
BokBot aka IcedID: A sneak peek into the activities and working methodology of the trojan

  • The banking trojan was first spotted in the wild in September 2017.
  • IcedID's operators use web injection and redirection attacks to harvest victims' online banking credentials.

Banking trojans are a pervasive threat. Over the years, researchers have watched financial institutions being targeted by a wide range of prolific and notorious trojans. The one we focus on here is IcedID. Although only about a year old, IcedID has already become robust enough to give organizations the creeps.

Emergence

The banking trojan was first spotted in the wild in September 2017, when its first test campaigns were launched. The malware was initially built to attack banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites in the US, but its target list has since expanded to organizations outside the US.

According to IBM X-Force research, the trojan does not appear to borrow code from any other known trojan, yet its capabilities are on par with those of established banking trojans such as Zeus, Gozi and Dridex.

Modus operandi and capabilities

IcedID's operators use web injection and redirection attacks to harvest victims' online banking credentials.

For a redirection attack, the operators stand up a replica of the targeted bank's site, built to look seamless next to the genuine one, and route the victim to it instead of the real site. The redirection scheme is driven by the trojan's configuration file, which lists the target URLs.

The malware watches the victim's browser traffic for those target URLs. When one is requested, it executes a web injection attack: the injected content sends the victim to the fake bank site and fools them into submitting their credentials.

Once the victim submits their details, the attackers take over the session and trick them into divulging the transaction authorization elements (one-time codes and the like) needed to complete a fraudulent transaction. IcedID's command-and-control communications are encrypted with SSL/TLS, which keeps the traffic's contents out of reach of signature-based intrusion detection systems. Encryption hides the payload, not the connection: the destination host and the TLS handshake metadata remain visible, so network detection of this traffic has to rest on those indicators, or on the endpoint, rather than on packet content.
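The following is a simplified model of the config-driven targeting described above, written as an added example for this page; it is not IcedID's own code, and the configuration layout, field names, hostnames and sample HTML are all constructed for illustration. It shows the two actions a configuration entry can trigger when a watched URL is requested (redirect the browser to a replica site, or inject extra markup into the genuine page) and the two checks a defender can run against the outcome: whether the browser landed on the expected origin, and whether the delivered page still matches the one the server sent.

```python
"""
Model of a config-driven web-inject / redirection engine (added example, not
IcedID code). CONFIG, the hostnames under the reserved .test TLD and SAMPLE_PAGE
are constructed for the example; a real trojan's config format differs.
"""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed config. Each entry names the victim URLs it applies to (a regex
# matched against the requested URL) and what to do when one is seen:
#   redirect -> send the browser to an attacker-controlled replica of the site
#   inject   -> patch extra HTML into the genuine page before it is rendered
CONFIG = [
    {
        "type": "redirect",
        "match": r"^https://online\.examplebank\.test/login",
        "to": "https://online.examplebank-secure.test/login",
    },
    {
        "type": "inject",
        "match": r"^https://www\.example-payroll\.test/account",
        "before": "</form>",
        "data": '<input type="text" name="otp" placeholder="Enter the code we sent you">',
    },
]

# Constructed page as the genuine server would deliver it.
SAMPLE_PAGE = (
    "<html><body><form action=\"/account\">"
    "<input name=\"user\"><input name=\"pass\">"
    "</form></body></html>"
)


@dataclass
class Outcome:
    action: str  # "pass", "redirect" or "inject"
    url: str     # URL the browser ends up on
    body: str    # HTML the browser ends up rendering


def apply_config(url, html, config=CONFIG):
    """Walk the config and apply the first entry whose pattern matches `url`."""
    for entry in config:
        if not re.search(entry["match"], url):
            continue
        if entry["type"] == "redirect":
            # The victim never reaches the real site; the genuine page is dropped
            # and the replica at entry["to"] is shown instead.
            return Outcome("redirect", entry["to"], "")
        if entry["type"] == "inject":
            marker = entry["before"]
            if marker in html:
                # Insert the extra field just before the marker so the page
                # keeps its original layout and the added field looks native.
                patched = html.replace(marker, entry["data"] + marker, 1)
                return Outcome("inject", url, patched)
    # No entry matched: the page is delivered untouched.
    return Outcome("pass", url, html)


def origin_mismatch(expected_url, landed_url):
    """Defender check 1: did the browser end up on a different host than requested?"""
    return urlsplit(expected_url).hostname != urlsplit(landed_url).hostname


def page_tampered(original_html, delivered_html):
    """Defender check 2: does the rendered page still match what the server sent?"""
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return digest(original_html) != digest(delivered_html)


if __name__ == "__main__":
    for url in ("https://online.examplebank.test/login?sid=1",
                "https://www.example-payroll.test/account",
                "https://www.example.test/"):
        out = apply_config(url, SAMPLE_PAGE)
        print(url, "->", out.action,
              "| origin mismatch:", origin_mismatch(url, out.url),
              "| page tampered:", page_tampered(SAMPLE_PAGE, out.body))
```

Run as a script, the block reports a redirect for the bank login URL (origin mismatch), an injected page for the payroll account URL (same origin, but the page no longer matches the server's copy), and an untouched pass-through for an unlisted site. The two checks deliberately fail in different cases: a redirect is caught by the origin comparison, an in-place injection only by comparing page content, which is why both views are needed when hunting for this class of fraud.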

Upcoming player

IcedID is regarded as a rising player in the financial cybercrime arena. Given that its current capabilities are already on par with those of established banking trojans, researchers expect its operators to use it for more sophisticated attacks in the future.
