Research Saturday 2.10.18
Ep 22 | 2.10.18

IcedID banking trojan.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Limor Kessem: [00:01:02] We discovered the campaigns in 2017 in its final form.

Dave Bittner: [00:01:07] That's Limor Kessem, an Executive Security Advisor with IBM Security. She returns to Research Saturday to describe IcedID, a banking Trojan that she and the IBM X-Force Research Team have been tracking.

Limor Kessem: [00:01:20] We actually knew there was module development underway as early as June 2017 and some stuff was added in July and, you know, a lot of times we kind of wait to see, okay, what is this thing? What is it going to be? And, are we going to see it in activity? So we just follow it and check when it goes into live mode.

Limor Kessem: [00:01:39] So I guess we could start with the overall picture of financial cybercrime. Just a few words about, you know, the criminals nowadays manage to carry out very high-sum fraudulent transactions using these banking Trojans like IcedID and other similar codes. And losses from these types of financial cybercrime are estimated at hundreds of billions of dollars a year. They affect the financial industry, but they also target any other service that carries that kind of value, like monetary value, so online payments or anything like loyalty cards, and cryptocurrency has been also one of their favorites lately.

Limor Kessem: [00:02:14] If we look at the overall picture of these types of Trojans, if I look at the decade of specializing in this, and I can tell you that, while it has been an ongoing escalation over the years, we have been seeing a shift, started 2014, where these Trojans have become very much the business of organized crime. So that means when we find new malware like this, it's most often part of the business-like organization and it's part of the bigger picture for cybercrime.

Limor Kessem: [00:02:44] So aside from the code--that is very modular and sophisticated, we're going to talk about it in a minute--it's part of an overall operation, which includes different internal teams that do operational security. They do online theft and social engineering. They have money movers. They have collaborators, both in other crime groups and people they bribe, insiders in banks sometimes, who launder and mobilize the stolen funds for them.

Limor Kessem: [00:03:11] So, if you're thinking, okay, what kind of amounts do these people manage to move per transaction? They can move millions of dollars at a time, tens of millions sometimes. It varies by the group, but this is definitely not people who are in it for small change and, you know, smaller transactions. And this arena has a few long-standing players, with some moving parts. I call them moving parts, which are groups that come and go.

Limor Kessem: [00:03:38] And in today's security and law enforcement landscape, it cannot be taken for granted that a group like that will actually survive. Seeing new groups in the cybercrime arena is always considered an event that attracts a lot of attention, because everybody knows it will inevitably affect the financial sector in the target countries, and it doesn't happen a lot. We might see maybe one or two actual new codes a year. Sometimes we don't see any, but this is where IcedID comes in.

Limor Kessem: [00:04:06] So, for 2017, it was one of two codes. The other one that was discovered was already an existing code base. And, like you said, we discovered it around September, seeing some stuff happening a little before that. And the first thing we noted upon analyzing it was its delivery method. The delivery method came by the Emotet Trojan, which was a significant observation for us.

Dave Bittner: [00:04:33] Take us through that too. Can you describe to us how Emotet works?

Limor Kessem: [00:04:37] Yes, so Emotet, it actually used to be a banking trojan. It shares the exact same code base. It's called the Bugat code base that Dridex has, and Dridex is one of the most developed banking Trojans nowadays. This malware somewhere 2014, 2015, stopped stealing money itself, and switched over to helping others do it. So, we believe there's a small group operating it and serving cyber criminals mostly in Eastern Europe. And what they do is hold the botnet, through which they deliver other malware for their customers.

Limor Kessem: [00:05:13] And their distribution is very targeted. They focus on businesses, and they use Emotet with a network propagation module, an email theft module, they get a lot of information, they do data exfiltration, they get to as many users as possible once they get on an enterprise endpoint. So this was a choice of IcedID and kind of starting to distribute the malware, which was telling in terms of target types, so it's going after businesses particularly in the U.S., and Emotet works a lot in the U.S., that's their turf.

