IcedID Trojan Using Steganography, COVID-19 and FMLA Theme To Launch Attacks

Through constant updates to their arsenal, the operators of IcedID are making the malware more complex and more dangerous. Recently, a new, enhanced version of the IcedID (Bokbot) Trojan was found with new anti-detection capabilities.

Latest discoveries

This month, Juniper Threat Labs uncovered an email spam campaign circulating in the United States that spreads a new version of the IcedID trojan. The new version has updated C2 communication and string encryption, and it blends its communication with normal traffic to hide.
  • The latest version of IcedID exhibits several layers of sophistication, including the use of MSI (msiexec), full steganography, and HTTPS. The attackers have been using the COVID-19 pandemic and the Family and Medical Leave Act (FMLA) as their themes.
  • Known for man-in-the-browser attacks, IcedID targets the Firefox, Chrome, and Internet Explorer browsers to monitor browser activity related to financial transactions and injects forms on the fly to try to steal credit card details.
  • In the latest campaign, it harvests credentials and payment-card data from customers of Amazon.com, Bank of America, Capital One, Dell, eBay, Frost Bank, Halifax UK, J.P. Morgan, Lloyds Bank, M&T Bank, PNC, RBC, SunTrust Bank, T-Mobile, Union Bank, Verizon Wireless, and others.

Past attacks

IcedID was first identified in September 2017 by IBM X-Force researchers. In the years since, IcedID has continued to evolve significantly. So far, the operators have added a wide range of features such as proxy servers, web injects, large RAT arsenals, and VNC modules.
  • In May 2020, the IcedID Trojan added new tricks, including a new steganography-based stage downloader that hides configuration data in the file system and network traffic, and it targeted U.S. bank, AT&T, and T-Mobile customers.
  • In the same month, IcedID infections switched to using Microsoft Word documents with malicious macros to push the malware.
  • In April 2020, a new major version of the malware, IcedID version 12 (0xC in hexadecimal), emerged with some substantial changes.

Security tips

Users are advised to track their financial assets daily and report unauthorized operations directly to the bank. Use credible security tools, such as an anti-virus/anti-spyware suite, to detect and eliminate malware immediately.