Page 1: IcedID Banking Trojan Sample Technical Analysis and Solutionblog.nsfocusglobal.com/wp-content/uploads/2017/12/IcedID-Banking... · According to X-Force researchers, IcedID spreads

IcedID Banking Trojan Sample

Technical Analysis and Solution

Date of Release: November 17, 2017

Overview

Recently, the IBM X-Force research team discovered a brand new banking Trojan dubbed IcedID. This Trojan was first found spreading in the wild in September 2017, mainly targeting systems used in the US financial sector. According to X-Force research, this Trojan contains a malicious code module that provides most of the functions that current banking Trojans such as Zeus have. Currently, this Trojan mainly targets banks, payment card providers, mobile phone service providers, webmail, e-commerce websites, and the like in the US, as well as two major banks in the UK.

Background

On November 14, 2017, researchers discovered that a banking Trojan named IcedID was spreading with the aid of the Emotet Trojan, mainly targeting banks and other financial institutions in the US. Specifically, when an infected user accesses the website of a specific financial institution, the Trojan steals the user's bank account password and other sensitive information by redirecting him or her to a phishing web page.

Propagation and Infection

According to X-Force researchers, IcedID spreads with the help of the Emotet Trojan rather than by exploiting vulnerabilities. In other words, Emotet downloads IcedID as a new payload onto a victim host. Emotet itself spreads largely through phishing emails; once it has infected a host and installed itself silently, it downloads further malware.

In addition to common Trojan functions, IcedID is also able to spread itself across networks. It monitors the victim's online activities by setting up a local proxy. Its attack methods include web injections and sophisticated redirections similar to the scheme used by Dridex and TrickBot.

Attack Process

Machine Analysis

NSFOCUS Threat Analysis Center (TAC) detected this malware and provided the following analysis results:

High-Level Analysis

Execution Process

The execution flowchart shows the following steps:

1. Start to run
2. Inject malicious code into a process
3. Execute payload
4. Communicate with the C&C server via HTTPS
5. Upload information about the new bot
6. Add a key to the registry to launch upon system startup
7. Reproduce itself in the temporary directory
8. Set up a proxy to listen on port 49157
9. Monitor traffic and launch injection and redirection attacks
10. Create a .tmp file in the /Temp directory to record the website certificate
11. Scan for email messages and other sensitive data

Sample Information

MD5 Value                           Sample Size
38921f28bb********b6e70039ee65f3    365 KB
6899d3b514********635d78357c087e    228 KB
d982c6de62********89da5cfeb04d6f    365 KB
de4ef2e2********29891b45c1e3fbfd    427 KB

Technical Analysis

Once run, this sample copies itself to the following path:

C:\Users\{UserName}\AppData\Local\cantimeam

It also creates a Run key in the registry to make sure that it is launched upon system startup.

The sample sets up a proxy listening on port 49157 to monitor all traffic of the host. Once the user attempts to access a targeted website, the sample redirects him or her to a malicious website and steals sensitive information from the victim. For example, when a user submits a request to a bank website, the sample brings him or her to a forged website and steals the victim's account information.

After successfully infecting the host, the malware posts information about the new bot to the server. In the following bot registration request, parameter b is a unique bot ID generated from information about the victim host:

/forum/viewtopic.php?a=0&b=29E5E0E72ADA89399B&d=0&e=42&f=2299390443&g=1796157635&h=1710622345&r=2503557760&i=10495
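Because the request path and its nine parameter names are fixed while the C&C host changes, the request shape itself is a usable proxy-log signature. The following PowerShell is an added example (not from the NSFOCUS report); the log line format (timestamp, client, method, URL) and the benign lines are constructed for this example, and Test-IcedIdBeacon is a hypothetical helper name.

```powershell
# Added example, not part of the NSFOCUS advisory: flag web-proxy log lines
# whose URL has the shape of the IcedID new-bot registration request above.
$expectedKeys = 'a','b','d','e','f','g','h','r','i'   # parameters seen in the request

function Test-IcedIdBeacon {
    param([string]$Url)
    $uri = [uri]$Url
    # Path is fixed in the sample; the host is whichever C&C domain is in use.
    if ($uri.AbsolutePath -ne '/forum/viewtopic.php') { return $null }

    # Parse the query string by hand so this runs on Windows PowerShell 5.1 too.
    $params = @{}
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $k, $v = $pair -split '=', 2
        if ($k) { $params[$k] = $v }
    }

    # Exactly the nine expected parameters, and b looks like a hex bot ID.
    # (A phpBB-style viewtopic.php?f=..&t=.. URL fails this and is not flagged.)
    $keys = @($params.Keys | Sort-Object) -join ','
    if ($keys -ne (($expectedKeys | Sort-Object) -join ',')) { return $null }
    if ($params['b'] -notmatch '^[0-9A-F]{16,}$') { return $null }   # -match is case-insensitive

    [pscustomobject]@{ BotId = $params['b']; CandC = $uri.Host }
}

# Constructed sample log: one beacon (using a C&C domain from the IOC list) and
# two benign requests, one of them a legitimate-looking forum URL.
$sampleLog = @(
    '2017-11-15T10:01:02Z 10.0.0.5 GET https://nobleduty.com/forum/viewtopic.php?a=0&b=29E5E0E72ADA89399B&d=0&e=42&f=2299390443&g=1796157635&h=1710622345&r=2503557760&i=10495',
    '2017-11-15T10:01:07Z 10.0.0.7 GET https://forum.example.org/forum/viewtopic.php?f=12&t=345',
    '2017-11-15T10:02:11Z 10.0.0.9 GET https://www.example.com/index.html'
)

foreach ($line in $sampleLog) {
    $time, $client, $method, $url = $line -split ' ', 4
    $hit = Test-IcedIdBeacon -Url $url
    if ($hit) {
        '{0} client {1}: possible IcedID bot registration, bot ID {2}, C&C host {3}' -f $time, $client, $hit.BotId, $hit.CandC
    }
}
```

Only the first line is reported; the bot ID it extracts (29E5E0E72ADA89399B) is the value to pivot on when correlating with the host-side artifacts described below.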

All communication between the sample and the C&C server is secured with HTTPS. The sample uses a self-signed certificate as the HTTPS root certificate and issues the victim a sub-certificate that is maliciously crafted for the intended website.

The sample creates the file 2ADA8939.tmp under the system's temporary directory C:\Users\{UserName}\AppData\Local\Temp, which makes it possible to obtain sensitive information undetected via the proxy port, even when the user accesses an HTTPS website.

After comparing the sample code with the disclosed Pony sample code, we find that the sensitive-information-stealing code was reused in both samples. The following figures show the sample's code for stealing information from each of these mail clients:

Outlook

Windows Live Mail

IncrediMail

BatMail

Becky

PocoMail

IOC

C&C Domain Names

nejokexulag.example.com
nobleduty.com
tradequel.net
youaboard.com
ztekbowrev.com

IP Address Location

IP address: 185.127.26.227
Country code: RUS/RU
Country: Russian Federation
Latitude: 55.73860168457
Longitude: 37.606800079346

Suggestions

Secure Operations

1. Do not download and install software before ascertaining that it is safe.
2. Do not click on links/URLs included in suspicious emails.
3. Install antivirus software and keep it up to date.

Check and Countermeasures

1. Search the registry for the following key and delete it if found:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cantimeam

2. Delete the following directory, including all executables under it:

C:\Users\{UserName}\AppData\Local\cantimeam
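A read-only triage script for the artifacts named in this advisory (the Run value, the drop directory, the .tmp file and the port 49157 listener), as an added PowerShell example that is not part of the NSFOCUS report. It assumes it is run in the context of the affected user, uses the Get-NetTCPConnection cmdlet available on Windows 8/Server 2012 and later, and Get-IcedIdFindings is a hypothetical helper name.

```powershell
# Added example, not part of the NSFOCUS advisory: read-only check for the
# IcedID host artifacts described in this report. Nothing is deleted here;
# removal follows the two steps above once a finding is confirmed.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'cantimeam'                               # Run value named in the advisory
$dropDir   = Join-Path $env:LOCALAPPDATA 'cantimeam'   # C:\Users\<user>\AppData\Local\cantimeam
$tmpFile   = Join-Path $env:TEMP '2ADA8939.tmp'        # certificate record file named in the advisory
$proxyPort = 49157                                     # local proxy port named in the advisory

function Get-IcedIdFindings {
    $findings = @()

    # 1. Persistence: a Run value named cantimeam (the key in countermeasure step 1)
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties.Name -contains $valueName) {
        $findings += "Run value '$valueName' -> $($run.$valueName)"
    }

    # 2. Dropped copy under %LOCALAPPDATA%\cantimeam (the directory in step 2)
    if (Test-Path -LiteralPath $dropDir) {
        $files = @(Get-ChildItem -LiteralPath $dropDir -File -ErrorAction SilentlyContinue)
        $findings += "Directory '$dropDir' exists ($($files.Count) file(s))"
    }

    # 3. The .tmp file the sample uses to record intercepted website certificates
    if (Test-Path -LiteralPath $tmpFile) {
        $findings += "Certificate record file '$tmpFile' exists"
    }

    # 4. Local proxy listening on TCP 49157; report the owning process and its image
    $listeners = @(Get-NetTCPConnection -LocalPort $proxyPort -State Listen -ErrorAction SilentlyContinue)
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP $proxyPort listening, PID $($l.OwningProcess) ($($proc.ProcessName)) path $($proc.Path)"
    }

    return $findings
}

$results = @(Get-IcedIdFindings)
if ($results.Count -eq 0) {
    'No IcedID artifacts from this advisory found.'
} else {
    $results | ForEach-Object { "FINDING: $_" }
    exit 1   # non-zero so a scheduled sweep or EDR job can act on it
}
```

A listener on 49157 whose owning image lives under the cantimeam directory is the strongest single indicator here; the other checks confirm persistence and the certificate-recording behaviour.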

Ongoing Security Monitoring and Protection

NSFOCUS's ongoing security monitoring and protection solution provides a dynamic protection system in which NSFOCUS TAC, which detects known and unknown threats, collaborates with the on-premises NSFOCUS Network Intrusion Prevention System (NIPS). In addition, NSFOCUS's professional emergency response team, together with regional service teams that offer onsite response and threat handling, provides rapid onsite troubleshooting, problem handling, and security enhancement for customers across the country.

Figure (solution workflow): threat entering the network; query threats; block known threats; push threat intelligence; report security events; block the reverse connection of the C&C server; make in-depth analysis of unknown malicious files; remove malware; visualize; management platform.

Note: For details on the threat analysis capability of TAC, see Machine Analysis.

Comparison Among Malware Families

Detection and Protection Methods

NSFOCUS Detection Services

NSFOCUS engineers provide onsite detection services.

NSFOCUS online cloud detection (https://poma.nsfocus.com/): you can log in to NSFOCUS Cloud to apply for a trial of the scanning service.

NSFOCUS Solutions for Removing Trojans

Short-term service: NSFOCUS engineers provide the onsite Trojan/backdoor removal service (manual services + NIPS + TAC) to ensure that the risk is immediately eliminated from the network and the impact of the infection is minimized. Afterwards, an event analysis report is provided for follow-up and further details.

Mid-term service: NSFOCUS provides a 3- to 6-month risk monitoring service and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to eradicate risks and prevent events from recurring.

Long-term service: NSFOCUS provides total solutions for the finance industry (threat intelligence, attribution service, and professional security services).

Conclusion

IcedID is a newly discovered cybercrime threat specializing in the financial sector. Though the malware's future trend remains uncertain, its capabilities, propagation method, and targets reveal that behind the threat is a group that is not totally unfamiliar to us.

Appendix

Indicators of Compromise

Key           Value
Domain Name   nejokexulag.example.com
              nobleduty.com
              tradequel.net
              youaboard.com
              ztekbowrev.com
Port          443
Protocol      SSL/TLS
IP Address    185.127.26.227

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

============

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company's Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit: http://www.nsfocusglobal.com

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.

Follow us on twitter for the latest cyber security updates: https://twitter.com/NSFOCUS_Intl?lang=en