Limor Kessem: [00:05:46] And we also learned that these are the kind of collaborators they have. So old timers from the cybercrime arena, there are no amateurs here. We know that, you know, this kind of connection already knows what's going to come next. For us, this kind of builds the picture for us.

Dave Bittner: [00:06:01] So Emotet is the delivery mechanism, and it's correct that the initial infection usually comes via spam?

Limor Kessem: [00:06:11] Yeah. So, you know, a lot of Trojans nowadays, if not all of them pretty much, have a multistage infection routine. So they're not going to come straight forward and be downloaded from somewhere. There's going to be many stages. Emotet itself is going to be, you know, delivered through spam. There's going to be probably a poisoned Word document with malicious macros, there's going to be a PowerShell script that's going to run, eventually it's going to be a loader, then there's going to be the Emotet Trojan.

Limor Kessem: [00:06:41] And Emotet, once it grabs hold of the endpoint, it becomes like sort of a backdoor, it can then usher in other malware. So it could be IcedID, but it also works with QakBot. It also works with Zeus Panda in very recent campaigns, so we're seeing it kind of switching up the drops of different malware. And IcedID itself just recently moved on to the Hancitor downloader, which is another group that distributes malware through their own loader or malware type thing.

Dave Bittner: [00:07:14] So there's sort of a modularity that's going on here with some of these things, where people can swap in and out different components depending on I guess what's working and what they're trying to accomplish?

Limor Kessem: [00:07:25] Yeah, and also banking Trojans will bring in a certain module based on information they got from the endpoint. You know, they can say, okay, well if this endpoint is an enterprise endpoint then I might want to launch the email-theft module because I can do XYZ.

Limor Kessem: [00:07:42] We saw that a lot with a previous Trojan called Shifu, that actually had modules for stealing from point-of-sale machines. So it would fetch that module only when it was on the point-of-sale machine, which was that kind of thing. Or if it, you know, detected other types of valuable information it could get, it would launch different modules accordingly, or not launch them. Sometimes they choose not to do that.

Dave Bittner: [00:08:05] So Emotet serves up IcedID on your machine. Take us through what happens next.

Limor Kessem: [00:08:12] From that time that it tries to fetch it--the malware comes with a crypter. So a crypter just keeps it kind of boxed in, so it's like a gift that you don't know what's in it. Unfortunately not a good one. And we noticed that IcedID had its own crypter. So nothing that's being used already in the wild, not a commercial crypter that can be bought from someone, which means it was specifically designed for IcedID. Which is something that would happen for privately owned malware. So that was another telling sign of, hey, this is not just a run-of-the-mill reuse of code.

Limor Kessem: [00:08:47] And then we noticed, you know, the code grade has modularity, same capabilities we see for other banking Trojans. So it's like that Swiss knife like we're seeing with the different modules here. What we saw is that they could do web injections, and they can do redirection attacks, and it can move users to a phishing page, initiate a VNC session. So it could take remote control of the endpoint, and we're seeing it's basically setting up shop on the endpoint. And in setting up shop, it wants to know what the user is doing, where they're browsing to, in order to define if the user's going to a bank that interests them or to another target that interests them.

Limor Kessem: [00:09:27] In order to monitor the user's browsing, the malware sets up a local proxy on the machine. It sends traffic first to localhost, the IP's, and then to a private TCP port 49157, just I guess randomly chose one of the private TCP ports, and it tunnels all the traffic through there.

Limor Kessem: [00:09:49] Now there's different ways to do this. This is one way, you know, just to kind of eavesdrop on the traffic that goes through the endpoint through the user. And that way, the Trojan can actually tell, okay, they're going to "Bank 123" and I'm going to go into action now. And this concept is already being used by another Trojan, called the GootKit Trojan, which is another gang-owned malware. But not many Trojans use the proxy thing. This is pretty much I guess the two that are, I'll call them mainstream, that we see now that use it.

