IcedID Banking Trojan Sample
Technical Analysis and Solution
Date of Release: November 17, 2017
Overview
Recently, the IBM X-Force research team discovered a new banking Trojan
dubbed IcedID. It was first found spreading in the wild in September 2017,
mainly targeting systems used in the US financial sector. According to X-Force,
the Trojan contains a malicious code module that provides most of the
capabilities of current banking Trojans such as Zeus.
Currently, this Trojan targets mainly banks, payment card providers,
mobile phone service providers, webmail, e-commerce websites, and the like in
the US, as well as two major banks in the UK.
Background
On November 14, 2017, researchers discovered that a banking Trojan
named IcedID was spreading with the aid of the Emotet Trojan, mainly targeting
banks and other financial institutions in the US. Specifically, when an infected
user accesses the website of a targeted financial institution, this Trojan
steals the user's bank account password and other sensitive information by
redirecting him or her to a phishing web page.
Propagation and Infection
According to X-Force researchers, IcedID spreads with the help of the
Emotet Trojan rather than by exploiting vulnerabilities: Emotet downloads
IcedID as an additional payload onto a host it has already infected. Emotet
itself spreads largely through phishing emails and, once silently installed on
a host, downloads further malware.
In addition to common Trojan functions, IcedID is also able to spread itself
across networks. It monitors the victim's online activity by setting up a local
proxy. Its attack techniques include web injection and sophisticated
redirection, similar to the schemes used by Dridex and TrickBot.
Attack Process
Machine Analysis
NSFOCUS Threat Analysis Center (TAC) detected this malware and
provided the following analysis results:
High-Level Analysis
Execution Process
1. Start to run
2. Inject malicious code into a process
3. Execute payload
4. Communicate with the C&C server via HTTPS
5. Upload information of the new bot
6. Add a key to the registry to launch upon system startup
7. Reproduce itself in the temporary directory
8. Set up a proxy to listen on port 49157
9. Monitor traffic and launch injection and redirection attacks
10. Create a .tmp file in the /Temp directory to record the website certificate
11. Scan for email messages and other sensitive data
Sample Information
MD5 Value                          Sample Size
38921f28bb********b6e70039ee65f3   365 KB
6899d3b514********635d78357c087e   228 KB
d982c6de62********89da5cfeb04d6f   365 KB
de4ef2e2********29891b45c1e3fbfd   427 KB
Technical Analysis
This sample, once run, copies itself to the following directory:
C:\Users\{UserName}\AppData\Local\cantimeam
Also, it creates a Run key in the registry to make sure that it can be
launched upon system startup.
This sample sets up a proxy which listens on port 49157 to monitor all
traffic of the host. Once a user attempts to access the target website, this
sample redirects him or her to a malicious website and then steals sensitive
information from this victim. For example, when a user submits an access
request to a bank website, this sample will bring him or her to a forged website
and steal the victim’s account information.
After successfully infecting the host, the malware posts information about the
new bot to the server. In the following example of the uploaded bot information,
the parameter b is a unique bot ID generated from information about the
victim host:
/forum/viewtopic.php?a=0&b=29E5E0E72ADA89399B&d=0&e=42&f=2299390443&g=1796157635&h=1710622345&r=2503557760&i=10495
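As an added example (not code from the NSFOCUS report), the following PowerShell flags requests with this URI shape in a proxy log export and extracts the bot ID. The log lines, client addresses and the second bot ID are constructed; the URI layout follows the request quoted above, and only parameter b is interpreted, as the report does.

```powershell
# Added example: find IcedID-style bot-registration requests in a proxy log.
# The log excerpt below is constructed for illustration (the first URI mirrors the
# one quoted in the report; the second bot ID and the client IPs are made up).
$ConstructedLog = @'
2017-11-15 09:12:01 10.0.0.15 GET https://nobleduty.com/forum/viewtopic.php?a=0&b=29E5E0E72ADA89399B&d=0&e=42&f=2299390443&g=1796157635&h=1710622345&r=2503557760&i=10495 200
2017-11-15 09:12:05 10.0.0.15 GET https://www.example.org/forum/viewtopic.php?f=12&t=345 200
2017-11-15 09:13:44 10.0.0.22 GET https://ztekbowrev.com/forum/viewtopic.php?a=0&b=7F01A3C4D5E6F7A8B9&d=0&e=42&f=1&g=2&h=3&r=4&i=10495 200
'@

# Parameter names seen in the reported request; all must be present to reduce
# false positives from ordinary phpBB-style /forum/viewtopic.php traffic.
$ExpectedParams = 'a', 'b', 'd', 'e', 'f', 'g', 'h', 'r', 'i'

function Get-IcedIdBeacon {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Capture scheme+host and the query string of a viewtopic.php request.
        if ($line -notmatch '(?i)\s(\S+://[^/\s]+)/forum/viewtopic\.php\?(\S+)') { continue }
        $origin = $Matches[1]
        $params = @{}
        foreach ($kv in $Matches[2] -split '&') {
            $k, $v = $kv -split '=', 2
            $params[$k] = $v
        }
        # Skip if any expected parameter is missing or b is not a hex bot ID.
        $missing = $ExpectedParams | Where-Object { -not $params.ContainsKey($_) }
        if ($missing -or $params['b'] -notmatch '^(?i)[0-9A-F]+$') { continue }
        $fields = $line -split '\s+'
        [pscustomobject]@{
            Timestamp = $fields[0, 1] -join ' '
            Client    = $fields[2]
            Host      = ([uri]$origin).Host
            BotId     = $params['b']
        }
    }
}

Get-IcedIdBeacon -Lines ($ConstructedLog -split "`r?`n" | Where-Object { $_ }) |
    Format-Table Timestamp, Client, Host, BotId -AutoSize
```

The same bot ID recurring from one client across several of the listed C&C domains is the pattern to pivot on; the ordinary forum request on the second line is deliberately not reported.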
All communication between the sample and the C&C server is secured with
HTTPS. The sample uses a self-signed certificate as the HTTPS root certificate
and presents the victim with a sub-certificate, issued under that root, that is
maliciously crafted for the intended website.
The sample creates the 2ADA8939.tmp file under the system's temporary
directory C:\Users\{UserName}\AppData\Local\Temp, which makes it possible to
obtain sensitive information undetected via the proxy port, even if the user
accesses an HTTPS website.
After comparing the sample's code with the disclosed Pony sample code, we
find that the sensitive-information-stealing code is reused in both samples.
The following code figures from the original report show the sample's code for
stealing information from each of these email clients: Outlook, Windows Live
Mail, IncrediMail, BatMail, Becky, and PocoMail.
IOC
C&C Domain Names
nejokexulag.example.com
nobleduty.com
tradequel.net
youaboard.com
ztekbowrev.com
IP Address Location
IP address: 185.127.26.227
Country code: RUS/RU
Country: Russian Federation
Latitude: 55.73860168457
Longitude: 37.606800079346
Suggestions
Secure Operations
1. Do not download and install software before ascertaining that it is safe.
2. Do not click on links/URLs included in suspicious emails.
3. Install antivirus software and keep it up to date.
Check and Countermeasures
1. Search the registry for the following key and delete it if found:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cantimeam
2. Delete the following directory including all executables under it:
C:\Users\{UserName}\AppData\Local\cantimeam
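As an added example (not code from the NSFOCUS report), this PowerShell script performs a read-only check of a host for the artifacts described in the Technical Analysis and in the two countermeasures above: the Run value, the cantimeam directory and its files, a listener on TCP 49157, and the certificate-recording .tmp file. It assumes the .tmp file name follows the 8-hex-digit pattern of the reported 2ADA8939.tmp; the function and variable names are the example's own.

```powershell
# Added example: read-only triage for the IcedID artifacts named in the report.
# Nothing is deleted here; review the findings, then apply the Countermeasures.
function Test-IcedIdArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Persistence: HKCU\...\CurrentVersion\Run value named "cantimeam"
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'cantimeam' -ErrorAction SilentlyContinue
    if ($run) { $findings.Add("Run value cantimeam -> $($run.cantimeam)") }

    # 2. Dropped copy: %LOCALAPPDATA%\cantimeam; hash each file so it can be
    #    compared against the (masked) MD5 values in the Sample Information table.
    $dropDir = Join-Path $env:LOCALAPPDATA 'cantimeam'
    if (Test-Path $dropDir) {
        Get-ChildItem -Path $dropDir -File -Recurse | ForEach-Object {
            $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            $findings.Add("File $($_.FullName) size=$($_.Length) MD5=$md5")
        }
    }

    # 3. Local intercepting proxy: something listening on TCP 49157
    Get-NetTCPConnection -LocalPort 49157 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings.Add("TCP 49157 LISTEN owned by PID $($_.OwningProcess) ($($proc.ProcessName))")
        }

    # 4. Certificate-recording .tmp file in %LOCALAPPDATA%\Temp. Assumption: the
    #    name is 8 hex digits like the reported 2ADA8939.tmp.
    Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Temp') -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[0-9A-Fa-f]{8}$' } |
        ForEach-Object { $findings.Add("Temp file $($_.FullName) modified $($_.LastWriteTime)") }

    return $findings
}

$result = @(Test-IcedIdArtifacts)
if ($result.Count -eq 0) { 'No IcedID artifacts found on this host.' } else { $result }
```

Run it in the context of the affected user account, since both the Run value and the directory live under HKCU and %LOCALAPPDATA%; the port check needs the NetTCPIP module available on Windows 8 and later.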
Ongoing Security Monitoring and Protection
The ongoing security monitoring and protection solution by NSFOCUS
provides a dynamic security protection system in which NSFOCUS TAC detects
known and unknown threats and collaborates with the on-premises NSFOCUS
Network Intrusion Prevention System (NIPS). In addition, NSFOCUS's
professional emergency response team, together with regional service teams
that offer onsite response and threat handling, provides rapid onsite
troubleshooting, problem handling, and security enhancement for customers
across the country.
[Figure: NSFOCUS ongoing monitoring and protection workflow. Stages shown: threat entering the network; query threats; block known threats; push threat intelligence; report security events; block the reverse connection of the C&C server; make in-depth analysis of unknown malicious files; remove malware; visualize; management platform.]
Note: For details on the threat analysis capability of TAC, see Machine Analysis.
Comparison Among Malware Families
Detection and Protection Methods
NSFOCUS Detection Services
NSFOCUS engineers provide onsite detection services.
NSFOCUS online cloud detection (https://poma.nsfocus.com/):
You can log in to NSFOCUS Cloud to apply for a trial of the
scanning service.
NSFOCUS Solutions for Removing Trojans
Short-term service: NSFOCUS engineers provide the onsite Trojan
backdoor removal service (manual services + NIPS + TAC) to
ensure that the risk is immediately eliminated from the network and
the impact of infection is minimized. After that, an event analysis
report is provided to follow up and give more details.
Mid-term service: NSFOCUS provides a 3- to 6-month risk
monitoring service and preventive maintenance inspection (PMI)
services (NIPS + TAC + manual services) to eradicate risks and
prevent events from recurring.
Long-term service: NSFOCUS provides total solutions for the
finance industry (threat intelligence, attribution service, and
professional security services).
Conclusion
IcedID is a newly discovered cybercrime threat specialized in the financial
sector. Though the future trend of the malware remains uncertain, its abilities,
propagation method, and targets reveal that behind the threat there is a group
that is not totally unfamiliar to us.
Appendix
Indicators of Compromise
Key          Value
Domain Name  nejokexulag.example.com
             nobleduty.com
             tradequel.net
             youaboard.com
             ztekbowrev.com
Port         443
Protocol     SSL/TLS
IP Address   185.127.26.227
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide
any commitment or promise on this advisory. NSFOCUS and the author will not bear
any liability for any direct and/or indirect consequences and losses caused by
transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and
interpret this advisory. Please include this statement paragraph when reproducing or
transferring this advisory. Do not modify this advisory, add/delete any information
to/from it, or use this advisory for commercial purposes without permission from
NSFOCUS.
About NSFOCUS
============
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise
application and network security provider, with operations in the Americas, Europe, the
Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of
combatting the increasingly complex cyber threat landscape through the construction
and implementation of multi-layered defense systems. The company's Intelligent
Hybrid Security strategy utilizes both cloud and on-premises security platforms, built
on a foundation of real-time global threat intelligence, to provide unified, multi-layer
protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
http://www.nsfocusglobal.com
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered
trademarks of NSFOCUS, Inc. All other names and trademarks are property of their
respective firms.
Follow us on twitter for the latest cyber security updates:
https://twitter.com/NSFOCUS_Intl?lang=en