Join our webinar hosted by Cyberint's CEO

Financial Services

IcedID Stealer Man-in-the-browser Banking Trojan

Executive Summary

IcedID stealer (Also known as BokBot) was first discovered at the end of 2017, believed to be a resurgence of the NeverQuest banking Trojan. It is a modular banking trojan that uses man-in-the-browser (MitB) attacks to steal banking credentials, payment card information and other financial data.

The stealer possesses relatively sophisticated functionality and capabilities such as web injects, a large remote access trojan (RAT) arsenal and a VNC module for remote control. Additionally, the use of steganography to hide configuration data along with anti-VM detection and anti-debugging techniques complicate detection and analysis.

IcedID’s typical range of targets includes the customers of banks and telecommunications organizations worldwide leading to impacts including brand abuse, funds theft and customer data breaches.

Cyberint have recently observed an ongoing campaign targeting users in the APAC region with an apparent focus on the Philippines and Japan.

The IcedID stealer is traditionally delivered by a malspam lure, with Microsoft Word attachments weaponized with malicious Macros, based on Emotet.

While the majority of recently detected lure documents were written in English and targeted a wide range of users, localized campaigns have also been reported. One such recent example targeted users located in Japan with lure documents in Japanese, likely indicating that the threat actor behind this threat is relatively sophisticated and may focus on specific geographies as potential targets, adjusting their arsenal accordingly.

Whilst it is not possible to attribute IcedID to a specific group, past indications suggest a potential link to the following threat actors:

  • Lunar Spider
  • TA2101

Delivery

As a generic malspam campaign that utilizes Emotet as the delivery mechanism, the lures are comprised from a generic subject (quotation/request/Document/report) being sent to the targeted user.

The email contains an attached ZIP folder protected by a password provided within the email body. At the next stage, once the user extracts the document file from the ZIP folder, they will be requested to ‘Enable Content’ (Figure 1) within Microsoft Word, leading to malicious Macro code being executed whilst decoy content (Figure 2) is displayed.

IcedID Stealer Man-in-the-browser Banking Trojan_1

Figure 1 – Prompt to relax security controls

IcedID Stealer Man-in-the-browser Banking Trojan_2

Figure 2 – Decoy document content

IcedID Stealer Man-in-the-browser Banking Trojan_3 Document metadata detected as Russian

IcedID Stealer Man-in-the-browser Banking Trojan_4

Threat actor email address, used for the file creation

Once executed, the macro will write a variety of files to the drive, used for the download and decryption of the latest IcedID trojan, including an up-to-date configuration file containing a list of target bank and telecommunication organizations. In some cases, this was observed as a DLL file, where in others it was a steganographically obfuscated PNG file (Figure 3).

IcedID Stealer Man-in-the-browser Banking Trojan_5

Figure 3 – PNG Configuration Payload

Although surfaced in 2017, many iterations of this trojan have been well-investigated by numerous security researchers globally, but for the past year (circa January 2020), several new techniques were added in order to detect and evade sandboxes, and to generally hide the execution process taking place.

It was also noticed that the malware creates a new folder with a random name, where it saves a downloaded configuration in encrypted form (Figure 4).

IcedID Stealer Man-in-the-browser Banking Trojan_a

Figure 4 – Download directory

Inside the %TEMP% folder, it drops some non-malicious helper elements: sqlite32.dll (that will be used for reading SQLite browser databases found in web browsers), and a certificate that will be used for intercepting traffic (Figure 5).

IcedID Stealer Man-in-the-browser Banking Trojan_b_

Figure 5 – Temp directory

Infection

Once infected, the IcedID trojan, known as a banking Trojan, steals data related to banking transactions by injecting implants into browsers, API hooks and a ‘Man-in-the-Browser’ (MitB)[1] attack to manipulate visited webpages.

As observed (Figure 6) in the memory of an infected host, the svchost process contains strings that reveal the configuration of these ‘web-injects’, that being modular HTML and JavaScript code elements that are injected into the webpage of a targeted brand to steal data.

IcedID Stealer Man-in-the-browser Banking Trojan_c

Figure 6 – Web-inject strings found in memoryIcedID Stealer Man-in-the-browser Banking Trojan_d

Figure 7 – Mozilla Firefox Web-inject

IcedID Stealer Man-in-the-browser Banking Trojan_8

Figure 8 – Injected code snippet executed on the client side (Example code available via GitHub[2])

The core bot that runs inside the memory of the svchost process observes other processes running on the system and injects implants into browsers, for example as seen in Mozilla Firefox (Figure 7).

The IcedID module running inside the browser’s memory is responsible for applying the web-injects and installing malicious JavaScript into targeted webpages causing them to be executed on the client side (Figure 8).

C2

The hooked scripts, loaded from modified browser DLLs, communicate with the main bot process residing inside the svchost process. The main bot coordinates the work of all the injected components and exfiltrates stolen data to the C2 server.

In order to properly hide and encrypt its communication processes, all C2 communications are made over HTTPS using the trojan’s own certificate (Figure 9).