Limor Kessem: [00:10:23] But the proxy is not an end-all in this case, because IcedID also needs to do stuff when it wants to manipulate what the user is seeing. So it does hook the browser, the Internet browser, to control what's being displayed, or if it has to do a redirection, and that kind of stuff.

Dave Bittner: [00:10:40] It was interesting to me that, in the process of doing this, the user doesn't see anything unusual up in their browser bar.

Limor Kessem: [00:10:49] Correct. There is a special redirection that's a malware-enabled redirection that takes place here. Usually a redirection, you know, if you go to a website you could be redirected to another website. And it happens legitimately sometimes, you know, an ad could redirect you somewhere or whatever. It's something normal, but you will see the changes, you'll see that you moved to another page, you will see that the URL changed, or whatever different changes took place.

Limor Kessem: [00:11:14] In this case, the victim is actually hijacked to a completely different website that's hosted by the criminals on their infrastructure. They don't see any changes. They believe they're still on their original bank's web page. They'll be seeing the same URL, they'll be seeing the same certificate. Everything is going to look exactly the same, except they're on a replica.

Limor Kessem: [00:11:37] And at that point they might be asked, you know, it might look like a phishing page where they're asked to enter all kinds of different details or their payment card information. They're going to be asked for their usual login information, maybe an extra field or two. The Trojan will steal that information immediately, in real time. And the criminal might decide to use it at that point or use it later, depending on how much they need the user to be engaged at that point, the victim to be engaged online.

Dave Bittner: [00:12:07] So, in terms of communications with the command-and-control servers, what are you seeing there?

Limor Kessem: [00:12:13] So, the communication with the command-and-control servers, of course something that happens, you know, for every malware, they need to communicate the information and exfiltrate data all the time. This malware communicates over encrypted SSL, basically wants to keep the data out of sight from automated scans by the intrusion detection systems. It's a way for it just to be a tad more secure because IcedID doesn't have a lot of anti-research or anti-security modules or features yet. It could probably build them later on, like other malware does, gradually over time. For now, it doesn't have anything major. So this could be one of the only little protections it has right now.

Limor Kessem: [00:12:57] And it also uses this type of communication to reach out to a remote injection panel, which is a way for the malware operator, during the transaction or during the session--the fake session--that they have, they might want to deliver specific pages to the user seamlessly, so they fetch it from what's called a remote injection panel and orchestrate the flow of events from there. So they're using that as well, to kind of keep that communication under wraps.

Dave Bittner: [00:13:30] So, just so I understand here, the possibility is that, well, if I'm the victim of this, and I'm logged into what I think is my bank, but I've actually been redirected to one of these imitation sites. Is someone monitoring that in real-time and being able to, you know, put up custom things they want to get from me in real-time, or is it automated, or both?

Limor Kessem: [00:13:54] They could do both, yeah. They could do both. They can have some custom things, like from the transaction panel they can-- depending on the internals of the transaction panel--they may be able to literally communicate with the victim and kind of push text into the injections that they're showing on-screen. And they have some stuff that is just premade, you know, if they're going to ask for payment card number with all the details, they could just throw it on the screen and they had it premade, just some HTML code or something. And it's rather simple.

Dave Bittner: [00:14:25] What's your thoughts on this in terms of attribution? Who's behind this?

Limor Kessem: [00:14:30] Well, we believe this malware is made in Eastern Europe. We see it also from the, you know, the different connections it has to different malware. Moving to Emotet, then Hancitor, we see that the targets are all in the U.S., mostly U.S., a little bit in the U.K., targeting businesses. I think, to me, it's almost similar to the QakBot malware which is a lot older, but the whole make of it and the way it's being handled or operated so far is very QakBot like.

Dave Bittner: [00:15:06] In terms of protecting themselves against this, what are your recommendations for people?

