Tuesday, January 26, 01:53

IcedID banking trojan: New variant exploits COVID-19!

Researchers at Juniper Threat Labs have discovered a new variant of the IcedID banking trojan used in attacks that exploit COVID-19. The new variant uses steganography to infect potential victims and has features that allow it to be easily detected. The researchers identified a COVID-19-themed spam campaign targeting users in the USA, with the new variant being able to monitor victims' online activity. The emails sent by the campaign contain attachments which, as soon as a user opens them, load the IcedID banking trojan.

The IcedID banking trojan first appeared in 2017 and has features similar to other banking threats such as the Gozi, Zeus and Dridex malware. IBM X-Force experts, who first analyzed this trojan, noticed that it does not borrow code from other banking malware, but can be compared to them in terms of various features, including launching attacks from within the browser and stealing financial information from victims. The recent campaign analysed by Juniper Threat Labs researchers aims to steal credentials and credit card data for Amazon.com, American Express, AT&T, Bank of America, Capital One, Chase, Discover, eBay, E-Trade, JP Morgan, Charles Schwab, T-Mobile, USAA, Verizon Wireless, Wells Fargo and other leading companies. This campaign exploits the COVID-19 pandemic by using keywords such as COVID-19 and FMLA in e-mail sender names and attachment names. Unlike previous variants, the latest version of the trojan is injected into msiexec.exe to manipulate the browser's traffic, and it uses steganography to download its modules and configurations.

As soon as the victim opens a malicious document, it drops a first-stage binary, which in turn fetches a second-stage loader. That loader retrieves another loader, which downloads a third-stage payload; this payload unpacks a binary embedded in its resources and executes it. Once running, it downloads the main module of the IcedID banking trojan as a PNG file from the (defanged) link https://cucumberz99[.]club/image?id={01XXXXXXXXXXXXXXXXXXXXXXXX}. The researchers said that the decrypted code is not a complete PE image, as it does not contain any headers. Most of its strings are also encrypted, which makes analysis even more difficult.

Once the IcedID main module code is injected into the msiexec.exe process, it starts connecting to the command-and-control server and waits for commands. The main function of the malware core is to steal financial data using webinjects. IcedID monitors specific browser process names:

  • Firefox.exe
  • chrome.exe
  • Iexplore.exe

If the victim opens a browser window, the IcedID malware creates a local proxy, hooks the browsers' connection APIs and creates a certificate in the %TEMP% folder. Thus, all browser connections pass through msiexec.exe and complete control of the browser's traffic is achieved. The malware then monitors browser activity related to financial transactions and injects into forms on the fly, in an attempt to steal a potential victim's credit card data. Juniper researchers have concluded that the IcedID banking trojan is a highly sophisticated malware developed by skilled attackers, who are constantly evolving their "arsenal".
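As an added example (not code from the article or from Juniper's report), the following Python sketches how a defender could hunt for the behaviours described above in Sysmon-style telemetry: msiexec.exe initiating outbound connections, a certificate written to %TEMP% by msiexec.exe, and one of the monitored browsers talking to a loopback port on which msiexec.exe accepted a connection. The event records are constructed for the example; field names follow Sysmon's conventions and no value is an indicator from the report.

```python
import ipaddress
import re

# Constructed Sysmon-style events (EventID 3 = network connection, 11 = file
# create). For Initiated=False, DestinationIp/Port is the local listening socket.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\sxcert.crt"},
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 50321, "Initiated": False},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 50321, "Initiated": True},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": True},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\Installer\MSI1234.tmp"},
]

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}  # names from the report
CERT_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\.*\.(cer|crt|pem|der|pfx)$", re.I)

def _image_name(ev):
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()

def _is_loopback(ip):
    return ipaddress.ip_address(ip).is_loopback

def detect_icedid_behaviour(events):
    """Return (rule_name, event) pairs for the behaviours the report describes."""
    # Pass 1: loopback ports on which msiexec.exe accepted a connection (the proxy).
    proxy_ports = {ev["DestinationPort"] for ev in events
                   if ev["EventID"] == 3 and _image_name(ev) == "msiexec.exe"
                   and not ev["Initiated"] and _is_loopback(ev["DestinationIp"])}
    findings = []
    for ev in events:
        name = _image_name(ev)
        if ev["EventID"] == 3 and name == "msiexec.exe" and ev["Initiated"] \
                and not _is_loopback(ev["DestinationIp"]):
            # msiexec.exe can legitimately fetch remote packages: medium confidence alone.
            findings.append(("msiexec_outbound_connection", ev))
        elif ev["EventID"] == 3 and name in BROWSERS \
                and _is_loopback(ev["DestinationIp"]) and ev["DestinationPort"] in proxy_ports:
            findings.append(("browser_to_msiexec_local_proxy", ev))
        elif ev["EventID"] == 11 and name == "msiexec.exe" \
                and CERT_IN_TEMP.search(ev["TargetFilename"]):
            findings.append(("msiexec_certificate_in_temp", ev))
    return findings

if __name__ == "__main__":
    for rule, ev in detect_icedid_behaviour(SAMPLE_EVENTS):
        print(rule, "<-", ev["Image"])
```

The browser-to-proxy rule deliberately requires a matching msiexec.exe listener, since browsers also open loopback connections for legitimate reasons.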
