IcedID – a new sophisticated banking Trojan: a technical analysis by Quick Heal Security Labs

Credit to Author: Bajrang Mane | Date: Wed, 29 Nov 2017 13:23:03 +0000

IcedID is a new player in the banking Trojan family. It has a modular architecture and is capable of stealing the user's banking credentials by performing a man-in-the-middle (MITM) attack. IcedID sets up a local proxy and redirects all Internet traffic through it. Additionally, it can download and execute components required for stealth.

Infection vector

Normally, IcedID spreads through spam email or is dropped by other malware families. In our analysis, we found the dropping family to be Emotet. In early 2017, Emotet was widely used to spread other banking Trojans such as Qakbot and Dridex. IcedID contains a network spreading module, which is rarely observed in other banking Trojans. Looking at the API sequence in IcedID, it has adopted techniques similar to those successfully used by malware such as Bad Rabbit and Petya/NotPetya.

Analysis of sample

On execution, the sample drops a copy of itself into the %LOCALAPPDATA% folder, with a random name in a randomly named folder. The names of the dropped file and folder are the same and contain 9 characters. The name of the dropped file is generated using the security identifier (SID) of the current user. Below is the code that generates the SID for the currently logged-on user.

Fig 1. Generating SID

The dropped file with a random name in a randomly named folder:

"%LOCALAPPDATA%\[a-z]{9}\[a-z]{9}.exe"

Example: "C:\Documents and Settings\Administrator\Local Settings\Application Data\homatluna\homatluna.exe"

It maintains persistence by creating a registry entry under "Run":

"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\homatluna"

Next, IcedID writes an RSA crypto-key to the system in the AppData folder. It then writes a certificate file to the %TEMP% folder.

Example: "C:\Documents and Settings\Administrator\Local Settings\Temp\137194B.tmp"

Network activity

It creates two socket connections: one for the local proxy and another to serve as a backdoor for CnC communication. In our analysis, the local proxy was bound to port 49158 and the backdoor was created on port 49161.

It creates a local proxy. Using certificates of different banks and a custom module, it implements its own SSL layer, and uses this to perform the MITM. IcedID can intercept all traffic and extract user credentials from it. Once the malware enters the system, it sends the bot ID and basic system information to the CnC server through a POST request, as seen in Fig 1 and Fig 2.

Fig 2. Code to get basic system information

Fig 3. Post basic system info

Following are the decoded fields of the POST request that is sent:

K – System Name
B – BOT ID
L – Work Group
M – OS Version

IcedID's communication with the CnC takes place over encrypted SSL, with a certificate chosen by the malware itself from the certificate store. The temp file dropped by the malware is used to store the certificate. The code below is used for certificate enumeration.

Fig 4. Code to enumerate certificates

Fig 5. Certificate stored in the tmp file

Spreading in the network

IcedID differs from other banking Trojans in that it can spread within the network. It first finds live systems on the local network and copies itself onto each new system.

Fig 6. Connects to other machines

Fig 7. Drop a copy on the other system on the network

Indicators of compromise

csuwbru[.]net
comeontrk[.]com
medicalciferol[.]com
38921f28bb74fea2cab6e70039ee65f3
d982c6de627441765c89da5cfeb04d6f
82d6e69df2277073d4aaacd6994ee033

Quick Heal successfully detects IcedID as Trojan.IcedID. The malware's spreading behavior makes it more aggressive than previously seen banking Trojans.

Prevention tips

Install an antivirus and keep it updated.
Keep your operating system and software up-to-date.
Do not click on links or download attachments from unknown, unexpected or unwanted sources.
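As an added defender-side example (not code from the Quick Heal analysis), the following Python checks Run-key values and file paths against the dropped-file shape described in the analysis: a 9-letter lowercase folder under the local AppData directory containing an identically named .exe. The sample Run-key contents are constructed here for illustration.

```python
import re
from typing import Dict, List

# Shape of the dropped file from the analysis: %LOCALAPPDATA%\[a-z]{9}\[a-z]{9}.exe,
# with folder and file names identical (e.g. homatluna\homatluna.exe).
# Both the XP-era and the Vista+ expansion of %LOCALAPPDATA% are accepted.
DROPPER_PATH_RE = re.compile(
    r"^(?:%LOCALAPPDATA%"
    r"|.*\\Local Settings\\Application Data"
    r"|.*\\AppData\\Local)"
    r"\\(?P<folder>[a-z]{9})\\(?P<stem>[a-z]{9})\.exe$",
    re.IGNORECASE,  # path prefixes are case-insensitive; the name itself is checked below
)


def matches_dropper_pattern(path: str) -> bool:
    """True when a path has the IcedID dropped-file shape described in the analysis."""
    m = DROPPER_PATH_RE.match(path.strip().strip('"'))
    if not m:
        return False
    folder, stem = m.group("folder"), m.group("stem")
    # Same 9-letter lowercase name for folder and file, as in the observed sample.
    return folder == stem and folder.islower()


def scan_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return the names of Run values whose data matches the dropped-file pattern.

    run_values maps a Run value name to its data (the command line it launches).
    """
    return [name for name, data in run_values.items() if matches_dropper_pattern(data)]


# Constructed sample Run-key contents (illustration only, not a real capture).
SAMPLE_RUN_VALUES = {
    "homatluna": r"C:\Documents and Settings\Administrator\Local Settings"
                 r"\Application Data\homatluna\homatluna.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "updater": r"C:\Users\alice\AppData\Local\abcdefghi\abcdefghij.exe",  # 9 vs 10 letters
}

if __name__ == "__main__":
    for name in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value: {name} -> {SAMPLE_RUN_VALUES[name]}")
```

The folder/file name equality is the strongest signal here; a 9-letter folder alone (such as "Microsoft") is common and is deliberately not flagged on its own.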
Subject Matter Experts: Piyush Bansal | Ghanshyam More, Quick Heal Security Labs