Limor Kessem: [00:15:10] So people should, in general, these types of malware typically come from an email. You know, a lot of times it would be something that's an attachment, and the whole "enable macros" routine. A lot of times this specific malware is, you know, for businesses. It's going to come to a business email, or to a business user on another email address hoping that they're going to open it on their corporate machine.

Limor Kessem: [00:15:37] So, really being careful with emails, verifying where they're coming from, checking the sender and, you know, if it's apparently someone they know, maybe even check with that person if they're not expecting anything like that from them, any kind of file with information. Because, I mean, these people can't really guess what the person's going to be expecting. So being extra careful.

Limor Kessem: [00:15:56] There are some cases where the malware might be delivered by an exploit kit. So it's going to be a drive-by download on some other website. So just not browsing to kind of untrusted websites and things like that would be good. Basic hygiene, basic internet browsing and internet-use hygiene is one of the things that can really go a long way with these types of Trojans.

Limor Kessem: [00:16:20] And then once the person's already, let's say they're infected, they have no idea, they start a banking session. The banking session is not normal, something about it really changed. I mean, their bank or let's say their e-commerce account, never asked them to enter their payment card information on a screen where they never initiated any kind of transaction or purchase or whatever, or they already have information saved somewhere there. If it looks suspicious, close the browser window, and check with your provider. That's the best thing they can do in order to detect it themselves.

Dave Bittner: [00:16:55] So is this a situation where your typical antivirus installation would not detect this?

Limor Kessem: [00:17:01] Banking Trojans don't typically get detected by the antivirus. A lot of times antiviruses will detect the loader. The, you know, the first step, maybe the Emotet part, maybe the Hancitor part. They will probably see it a few days too late, because the malware is always doing small mutations in order to flip around the signature, the file signature, so for antivirus it's a little harder to actually identify them. Every time I test and I want to see, you know, how many antiviruses will detect a certain malware, not too many of them, typically they'll see it as something generic. They're not really aware of how to stop it completely for banking Trojans.

Dave Bittner: [00:17:44] In terms of persistence, so this survives restarts, things like that?

Limor Kessem: [00:17:50] Yeah, definitely. Most banking Trojans, one of the first things they do during their deployment is to set up a persistence. There are common ways to do it, which is just establishing a run key and putting it into registry and making sure that every reboot, this malware will get, you know, rerun. Which is what IcedID does; it doesn't do anything very special, but it works. And it's definitely one of those, you know, basics for Trojans because they don't want to be eliminated if somebody reboots the computer.

Limor Kessem: [00:18:20] And for IcedID specifically, it actually only completes its deployment after a reboot. So it definitely has to come back up, and it might be doing that to require a reboot just to kind of evade some of the sandboxes that don't emulate rebooting processes.

Dave Bittner: [00:18:38] So there are some interesting things with this in terms of network propagation. Can you take us through that element?

Limor Kessem: [00:18:44] Yeah, so IcedID has its own network propagation module. So first, if it's dropped by Emotet that already has a network propagation, IcedID has, you know, its own module that it can launch. And specifically, this one queries the Lightweight Directory Access Protocol, the LDAP, for users on the network. And then it will attempt to brute-force weak passwords with a dictionary attack, and if it succeeds it will move to the next user and infect them as well, and maybe try to copy itself to different places in the network.

Dave Bittner: [00:19:14] So in terms of someone trying to defend their network, would any of this network traffic look unusual?

Limor Kessem: [00:19:20] It might, it might if they're seeing that there is brute-force on accounts, and they could see in their controls that something is not right. Because usually users are not going to make all that many attempts on their passwords, so it could get detected.

Dave Bittner: [00:19:38] Our thanks to Limor Kessem, from IBM's X-Force research team, for joining us. You can read the full research report on the IcedID banking Trojan on IBM's X-Force Research website. We got an update from Limor since we recorded this segment: The IcedID Trojan has gone quiet.

Dave Bittner: [00:19:56] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.