A new banking Trojan with advanced capabilities has been identified in the wild. Initial reports state that IcedID is delivered using the botnet infrastructure of the popular Trojan Emotet. The Trojan is distributed using convincingly crafted phishing emails that contain malicious Word documents.

This threat appears to be targeting the banking industry, mobile service providers, payroll portals, and e-commerce sites. Affected victims reside in Canada, the United States and the U.K.


What we’re doing about it

  • Specific detection rules for IcedID and Emotet have been deployed to esNETWORK™ sensors.
  • The eSentire SOC is monitoring this threat and will continue to add malicious IPs to the eSentire global blacklist (Asset Manager Protect, via esNETWORK) as they are detected.


What you should do about it

  • Ensure users are well informed about current threats through awareness programs and training.
  • Disable all macros. If this is not possible, only allow macros from controlled/trusted sources. [1]
  • If running Windows 10 version 1709 (or later), Attack Surface Reduction (ASR) rules can be implemented within Windows Defender Exploit Guard to further defend against this threat. [2] [3]
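As an added example (not eSentire's own code or tooling), the following PowerShell applies the two controls above on a single host: it registers the Office-related ASR rules in audit mode, prints the resulting rule state, and sets the Office macro policy keys. It assumes Windows 10 1709 or later with Windows Defender Antivirus active, an elevated session, and Office 16.0; in production the registry values would normally be delivered by Group Policy rather than set locally.

```powershell
# Added example, not eSentire's code. Hardens Office against macro-borne
# loaders such as the Emotet/IcedID documents described above.
# Assumptions: Windows 10 1709+ with Windows Defender AV active (ASR rules
# depend on it), elevated PowerShell, Office 2016/2019 (16.0 policy hive).
# Rule GUIDs are the ones Microsoft documents in reference [3]; verify them
# against that page before deployment.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-5D3C-4F52-8F6B-D5F93DA93A0C' = 'Block Win32 API calls from Office macros'
}

# Roll out in AuditMode first: would-be blocks are logged to the
# Microsoft-Windows-Windows Defender/Operational log as event ID 1122 without
# breaking line-of-business macros. Switch to 'Enabled' (event ID 1121 on
# block) once the audit log is clean.
$mode = 'AuditMode'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $mode
    Write-Host "ASR $mode : $($asrRules[$id])"
}

# Confirm the rule state Defender now holds (ids and actions are parallel arrays).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                          $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Macro policy per [1]: VBAWarnings 3 = disable all macros except digitally
# signed ones (use 4 to disable all without notification).
# blockcontentexecutionfrominternet = 1 blocks macros in files that carry the
# Mark-of-the-Web, which covers email attachments and downloads, the delivery
# path this advisory describes.
foreach ($app in 'Word', 'Excel') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}
```

The audit-mode events (ID 1122) are the signal to review before enforcing: each one names the Office process and the child or payload it would have blocked, which is also a useful detection source on its own.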


Additional information

  • The eSentire SOC has observed numerous cases of Emotet malware targeting customers in the past 72 hours. In these cases, the malware was delivered via email in an attached Microsoft Word document containing malicious VBA macros.
  • The IcedID Trojan has advanced features including browser redirection and web injection for the theft of user credentials. Its early complexity and functionality lead analysts to believe that the Trojan will see future updates. IcedID is capable of spreading to multiple endpoints through terminal servers, which suggests that large organizations, where widespread infection is possible, are its primary target.
  • For additional information and technical details, see the link below [4].


Additional Sources

[1] https://www.asd.gov.au/publications/protect/Microsoft_Office_Macro_Security.pdf

[2] https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

[3] https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard

[4] https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/


If you have any questions please reach out to the eSentire Security Operations Center.
