year. As in November 2017, some infections can be traced back to Emotet, but more of them trace back to emails carrying malicious Microsoft Word documents that contain macros. When a victim opens the document and enables the macro, another Trojan, Ursnif/Dreambot, is downloaded and executed, and it in turn downloads IcedID.
The Talos team pointed out that the new communication activities have two major characteristics:
- The targeted nature of the emails that use spear-phishing techniques to entice victims into opening the malicious Microsoft Word documents.
- The minimalist code injection technique used by IcedID that improves on existing code injection techniques, and is harder to detect.
IcedID uses this minimalist code injection technique to inject malicious code into the Windows svchost.exe process without needing to create a new thread in the target process, which sidesteps detections that key on a remote thread being created.
The infection chain differs little from other phishing campaigns. When the victim opens the malicious document, they are asked to enable macros in order to view its content. Once macros are enabled, the macro downloads and executes a Bitcoin mining program together with the IcedID Trojan.
Security researchers say the malicious capabilities of IcedID are comparable to those of major banking Trojans such as Zeus, Gozi, and Dridex, and that it may remain a significant financial cybercrime threat for a long time. Although its attacks still mainly target the United States and the United Kingdom, there is no guarantee that it will not spread to other countries and regions.