CyberWire Daily - IcedID banking trojan. [Research Saturday]

Episode Date: February 10, 2018

IcedID is a banking trojan recently discovered and tracked by IBM's X-Force research team, targeting banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in... the U.S. Limor Kessem is an executive security advisor with IBM Security. She returns to Research Saturday to describe what she and her team found.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:19 We discovered the campaigns in 2017 in its final form. That's Limor Kessem, an executive security advisor with IBM Security. She returns to Research Saturday to describe
Starting point is 00:03:25 IcedID, a banking trojan that she and the IBM X-Force research team have been tracking. We actually knew there was module development underway as early as June 2017, and some stuff was added in July. And, you know, a lot of times we kind of wait to see, okay, what is this thing? What is it going to be? And are we going to see it in activity? So we just follow it and check when it goes into live mode. So I guess we could start with the overall picture of financial cybercrime. Just a few words about how, you know, the criminals nowadays manage to carry out very high sum fraudulent transactions using these banking trojans like IcedID and other similar codes.
Starting point is 00:04:04 And losses from these types of financial cybercrime are estimated at hundreds of billions of dollars a year. They affect the financial industry, but they also target any other service that carries that kind of value, like monetary value, so online payments, anything like loyalty cards, and cryptocurrency has also been one of their favorites lately. If we look at the overall picture of these types of Trojans, if I look at the decade of specializing in this domain, I can tell you that while it has been an ongoing escalation over the years, we have been seeing a shift starting in 2014 where these Trojans have become very much the business of organized crime. So that means that when we find new malware like this, it's most often part of a business-like
Starting point is 00:04:50 organization, and it's part of the bigger picture for cybercrime. So aside from the code that is very modular and sophisticated, we're going to talk about it in a minute, it's part of an overall operation, which includes different internal teams that do operational security. They do online theft and social engineering. They have money movers. They have collaborators, both in other crime groups and people. They bribe insiders in banks sometimes who launder and mobilize the stolen funds for them. So if you're thinking, OK, what kind of amounts do these people manage to
Starting point is 00:05:25 move per transaction, they can move millions of dollars at a time, tens of millions. Sometimes it varies by the group, but this is definitely not people who are in it for small change and, you know, smaller transactions. And this arena has few longstanding players with some moving parts. I call them moving parts, which are groups that come and go. And in today's security and law enforcement landscape, it cannot be taken for granted that a group like that will actually survive. Seeing new groups in the cybercrime arena is always considered an event that attracts a lot of attention because everybody knows it will inevitably affect the financial sector in the target countries. And it doesn't happen a lot. We might see maybe one or two actual new codes a year. Sometimes we don't see any. But this is where IcedID comes in. So for
Starting point is 00:06:18 2017, it was one of two codes. The other one that was discovered was already an existing code base. And like you said, we discovered it around September, seen some stuff happening a little before that. And the first thing we noted upon analyzing it was the delivery method. The delivery method came by the Emotet Trojan, which was a significant observation for us. Take us through that. Can you describe to us how Emotet works? Yeah, so Emotet actually used to be a banking Trojan. It shares the exact same code base. It's called the Bugat code base that Dridex has. And Dridex is one of the most developed banking Trojans nowadays. This malware, somewhere around 2014 or 2015, stopped stealing money itself
Starting point is 00:07:08 and switched over to helping others do it. So we believe there's a small group operating it and serving cyber criminals mostly in Eastern Europe. And what they do is hold a botnet through which they deliver other malware for their customers. And their distribution is very targeted. They focus on businesses, and they use Emotet with a network propagation module, an email theft module.
Starting point is 00:07:31 They get a lot of information. They do data exfiltration. They get to as many users as possible once they get on an enterprise endpoint. So this was the choice of Iced ID and kind of starting to distribute the malware, which was telling in terms of target types. So, it's going after businesses, particularly in the U.S. And Emotet works a lot in the U.S. That's their turf. And we also learned that these are the kind of collaborators they have.
Starting point is 00:07:59 So, old timers from the cybercrime arena. There are no amateurs here. We know that, you know, this kind of connection already notes what's going to come next for us. This kind of builds the picture for us. So Emotet is the delivery mechanism, and it's correct that the initial infection usually comes via spam? Yeah. So, you know, a lot of Trojans nowadays, if not all of them pretty much, have a multi-stage infection routine. So they're not going to come straightforward and be downloaded from somewhere. There's going to be many stages. Emotet itself is going to be,
Starting point is 00:08:37 you know, delivered through spam. There's going to be probably a poisoned word document with malicious macros. There's going to be a PowerShell script that's going to run. Eventually, it's going to be a loader. Then it's going to be the Emotet Trojan. And Emotet, once it grabs hold of the endpoint, it becomes like sort of a backdoor. It can then usher in other malware.
