IcedID Banker is Back, Adding Steganography, COVID-19 Theme

icedid new variant banking trojan

The malware has boosted its anti-detection capabilities in a new email campaign.

A new version of the IcedID banking trojan has debuted that notably embraces steganography – the practice of hiding code within images – in order to stealthily infect victims. It has also changed up its process for eavesdropping on victims’ web activity.

Researchers at Juniper Threat Labs have uncovered an email spam campaign circulating in the United States spreading the malware. The messages use the COVID-19 pandemic and the Family and Medical Leave Act (FMLA) as their theme, including using related keywords in email sender names and attachment names.

The attachments are boobytrapped with malicious macros that, if opened, execute the IcedID banking trojan, which has been around since 2017. IcedID specializes in mounting man-in-the-browser attacks to intercept and steal financial information from victims. In the latest campaign, it harvests credentials and payment-card data from Amazon.com, American Express, AT&T, Bank of America, Capital One, Chase, Discover, eBay, E-Trade, J.P. Morgan, Charles Schwab, T-Mobile, USAA, Verizon Wireless, Wells Fargo and others.

This latest variant changes up its infection tactics by injecting into msiexec.exe to insert itself into browser traffic, and using full steganography for downloading its modules and configurations, researchers said.

“Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as .DAT files,” according to a Thursday posting.

Steganography at Work

When a user opens the malicious document, it drops a first-stage binary, which in turn fetches a second-stage loader. This second loader’s purpose is to download yet another loader, which retrieves another, third-stage piece of code

“[The second-stage loader] first unpacks itself by reading a binary file embedded in its resource, decrypting it and executing in memory. It will then loop on [several] domains, using WinHTTP queries,” according to the analysis. “All of the…queries are normal, except for connuwedro[.]xyz. It does this to evade detection by trying to blend to normal traffic.”

The queries look for a specific response from connuwedro[.]xyz that contains a .PNG image file with the tag “IDAT.” The loader then decrypts this .PNG file using the RC4 algorithm and executes the binary that’s embedded within it.

The binary –a third-stage loader that finally installs IcedID on the target machine – is saved in the %APPDATA% folder and, for persistence, it creates a scheduled task that will execute every hour.

“Similar to the second stage, it applies the same technique of unpacking itself and using steganography,” according to Juniper. “It unpacks an embedded binary in its resource and executes it. Once unpacked, it will download the IcedID main module as a .PNG file.”

The image is saved in a directory, embedded with the encrypted IcedID main module. The image features some tricks to thwart analysis, Juniper noted.

“The encryption algorithm is RC4 and the keys are also embedded in the image at specific offset,” according to the post. “The decrypted code is not a complete PE image, as it does not contain any header. Most of its strings are also encrypted, which makes analysis even harder.”

Injecting into Msiexec.exe

The main module first spawns a suspended process using msiexec.exe – MSI is a legitimate installer package file format used by Windows to deploy applications. Then, IcedID issues a series of API calls to inject itself into that remote process.

“Using msiexec.exe /i {random name}.msi is a simple technique to try to conceal itself and look like a normal installation of an MSI application,” said the researchers.

The IcedID main module code injected into the msiexec.exe process then beacons out to a command-and-control (C2) server and awaits commands, which include downloading configuration updates, executing additional code and files, uploading files, collecting system information – and, most importantly – extracting passwords stored in browsers and mail applications.

Then, it monitors for users getting online – specifically opening the Firefox, Chrome or Internet Explorer. If the victim opens a browser window, IcedID creates a local proxy that listens on 127.0.0.1:56654; hooks APIs on the browsers; and generates a self-signed certificate in the %TEMP% folder.

“With these three things, all connections to the browser are proxied to msiexec.exe and it achieves full control of the browser,” explained the researchers. “It will monitor browser activity related to financial transactions and inject forms on the fly to try to steal credit-card details.”

In all, the latest version of IcedID exhibits several layers of sophistication, according to the analysis, including the use of msiexec, full steganography, and the approach of using blended communication with normal traffic to hide. This, combined with the use of HTTPS communication and string encryption, shows that the malware’s authors were mainly interested in bolstering the malware’s anti-detection capabilities in this version, researchers said.

“IcedID is a very complex malware and there is no doubt the threat actors behind this are very much capable, with constant updates to their arsenal,” Juniper researchers concluded. “In summary, this latest IcedID campaign focused on evasion.”

Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about itPlease register here for this Threatpost webinar.

Suggested articles