Friday, December 22, 2017

IcedID New Tricks: Where Banking Trojan meets Phishing

IcedID Expanding Target List

Although ransomware has been getting all the headlines in the news, banking trojans continue to be an issue. New variants are constantly evolving and posing new risks. At UAB, we have been looking closely at banking trojans such as Ramnit, TrickBot, IcedID and so on. Recently, Cliff Wilson, a malware analyst at the UAB malware lab, contributed to establishing that TrickBot is spamming. TrickBot was silent for the past week, so he was asked to dive into the IcedID banking trojan.

IcedID Banking Trojan

This analysis focuses on the malware sample with the hash:
3f4d7a171ab57b6c280ad4aed9ebf8f74e5228658cb4a576ada361a7d7ff5df4

This sample is identified by ESET as "Win32/Spy.Icedid.A", although many AV engines, including Ahn, Aegis, and Kaspersky, refer to it as being part of the Andromeda family. As with most malware, most AV engines offer only a meaningless "Generic" identifier, such as AVG (Win32:Malware-Gen), McAfee (Generic Trojan.i), Symantec (Trojan.Gen.2), and TrendMicro (TROJ_GEN.R002C0WL517).

While testing this sample, we noticed the same behavior we have observed before: web injects and phishing pages on financial websites. During further analysis of the IcedID process and its web-injects, Cliff made an interesting observation.

The URL https[:]//financebankpay[.]com/ was found in the web-injects and contains dozens of ‘mock’ web pages and phishing pages for IcedID’s targeted sites. The pages we have observed in the past IcedID sample were present: pages for Discover, Citi, Chase, Amazon, Amex and a few others. Several new pages were discovered, which we had not observed before.

FinanceBankPay.com was purchased from Chinese registrar EraNet and hosted on a Russian IP address.  The WHOIS information was bogus, borrowing the name of a man from Texas, but saying he lived in the city of "Kileen" with the state "DK", using a throw-away email from "pokemail.net" for his WHOIS email address.

When visiting a targeted URL, the webinject was loaded by the malware by pulling a page from FinanceBankPay.com from one of the following paths, and presenting it as if it were content from the true brand.

amazon
amex
cashpro  (a banking portal for Bank of America)
chase
citiBussiness
citiCard
discover
gmail
jpmorgan
ktt_key  (Key Bank)
live  (Microsoft email services)
wellsfargo
wellsoffice


A few examples of the new emulated pages with injected code are as follows.

Gmail

https://www.financebankpay[dot]com/gmail/
Fig. 1: Login Page for Google Account
The Google web-inject can be reached by trying to log in through any Google service (Gmail, Hangouts, YouTube) when infected with IcedID.

Outlook

https://www.financebankpay[dot]com/live/

Fig. 2: Login Page for Outlook

US based banks

https://www.financebankpay[dot]com/citiCards/

Fig. 3: Stealing credit card details and PIN for a US bank

https://www.financebankpay[dot]com/wellsoffice/

Fig. 4: Business Portal Login for US-Based Bank



Additional findings

This sample, along with other recently tested IcedID samples, exhibited the following similar behaviors:
  • created the directory \onaodecan in \AppData\Local
  • created “sonansoct.exe” within this directory
  • soon after created a .TMP file within \AppData\Local\Temp
  • opened this file as a process, then closed the main process
  • this file was updated throughout the testing period
  • other .TMP files were also created, but not executed (further analysis of these files is needed)
  • any visited URL could be found in the memory strings of the .TMP process after visiting
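
The host behaviors listed above can be turned into a hunt over endpoint telemetry. The following Python code is an added example, not code from the original analysis: the event format, user names, timestamps and .TMP file names are constructed, and it matches on path shape rather than the literal directory and file names, on the assumption that those names differ between samples.

```python
import re

# A process image with a .TMP extension running out of the user's Temp directory.
TMP_IMAGE = re.compile(
    r"^(?P<profile>[a-z]:\\users\\[^\\]+)\\appdata\\local\\temp\\[^\\]+\.tmp$", re.I)
# An .exe written directly into a first-level subdirectory of AppData\Local.
LOCAL_EXE = re.compile(
    r"^(?P<profile>[a-z]:\\users\\[^\\]+)\\appdata\\local\\(?P<dir>[^\\]+)\\[^\\]+\.exe$", re.I)

def hunt(events):
    """Return one finding per .TMP image executed from Temp, in event-time order."""
    dropped = {}   # lower-cased profile path -> .exe paths dropped so far
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        path = ev["path"]
        if ev["type"] == "file_create":
            m = LOCAL_EXE.match(path)
            # Temp itself is excluded: installers write .exe files there all the time.
            if m and m.group("dir").lower() != "temp":
                dropped.setdefault(m.group("profile").lower(), []).append(path)
        elif ev["type"] == "process_create":
            m = TMP_IMAGE.match(path)
            if m:
                exes = dropped.get(m.group("profile").lower(), [])
                findings.append({
                    "image": path,
                    "dropped_exes": list(exes),
                    # Both behaviors in the same profile is the stronger signal.
                    "severity": "high" if exes else "medium",
                })
    return findings

# Constructed events. Only the directory and .exe names come from the list above.
SAMPLE_EVENTS = [
    {"time": 1, "type": "file_create", "path": r"C:\Users\alice\AppData\Local\onaodecan\sonansoct.exe"},
    {"time": 2, "type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\A1B2.TMP"},
    {"time": 3, "type": "process_create", "path": r"C:\Users\alice\AppData\Local\Temp\A1B2.TMP"},
    {"time": 4, "type": "process_create", "path": r"C:\Users\bob\AppData\Local\Temp\installer.exe"},
    {"time": 5, "type": "process_create", "path": r"C:\Users\bob\AppData\Local\Temp\C3D4.tmp"},
    {"time": 6, "type": "file_create", "path": r"C:\Users\bob\AppData\Local\Temp\helper.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["image"], f["dropped_exes"])
```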

Researchers will continue to provide regular and interesting updates about the different types of Banking Trojans floating in the wild. We need a consistent and combined effort from all the financial institutions to deal with such a malaise for the banking sector and end users.