Starting point is 00:09:04 So it could be IcedID, but it also works with QakBot. It also works with Zeus Panda in very recent campaigns. So we're seeing it kind of switching up the drops of different malware. And IcedID itself just recently moved on to the Hancitor downloader, which is another group that distributes malware through their own loader or malware type thing. So there's a sort of a modularity that's going on here with some of these things where people can swap in and out different components depending on, I guess, what's working and what they're trying to accomplish. Yeah. And also banking Trojans will bring in a certain module based on information they got from the endpoint. They could say, okay, well, if this endpoint is an enterprise endpoint,
Starting point is 00:09:47 then I might want to launch the email theft module because I can do X, Y, Z. We saw that a lot with a previous Trojan called Shifu that actually had modules for stealing from point-of-sale machines. So it will fetch that module only when it was on a point-of-sale machine, which was that kind of thing. Or if it, you know, detected other types of valuable information it could get, it would launch different modules accordingly or not launch them. Sometimes they choose not to do that. So Emotet serves up IcedID on your machine. Take us through what happens next.
Starting point is 00:10:22 From that time that it tries to fetch it, the malware comes with a cryptor. So a cryptor just keeps it kind of boxed in. So it's like a gift that you don't know what's in it. Unfortunately, not a good one. And we noticed that IcedID had its own cryptor. So nothing that's being used already in the wild, a commercial cryptor that could be bought from someone, which means it was specifically designed for IcedID, which is something that would happen for privately owned malware. So that was another telling sign of, hey, this is not just a run of the mill or a reuse of code. And then we noticed, you know, the code already has modularity, the same capabilities
Starting point is 00:11:02 we see for other banking trojans. So it's like that Swiss knife, like we're saying with the different modules here. What we saw is that they could do web injections and it can do redirection attacks. It can move users to a phishing page, initiate a VNC session. So it could take remote control of the endpoint. And we're seeing it basically setting up shop on the endpoint. And in setting up shop, it wants to know what the user is doing, where they're browsing to, in order to define if the user is going to a bank that interests them or to another target that interests them. In order to monitor the user's browsing, the malware sets up a local proxy on the machine. It sends the traffic first to local host,
Starting point is 00:11:47 the IP is 127.0.0.1. And then to a private TCP port, 49157, just, I guess, randomly chose one of the private TCP ports. And it tunnels all the traffic through there. Now, there's different ways to do this. This is one way, you know, just to kind of eavesdrop on the traffic that goes through the endpoint through the user. And that way the Trojan can actually tell, okay, they're going to bank one, two, three, and I'm going to go into action now. And this concept is already being used by another Trojan called the GootKit Trojan, which is another gang-owned malware. But not many Trojans use the proxy thing. This is pretty much, I guess, the two that are, I'll call them, mainstream that we see now that use it. But the proxy is not all of it in this case, because IcedID also needs to do stuff
Starting point is 00:12:39 when it wants to manipulate what the user is seeing. So it does hook the browser, the internet browser, to control what's being displayed or if it has to do a redirection and that kind of stuff. It was interesting to me that in the process of doing this, the user doesn't see anything unusual up in their browser bar. Correct. There is a special redirection that's a malware-enabled redirection that takes place here.
Starting point is 00:13:05 Usually a redirection, you know, if you go to a website, you could be redirected to another website. And it happens legitimately sometimes, you know, an ad could redirect you somewhere or whatever. It's something normal, but you will see the changes. You'll see that you move to another page. You will see that the URL changed or whatever different changes took place. In this case, the victim is actually hijacked to a completely different website that's hosted by the criminals on their infrastructure. They don't see any changes. They believe they're still on their original bank's webpage. They'll be seeing the same URL, they'll be seeing the same certificate, everything is going to look exactly the same, except they're on a replica. And at that point, they might be asked,
Starting point is 00:13:50 you know, it might look like a phishing page, where they're asked to enter all kinds of different details or their payment card information, they're going to be asked for their usual login information, maybe an extra field or two, the Trojan will steal that information immediately in real time. And the criminal might decide to use it at that point or use it later, depending on how much they need the user to be engaged at that point, the victim to be engaged online. So in terms of communications with the command and control servers, what are you seeing there?
