IcedID Banking Trojan Surges: The New Emotet?

A widespread email campaign using malicious Microsoft Excel attachments and Excel 4 macros is delivering IcedID at high volumes, suggesting it’s filling the Emotet void.

The banking trojan known as IcedID appears to be taking the place of the recently disrupted Emotet trojan, according to researchers.

IcedID (a.k.a. BokBot) bears similarities to Emotet: it is a modular malware that started life as a banking trojan used to steal financial information. Increasingly, though, it is being used as a dropper for other malware, researchers noted – also just like Emotet.

The malware has been circulating at increasing rates, thanks to a spate of email campaigns using Microsoft Excel spreadsheet file attachments, according to Ashwin Vamshi and Abhijit Mohanta, researchers with Uptycs.

In fact, in the first three months of the year, Uptycs’ telemetry flagged more than 15,000 HTTP requests from more than 4,000 malicious documents, the majority of which (93 percent) were Microsoft Excel spreadsheets using the extensions .XLS or .XLSM.

If opened, the documents ask targets to “enable content” to view the message. Enabling the content allows the embedded Excel 4 macro formulas to execute.

“.XLSM supports the embedding of Excel 4.0 macro formulas used in Excel spreadsheet cells,” according to an analysis published on Wednesday. “Attackers leverage this functionality to embed arbitrary commands, which usually download a malicious payload from the URL using the formulas in the document.” The URLs generally belong to legitimate but compromised websites, they added.

Looking deeper into the activity, the researchers found similarities across all of the attacks, suggesting a coordinated campaign. For instance, the documents were all given vanilla business-related names, such as “overdue,” “claim” or “complaint and compensation claim,” followed by a random series of numbers. And the HTTP requests all delivered a second-stage executable file (either an .EXE or .DLL file) disguised with a fake extension – either .DAT, .GIF or .JPG.

In reality, the files were either the IcedID or QakBot malware families.
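The extension-versus-content mismatch described above is something a proxy or sandbox can check directly: a response that claims to be a .DAT, .GIF or .JPG but begins with a DOS/PE header is a second-stage executable in disguise. The following is an added example (not code from Uptycs or Threatpost) that sniffs the first bytes of a downloaded object, compares them with the extension in the URL, and flags PE payloads served under non-executable names. The records, hostnames (`.invalid` TLD) and the minimal PE header are all constructed for the demonstration.

```python
"""Flag second-stage payloads whose URL extension disagrees with their content.

Added example: the records below are constructed, not real campaign data.
"""
import struct
from urllib.parse import urlparse

# Magic bytes for the image types the campaign impersonated (keyed by extension).
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}


def sniff(data: bytes) -> str:
    """Classify the leading bytes of a download: 'pe', 'mz-stub', 'gif', 'jpg' or 'other'."""
    if data.startswith(b"MZ"):
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        # An MZ header without a verifiable PE signature (truncated capture) is still notable.
        return "mz-stub"
    for kind, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return kind
    return "other"


def extension(url: str) -> str:
    """Lower-cased extension of the URL path, normalising 'jpeg' to 'jpg'; '' if none."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return "jpg" if ext == "jpeg" else ext


def flag_record(url: str, first_bytes: bytes):
    """Return a reason code when the content does not match the advertised extension."""
    ext, kind = extension(url), sniff(first_bytes)
    if kind in ("pe", "mz-stub") and ext not in ("exe", "dll"):
        return "pe-disguised"          # executable hidden behind a data/image extension
    if ext in IMAGE_MAGIC and kind != ext:
        return "type-mismatch"         # claims to be an image but the magic bytes disagree
    return None


def scan_records(records):
    """Run flag_record over (url, first_bytes) pairs; return [(url, reason)] for hits."""
    hits = []
    for url, first_bytes in records:
        reason = flag_record(url, first_bytes)
        if reason:
            hits.append((url, reason))
    return hits


def constructed_pe_header() -> bytes:
    """Smallest byte string that sniff() accepts as a PE: MZ stub, e_lfanew -> 'PE\\0\\0'."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


# Constructed sample of what a proxy log plus first-bytes capture might yield.
SAMPLE_RECORDS = [
    ("http://compromised-blog.invalid/wp-content/uploads/3421.dat", constructed_pe_header()),
    ("http://compromised-blog.invalid/images/logo.gif", b"GIF89a\x01\x00\x01\x00"),
    ("http://compromised-blog.invalid/img/57.jpg", constructed_pe_header()),
    ("http://updates.vendor.invalid/tool.exe", constructed_pe_header()),
    ("http://compromised-blog.invalid/img/banner.gif", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]

if __name__ == "__main__":
    for url, reason in scan_records(SAMPLE_RECORDS):
        print(f"{reason:14} {url}")
```

The .EXE download from the vendor host is deliberately left unflagged: the point of the check is the disguise, not executables as such, and a separate allow-list or reputation lookup is the right place to judge those.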

From a detection-evasion perspective, the macros also all used three techniques to stay hidden: “Upon investigation, we identified three interesting techniques used to hinder analysis,” the researchers noted. “Hiding macro formulas in three different sheets; masking the macro formula using a white font on white background; and shrinking the cell contents and making the original content invisible.”
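The three concealment techniques leave static artifacts in the document package itself, which a mail gateway or triage script can inspect without opening the file in Excel. The following is an added example (not code from Uptycs or Threatpost) that treats an .XLSM as the ZIP of XML parts it is, and reports the presence of Excel 4.0 macro sheets (`xl/macrosheets/`), sheets marked `hidden` or `veryHidden` in `xl/workbook.xml`, and white (`FFFFFF`) font colours in `xl/styles.xml`. The OOXML part names and attributes are standard; the sample workbook is constructed in memory for the demonstration and is not a real campaign document.

```python
"""Static triage of a macro-enabled Excel package for XLM concealment artifacts.

Added example. Assumes the standard OOXML layout: [Content_Types].xml,
xl/workbook.xml (sheet list and visibility), xl/macrosheets/ (Excel 4.0 macro
sheets) and xl/styles.xml (fonts). The sample built below is constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def scan_xlsm(data: bytes) -> dict:
    """Collect macro-sheet, hidden-sheet and white-font indicators from the package."""
    findings = {
        "macro_enabled": False,
        "macrosheets": [],
        "hidden_sheets": [],
        "very_hidden_sheets": [],
        "white_fonts": 0,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if "[Content_Types].xml" in names:
            findings["macro_enabled"] = b"macroEnabled" in zf.read("[Content_Types].xml")
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                if _local(el.tag) != "sheet":
                    continue
                state = el.get("state", "visible")
                if state == "hidden":
                    findings["hidden_sheets"].append(el.get("name", "?"))
                elif state == "veryHidden":   # only unhideable through VBA or the file itself
                    findings["very_hidden_sheets"].append(el.get("name", "?"))
        if "xl/styles.xml" in names:
            for font in ET.fromstring(zf.read("xl/styles.xml")).iter():
                if _local(font.tag) != "font":
                    continue
                for child in font:
                    if _local(child.tag) == "color" and child.get("rgb", "").upper().endswith("FFFFFF"):
                        findings["white_fonts"] += 1
    return findings


def suspicious(findings: dict) -> bool:
    """XLM macro sheets combined with any concealment indicator warrants a closer look."""
    concealed = findings["hidden_sheets"] or findings["very_hidden_sheets"] or findings["white_fonts"]
    return bool(findings["macrosheets"]) and bool(concealed)


def build_constructed_sample(with_macros: bool = True) -> bytes:
    """Build a minimal, constructed .xlsm-style ZIP; with_macros adds the XLM artifacts."""
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    if with_macros:
        sheets += ('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
                   '<sheet name="Macro2" sheetId="3" state="hidden" r:id="rId3"/>')
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/workbook.xml" '
            'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/></Types>'
        ),
        "xl/workbook.xml": f'<workbook xmlns="{ns}" xmlns:r="{rel}"><sheets>{sheets}</sheets></workbook>',
        "xl/styles.xml": (
            f'<styleSheet xmlns="{ns}"><fonts count="2"><font><sz val="11"/><color theme="1"/></font>'
            '<font><sz val="1"/><color rgb="FFFFFFFF"/></font></fonts></styleSheet>'
        ),
    }
    if with_macros:
        parts["xl/macrosheets/sheet1.xml"] = f'<macrosheet xmlns="{ns}"><sheetData/></macrosheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_xlsm(build_constructed_sample())
    print(result, "->", "SUSPICIOUS" if suspicious(result) else "ok")
```

The white-font count is an indicator rather than proof on its own (a white font on a coloured fill is ordinary formatting), which is why `suspicious()` requires the macro sheets to be present before the concealment signals count; legacy .XLS binaries store the same information in a different container and need an OLE2 parser instead.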

Will IcedID Replace Emotet?

Emotet, up until its disruption in January, was packaged into an average of 100,000 to a half-million emails sent per day – a volume that prompted Europol to call it the “world’s most dangerous malware.”

Emotet is often used as a first-stage loader, tasked with retrieving and installing secondary malware payloads, including Qakbot, the Ryuk ransomware and TrickBot. Its operators often rent its infrastructure to other cybercriminals in a malware-as-a-service (MaaS) model.

However, “Operation LadyBird,” a global takedown effort at the beginning of the year, disrupted hundreds of botnet servers supporting Emotet and eliminated active infections on more than 1 million endpoints worldwide. The malware hasn’t really seen a resurgence since then, leaving a void in the cybercrime market when it comes to initial-access options.

The volume of circulating IcedID samples led Uptycs researchers to believe that it’s a likely candidate to become the new Emotet.

“Based on this increasing trend, we believe that IcedID will emerge as an incarnation of Emotet after its disruption,” Vamshi and Mohanta noted. “IcedID has also been recently reported to deploy ransomware operations, moving towards a MaaS model to distribute malware.”

The good news is that companies have options to protect themselves against these well-known trojans.

“IcedID, Emotet, and many other malware strains share a few elements that make it easier to stop them from affecting an infrastructure,” Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. “They might be sophisticated in the way they hide in an office document, however, that is only the first step of the infection chain. IcedID is not different from others as it also attempts to download – to drop – additional components. For these first two steps, monitoring system integrity is key, control changes happening on any device.”
