IcedID Stealer Man-in-the-browser Banking Trojan
IcedID stealer (also known as BokBot) was first discovered at the end of 2017 and is believed to be a resurgence of the NeverQuest banking Trojan. It is a modular banking trojan that uses man-in-the-browser (MitB) attacks to steal banking credentials, payment card information and other financial data.
The stealer possesses relatively sophisticated functionality and capabilities such as web injects, a large remote access trojan (RAT) arsenal and a VNC module for remote control. Additionally, the use of steganography to hide configuration data along with anti-VM detection and anti-debugging techniques complicate detection and analysis.
IcedID’s typical range of targets includes the customers of banks and telecommunications organizations worldwide, leading to impacts including brand abuse, funds theft and customer data breaches.
Cyberint have recently observed an ongoing campaign targeting users in the APAC region with an apparent focus on the Philippines and Japan.
The IcedID stealer is traditionally delivered by malspam lures based on Emotet, with Microsoft Word attachments weaponized with malicious macros.
While the majority of recently detected lure documents were written in English and targeted a wide range of users, localized campaigns have also been reported. One such recent example targeted users located in Japan with lure documents in Japanese, likely indicating that the threat actor behind this threat is relatively sophisticated and may focus on specific geographies as potential targets, adjusting their arsenal accordingly.
Whilst it is not possible to attribute IcedID to a specific group, past indications suggest a potential link to the following threat actors:
- Lunar Spider
As this is a generic malspam campaign that uses Emotet as the delivery mechanism, the lures sent to targeted users carry a generic subject (quotation/request/Document/report).
The email contains an attached ZIP folder protected by a password provided within the email body. At the next stage, once the user extracts the document file from the ZIP folder, they will be requested to ‘Enable Content’ (Figure 1) within Microsoft Word, leading to malicious Macro code being executed whilst decoy content (Figure 2) is displayed.
Figure 1 – Prompt to relax security controls
Figure 2 – Decoy document content
Document metadata detected as Russian
Threat actor email address, used for the file creation
Once executed, the macro writes a variety of files to the drive, used for the download and decryption of the latest IcedID trojan, including an up-to-date configuration file containing a list of target bank and telecommunication organizations. In some cases this was observed as a DLL file, whereas in others it was a steganographically obfuscated PNG file (Figure 3).
Figure 3 – PNG Configuration Payload
Although IcedID surfaced in 2017 and many iterations of the trojan have been well investigated by security researchers globally, several new techniques were added over the past year (circa January 2020) to detect and evade sandboxes and to generally hide the execution process.
It was also noticed that the malware creates a new folder with a random name, where it saves a downloaded configuration in encrypted form (Figure 4).
Figure 4 – Download directory
Inside the %TEMP% folder, it drops some non-malicious helper elements: sqlite32.dll (used for reading the SQLite databases found in web browsers) and a certificate that will be used for intercepting traffic (Figure 5).
Figure 5 – Temp directory
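A host triage sketch for the two helper artifacts described above, added here as an example and not taken from Cyberint's tooling: it walks a directory such as %TEMP% and reports folders holding sqlite32.dll, rated higher when a certificate file sits beside it. The certificate extensions, the rating labels and the sample tree are assumptions or constructed, since the report names no certificate file.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HELPER_DLL = "sqlite32.dll"                    # file name given in the report
CERT_EXTS = {".cer", ".crt", ".der", ".pem"}   # assumption: the report names no certificate file


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_temp(temp_dir):
    """Report every directory under temp_dir that holds the helper DLL.

    The DLL is benign on its own, so it is rated "review"; the DLL with a
    certificate file beside it matches the report and is rated "high".
    """
    findings = []
    for root, _dirs, files in os.walk(temp_dir):
        dll = next((f for f in files if f.lower() == HELPER_DLL), None)
        if dll is None:
            continue
        certs = sorted(f for f in files if Path(f).suffix.lower() in CERT_EXTS)
        findings.append({
            "directory": root,
            "dll_sha256": sha256_of(os.path.join(root, dll)),  # for IoC lookup
            "certificates": certs,
            "rating": "high" if certs else "review",
        })
    return findings


def build_sample_tree():
    """Constructed sample: one matching folder, one DLL-only, one clean."""
    base = Path(tempfile.mkdtemp(prefix="icedid_triage_"))
    layout = {"a": ["SQLite32.dll", "proxy.crt"], "b": ["sqlite32.dll"], "c": ["notes.txt"]}
    for sub, names in layout.items():
        (base / sub).mkdir()
        for name in names:
            (base / sub / name).write_bytes(b"constructed sample, not malware")
    return str(base)


if __name__ == "__main__":
    for finding in triage_temp(build_sample_tree()):
        print(finding)
```

The returned SHA256 values can be compared against the sample hashes published for the campaign.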
Once a host is infected, IcedID steals data related to banking transactions by injecting implants into browsers and using API hooks and a ‘Man-in-the-Browser’ (MitB) attack to manipulate visited webpages.
Figure 6 – Web-inject strings found in memory
Figure 7 – Mozilla Firefox Web-inject
Figure 8 – Injected code snippet executed on the client side (Example code available via GitHub)
The core bot that runs inside the memory of the svchost process observes other processes running on the system and injects implants into browsers, for example as seen in Mozilla Firefox (Figure 7).
The hooked scripts, loaded from modified browser DLLs, communicate with the main bot process residing inside the svchost process. The main bot coordinates the work of all the injected components and exfiltrates stolen data to the C2 server.
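Because the core bot lives inside an svchost process, svchost.exe launches that break the normal Windows pattern are worth alerting on. The detection below is an added example, not code from the report: it assumes the hosting svchost.exe is started by the malware rather than by services.exe, assumes Windows is installed on C:, and runs over constructed records that use Sysmon Event ID 1 field names.

```python
import ntpath

# Constructed process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\example.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"svchost.exe"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"firefox.exe"},
]

# Assumption: Windows is installed on C:.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_PARENT = r"c:\windows\system32\services.exe"


def svchost_anomalies(event):
    """Return the reasons a svchost.exe launch deviates from the normal pattern."""
    image = event["Image"].lower()
    if ntpath.basename(image) != "svchost.exe":
        return []  # not a svchost launch, nothing to check
    reasons = []
    if ntpath.dirname(image) not in EXPECTED_DIRS:
        reasons.append("image outside System32/SysWOW64")
    if event["ParentImage"].lower() != EXPECTED_PARENT:
        reasons.append("parent is not services.exe")
    if "-k" not in event["CommandLine"].lower().split():
        reasons.append("no -k service group argument")
    return reasons


def detect(events):
    """Return (index, reasons) for every event with at least one anomaly."""
    hits = []
    for index, event in enumerate(events):
        reasons = svchost_anomalies(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], reasons)
```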
In order to properly hide and encrypt its communication processes, all C2 communications are made over HTTPS using the trojan’s own certificate (Figure 9).
- Notify customer care of the ongoing threat in case of funds loss.
- Cyberint recommends that customers educate their end-users and always check for unusual browser behaviors that may lead to account compromise or funds theft.
- Phishing awareness for end-users is advised.
- Usage of a modern, updated AV solution is advised.
- MFA should be enabled on all end-user accounts.
Indicators Of Compromise
Based on strings extracted from IcedID samples, the following brands and/or organizations appear to be targeted:
Bank Of America
The following SHA256 hashes relate to recently observed IcedID malware samples:
Command & Control Infrastructure
The following command and control (C2) IP addresses have recently been observed as IcedID infrastructure:
The following techniques have been observed in recent IcedID campaigns:
| Technique | Tactic |
|---|---|
| T1027 – Obfuscated Files or Information | Defense Evasion |
| T1027.002 – Software Packing | Defense Evasion |
| T1027.003 – Steganography | Defense Evasion |
| T1047 – Windows Management Instrumentation | Execution |
| T1053.005 – Scheduled Task/Job: Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1059.005 – Command and Scripting Interpreter: Visual Basic | Execution |
| T1069 – Permission Groups Discovery | Discovery |
| T1071.001 – Application Layer Protocol: Web Protocols | Command & Control |
| T1082 – System Information Discovery | Discovery |
| T1087.002 – Account Discovery: Domain Account | Discovery |
| T1105 – Ingress Tool Transfer | Command & Control |
| T1106 – Native API | Execution |
| T1137.001 – Office Application Startup: Office Template Macros | Persistence |
| T1185 – Man in the Browser | Collection |
| T1204.002 – User Execution: Malicious File | Execution |
| T1218.007 – Signed Binary Proxy Execution: Msiexec | Defense Evasion |
| T1529 – System Shutdown/Reboot | Impact |
| T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
| T1553.002 – Subvert Trust Controls: Code Signing | Defense Evasion |
| T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | Credential Access |
| T1573.002 – Encrypted Channel: Asymmetric Cryptography | Initial Access |