Starting point is 00:14:24 So the communication with the command and control servers, of course, is something that happens, you know, for every malware. They need to communicate the information and exfiltrate data all the time. This malware communicates over encrypted SSL; basically it wants to keep the data out of sight from automated scans by the intrusion detection systems. It's a way for it just to be a tad more secure, because IcedID doesn't have a lot of anti-research or anti-security modules or features yet. It could probably build them later on like other malware does gradually over time. For now, it doesn't have anything major. So this could be one of the only little protections it has right now. And it also uses this type of communication to reach out to
Starting point is 00:15:12 a remote injection panel, which is a way for the malware operator during the transaction or during the session, the fake session that they have, they might want to deliver specific pages to the user seamlessly. So they fetch it from what's called a remote injection panel and orchestrate the flow of events from there. So they're using that as well to kind of keep that communication under wraps. So just so I understand here, the possibility is that, well, if I'm the victim of this and I'm logged into what I think is my bank, but I'm actually, I've actually been redirected to one of these imitation sites, would someone monitoring that in real time be able to, you know, put up custom things they want to get from me in real time? Or is it automated? Or both? They could
Starting point is 00:16:06 do both. Yeah, they could do both. They can have some custom things. From the transaction panel they can, depending on the internals of the transaction panel, they may be able to literally communicate with the victim and kind of push text into the injections that they're showing on screen. And they have some stuff that's just pre-made. You know, if they're going to ask for a payment card number with all the details, they could just throw it on the screen and they had it pre-made, just some HTML code or something. And it's rather simple. What are your thoughts on this in terms of attribution? Who's behind this? Oh, we believe this malware is made in Eastern Europe. We see it also from the different connections it has to different malware. Moving to Emotet and Hancitor, we see that the targets are all in the U.S., mostly U.S., a little bit in the U.K.
Starting point is 00:17:00 Targeting businesses, I think to me it's almost similar to the QakBot malware, which is a lot older, but the whole make of it and the way it's being handled or operated so far is very QakBot-like. In terms of protecting themselves against this, what are your recommendations for people? So people should, in general, these types of malware typically will come from an email. You know, a lot of times it would be something that's an attachment and the whole enable macros routine. A lot of times this specific malware is, you know, for businesses, it's going to come to a business email or to a business user on another email address, hoping that they're going to open it on their
Starting point is 00:17:45 corporate machine. So really being careful with emails, verifying where they're coming from, checking the sender. And, you know, if it's apparently someone they know, maybe even check with that person if they're not expecting anything like that from them, any kind of file with information. I mean, these people can't really guess what the person's going to be expecting. So being extra careful. There are some cases where the malware might be delivered by an exploit kit. So it's going to be a drive-by download on some other websites. So just not browsing to kind of untrusted websites and things like that would be good. Basic hygiene, basic internet browsing and internet use hygiene is one of the things
Starting point is 00:18:27 that can really go a long way with these types of Trojans. And then once the person's already, let's say they're infected, they have no idea, they start a banking session. The banking session is not normal. Something about it really changed. I mean, their bank or let's say their e-commerce account never asked them to enter
Starting point is 00:18:46 their payment card information on a screen where they never initiated any kind of transaction or purchase or whatever, or they already have information saved somewhere there. It looks suspicious. Close the browser window and check with your provider. That's the best thing they can do in order to detect it themselves. So is this a situation where your typical antivirus installation would not detect this? Banking Trojans don't typically get detected by the antivirus. A lot of times antiviruses will detect the loader, the first step, maybe the Emotet part, maybe the Hancitor part. They will probably see it a few days too late because the malware is always doing small mutations in order to flip
Starting point is 00:19:32 around the signature, the file signature. So for antivirus, it's a little harder to actually identify them. Every time I test and I want to see, you know, how many antiviruses will detect a certain malware. Not too many of them. Typically, they'll see it as something generic. They're not really aware of how to stop it completely for banking Trojans. In terms of persistence, so this survives, restarts, things like that? Yeah, definitely.
Starting point is 00:20:02 Most banking Trojans, one of the first things they do during the deployment is to set up persistence. There are common ways to do it, which is just establishing a run key and putting it in the registry and making sure that every reboot this malware will get rerun, which is what IcedID does. It doesn't do anything very special, but it works. And it's definitely one of those basics for Trojans because they don't want to be eliminated if somebody reboots the computer. And for IcedID specifically, it actually only completes its deployment after a reboot. So it definitely has to come back up. And it might be doing that, requiring a reboot, just to kind of evade some of the sandboxes that don't emulate rebooting processes. So there's some interesting things with this in terms of network propagation.
Starting point is 00:20:53 Can you take us through that element? Yeah, so IcedID has its own network propagation module. So first, if it's dropped by Emotet that already has a network propagation, IcedID has its own module that it can launch. And specifically, this one queries the Lightweight Directory Access Protocol, the LDAP, for users on the network. And then it will attempt to brute-force weak passwords with a dictionary attack. And if it succeeds, it'll move to the next user and infect them as well. And maybe try to copy itself to different places in the network. So in terms of someone trying to defend their network, would any of this network traffic look unusual? It might.
Starting point is 00:21:31 It might if they're seeing that there is brute force on accounts and they could see in their controls that something is not right, because usually users are not going to make all that many attempts on their passwords, so it could get detected. Our thanks to Limor Kessem from IBM's X-Force research team for joining us. You can read the full research report on the IcedID banking trojan on IBM's X-Force research website. We got an update from Limor since we recorded this segment. The IcedID Trojan has gone quiet.
Starting point is 00:22:55 The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave
Starting point is 00:23:20 Bittner. Thanks for listening.