Recommendations

  • Notify customer care of the ongoing threat in case of funds loss.
  • Cyberint recommends that customers educate their end-users and always check for unusual browser behaviors that may lead to account compromise or funds theft.
  • Phishing awareness to the end-users is advised.
  • Usage of a modern, updated AV solution is advised.
  • MFA should be enabled on all of the end-user accounts.

Indicators Of Compromise

Targeted Brands/Organizations

Based on strings extracted from IcedID samples, the following brands and/or organizations appear to be targeted:

  • Amazon.com
  • American Express
  • AT&T
  • Bank Of America
  • Capital One
  • Chase
  • CIBC
  • Comeriсa
  • Dell
  • Discover
  • Dollar Bank
  • eBay
  • Erie Bank
  • E-Trade
  • Frost Bank
  • Halifax UK
  • Hancock Bank
  • Huntington Bank
  • J.P. Morgan
  • Lloyds Bank
  • M&T bank
  • Centennial Bank
  • PNC
  • RBC
  • Charles Schwab
  • SunTrust Bank
  • Synovus
  • T-Mobile
  • Union Bank
  • USAA
  • US Bank
  • Verizon Wireless
  • Wells Fargo

IcedID Samples

The following SHA256 hashes relate to recently observed IcedID malware samples:

  • 00ec5cc40b91832adc257b43cb28f2fe0734c6e1761ae5020bd8178116ed005c
  • 02c2cace0eab2cb902cf567be3524616db1747abd79c3417d3762452c604ab85
  • 08cc79fac123eefee7e05e3568a0aa6d219e43d22b0679ea5d7a3ffaf4337403
  • 08d1f171b424a35c7aeebb55da2077078f62fae847616a4f8c80f3e3e11d6573
  • 10164d00c17bacb88eca79a8a836176ac49bfb7547ed90efcb86d19cdfda9dcb
  • 12b73194a373f12d89a83152bd56ee02054dd20030cb6b421b7e79e70e1d2484
  • 17f2d25fcba0ad909c0561179407b4bb37917b643b2c181dcdcb4c3cec743a5c
  • 213347251fc9f4b6812547ecfef2b3783789067ccffee1521eb88c36003a742e
  • 36d5d2317b7172e45229c24b2870bd827a8bdc7204fe2cd70aedb74c81e75126
  • 3df7246090c8b2a9c9d19d68ca4bd2908247494a8badea39c00e3f20d60dfcae
  • 3eace4aacf5dc5dc624ab72cf84b7c0f476ee0ff0de267d0976e25d2eee9f5d9
  • 3f1b388938f1e6c6920e54639b8a3dafa9e381f3ef45e855123941e83bad64c7
  • 3f8bc3cde5654bd8ac467a2efd1f926808c5915a6fd3e3f1d32edd13eaf3f1b1
  • 4e7b3116a6589afe645b3e42e0ee9d0fa9c41c7847bca52e1be85ccd1058556b
  • 550e7c5e79a0455d26f02e84921b7c40645d0b361c1e09e1b00bc79a930b2e85
  • 56de520fa4445ccabe60373b039299f5709f291ff594482c92670d1eb8b911f6
  • 6297e0fa6229c7f329f66227656bbf99d1329aaa48341c2f750c78f1937ac952
  • 65ca5c2ea9b9eb4d10ab9d91e3928bdff5f27883a5a4c85a4e0871b56ab3533f
  • 6a6243c111cbf9a94177835ab02a8378497ed18b5ba1d6fdceb03e9410e08cec
  • 6bae8f2c4c1b730825cc5e9ce7bae35039eb08833b7310bf4f444d2524b1601f
  • 6df240658329d6c21a7d6669c47ad824cb0d8af76cca197da2d919f27fc4b70e
  • 6eb53a11d07dd708ecb63b036145e7e942a61eb693cc3353c612569121b4a110
  • 732a12f4a7b85176abfc17c142e83761d7a957672852af0d9069a9bc47defeb1
  • 75509601134e810e7ae3dc36e8b9abff1025c0a0dada3b21ead7e24fd5f3ce2c
  • 79957427faa2eed376f597aba9eb43fe9789e715833026fefd50458c73ee32b4
  • 7a1a59257242c047bb2864abb448e00cfc8b2d281faab4bbfd3ce790c9c27400
  • 7a371fcda4e07d7d7e516eed24c84908a601041bc00bb8736680d0b2349e3dec
  • 7d6cdbaac836d0c95876c7c669687c933d3097477680864d9d4d6b7fb0c08345
  • 7df70a77a6d20050c3d38bc30a2ccfeef4523f811c128717dbfd82325b50bbc8
  • 7f19267b62de5efe0bbcd716c9f481e108fb60f4d35435595ae27489d08f7e0d
  • 7fde0ff1061d3d15fe584f6ea186e1a23b9ce07123ff9dd70f71fcb51c099369
  • 8be1e875a92483a1301d9144b5cd8897951ccb3ca811c99f10e51fff67552166
  • 8c7dc92c6019d80364cda2d6ce19b157ac77b013731415d825b1a30f93c6d56d
  • 9bb46cd5d1047a3694b3a3862c7ec16d0c3e7838d91c1361760f92958897be5c
  • a4f88c40f615a527c16159d41c2798ff452c17a394e96d3b028516c46f88462f
  • a7d8b3ab991c3be2e0f60fd748be9b55072f65b4cc0a36dc0d3c470ac3ea33b2
  • b559a7560009ca33ad205d32122cb67538dd392ea4a4f5feffa521288810e5bd
  • b8a1f0962411b5e5b5bc5e2c77b56c5a2f0fdfc5fe3c3a5857466fbfe9ac66bd
  • b9d50f2ddfaa200c7c4695a9eb59c81347b52d53383534997c8b318b75be07d1
  • ba92631f803bed252ce1839612315ab40653b2eff3e5f12edc38e4a66e004ccb
  • baf2c1ade873167029a7ebc83ba56dca256ca91bd527a451ddde2efa3e3b6ddb
  • c6019a1c6d66bc6aae0b6c1502ff241dd9cd00b60ef5e45b2dbd38571f40fb1f
  • c6ea88ec4f01251649010e4a364374c90fc9f5bb6c22f1368ee5f222ea5e9b60
  • c7bb632d52a485b9a2be160b2f8fa29abb3cd840ef0e7747f5d509846dcbf38b
  • ca6738bd50f5eb9a4559f58d5c5ee6e8045a30fd306c110d760dcc325c9aacff
  • cab24ced596b142b9bb38e691addea16c72b40d4b5f96865a25052ff11aeb6e0
  • cdba1a0f75ecbeda42243f44cd8ac9b9fcd90e9213d8b4f8280e90b956635030
  • ce36a13c5f837b9a1658ea5d77f1114b16ce4dada582e47d646321e5dd7cb0c1
  • d35d93cbf992171905ec9c00f6c821850d3d1335c591df86f2dd3966d25f8ba0
  • d5baabfe5ca28dd041bea2504807dbcdb1ff91b5c8f7e74c16e56f5b810ea3b5
  • d9c7e8813b3d6c361e655a90c76b713bc90865819394df52e38e6012e48836b8
  • e77c51ee76cde36adf1ad4a2461a3d29e6964aa13fde870c4e6fad041cebbec8
  • eb1c15124298fa388784f270ceb0e6176dac3e65ad81f2e6951b1c4ce9381ea3
  • f540a652469981b7a0ba4337c228712888e1d9cf75a00ce17c3fd3775c9b2781
  • f6cba12a315620b39f172e496ade5dd6048cc09a6e454f9209284c73ffd055e2
  • f8ed31cb2708b5230a3ce326153dbe0a1821161ef5e8b4d9e4df1edcd536db3e
  • fc9565534d447bb7d5498aec1dcf1e0b933a7a717c159690529ba3b5ad7c9922

