New 'IcedID' Banking Trojan Found Targeting Financial Institutions, Researchers Warn

Security researchers have discovered a new banking Trojan that is actively targeting U.S. financial institutions. Dubbed IcedID, the malware is believed to have emerged in the wild back in September 2017, when its first test campaigns were launched. According to IBM X-Force, IcedID was developed with “modular malicious code and modern capabilities” similar to those of the notorious Zeus Trojan. “At this time, the malware targets banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites in the U.S.,” explained IBM in a blog post. Researchers noted that two major U.K. banks were also found on the target list the malware fetches. IcedID does not appear to borrow code from other Trojans, but it implements similar features that allow it to perform advanced browser manipulation tactics, added IBM.

“Aside from the more common Trojan features, IcedID can propagate over a network. It monitors the victim’s online activity by setting up a local proxy for traffic tunneling, which is a concept reminiscent of the GootKit Trojan. Its attack tactics include both webinjection attacks and sophisticated redirection attacks similar to the scheme used by Dridex and TrickBot,” said IBM researchers.

In addition, IcedID possesses the ability to move to other endpoints, and researchers also observed it infecting terminal servers, reported X-Force. Cybercriminals behind IcedID are leveraging Emotet to distribute the malware – an indicator that its operators are likely not new to the cybercrime arena, said IBM. “X-Force research believes that a threat actor or a small cybergang has been operating Emotet as a distribution operation for banking Trojans and other malware codes this year,” read the blog post. IcedID’s capabilities are already as sophisticated as other banking Trojans, such as Zues, Gozi and Dridex. However, researchers warn it will likely see further updates in the coming weeks.