Command & Control Infrastructure

The following command and control (C2) IP addresses have recently been observed as IcedID infrastructure:

  • 149.154.64.179
  • 178.250.156.74
  • 178.250.157.144
  • 185.219.43.85
  • 185.98.87.6
  • 193.109.79.219
  • 193.201.126.18
  • 194.61.2.224
  • 45.12.4.206
  • 45.128.206.80
  • 45.129.237.168
  • 45.150.64.102
  • 45.150.64.57
  • 45.8.124.36
  • 45.89.67.169
  • 5.253.61.235
  • 62.109.14.179
  • 80.85.158.53
  • 83.166.242.27
  • 93.189.41.223

References

[1] https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/ 

MITRE ATT&CK

The following techniques have been observed in recent IcedID campaigns:

 Technique  Tactic
T1027 – Obfuscated Files or Information Defense Evasion
T1027.002 – Software Packing Defense Evasion
T1027.003 – Steganography Defense Evasion
T1047 – Windows Management Instrumentation Execution
T1053.005 – Scheduled Task/Job: Scheduled Task Execution, Persistence, Privilege Escalation
T1059.005 – Command and Scripting Interpreter: Visual Basic Execution
T1069 – Permission Groups Discovery Discovery
T1071.001 – Application Layer Protocol: Web Protocols Command & Control
T1082 – System Information Discovery Discovery
T1087.002 – Account Discovery: Domain Account Discovery
T1105 – Ingress Tool Transfer Command & Control
T1106 – Native API Execution
T1137.001 – Office Application Startup: Office Template Macros Persistence
T1185 – Man in the Browser Collection
T1204.002 – User Execution: Malicious File Execution
T1218.007 – Signed Binary Proxy Execution: Msiexec Defense Evasion
T1529 – System Shutdown/Reboot Impact
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Persistence, Privilege Escalation
T1553.002 – Subvert Trust Controls: Code Signing Defense Evasion
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers Credential Access
T1573.002 – Encrypted Channel: Asymmetric Cryptography Initial Access

Uncover your compromised credentials from the deep and dark web.

Fill in your business email to start.