
Security advisories | Feb 26, 2019

IcedID Banking Trojan

A new banking Trojan with advanced capabilities has been identified in the wild. Initial reports state that IcedID is delivered using the botnet infrastructure of the popular Trojan, Emotet. The Trojan is distributed using convincingly crafted phishing emails that contain malicious Word documents.

This threat appears to be targeting the banking industry, mobile service providers, payroll portals, and e-commerce sites. Affected victims reside in Canada, the United States, and the U.K.

What we’re doing about it

  • Specific detection rules for IcedID and Emotet have been deployed to esNETWORK™ sensors.
  • The eSentire SOC is monitoring this threat and will continue to add malicious IPs to the eSentire global blacklist (Asset Manager Protect, via esNETWORK) as they’re detected.

What you should do about it

  • Ensure users are well informed about current threats through awareness programs and training.
  • Disable all macros. If this is not possible, only allow macros from controlled/trusted sources. [1]
  • If running Windows 10 version 1709 (or later), attack surface reduction rules can be implemented within Windows Defender Exploit Guard to further defend against this threat. [2] [3]
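The following is an added example, not part of the eSentire advisory, showing how the two host-side recommendations above can be applied on a Windows 10 1709+ endpoint from an elevated PowerShell session: the Office-related attack surface reduction rules are enabled (in audit mode first, so the Defender event log shows what would be blocked), and Word's macro policy is set to either disable all macros or allow only digitally signed ones. The ASR rule GUIDs are Microsoft's published identifiers and should be verified against the current Defender documentation; the Office 16.0 policy key is assumed to match the installed Office version.

```powershell
# Added example (not from the eSentire advisory). Requires an elevated session,
# Windows 10 1709+ and Windows Defender Antivirus as the active AV.
# ASR rule GUIDs are Microsoft's published identifiers; verify before rollout.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

# AuditMode records would-be blocks as Event ID 1122 (Windows Defender/Operational)
# without breaking line-of-business macros; switch to Enabled after reviewing them.
function Set-MacroDeliveryAsrRules {
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-10} {1}" -f $Mode, $AsrRules[$id])
    }
}

# Word macro policy (Office 16.0 = 2016/2019/365; assumed to match the install).
# VBAWarnings 4 = disable all macros without notification,
#             3 = disable all except digitally signed ("trusted sources" option).
# blockcontentexecutionfrominternet 1 = block macros in files marked as downloaded.
function Set-WordMacroPolicy {
    param([ValidateSet(3, 4)][int]$VbaWarnings = 4)
    $key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Verification: list the ASR rule ids and the action currently applied to each.
function Get-AsrRuleState {
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            Id     = $p.AttackSurfaceReductionRules_Ids[$i]
            Action = $p.AttackSurfaceReductionRules_Actions[$i]   # 0=Disabled 1=Block 2=Audit
        }
    }
}

Set-MacroDeliveryAsrRules -Mode AuditMode
Set-WordMacroPolicy -VbaWarnings 4
Get-AsrRuleState | Format-Table -AutoSize
```

For an enterprise rollout the same settings are normally delivered through Group Policy or Intune rather than per host; the registry values written here are the ones those policies set.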

Additional information

  • The eSentire SOC has observed numerous cases of Emotet malware targeting customers in the past 72 hours. In these cases, the malware was delivered via email in an attached Microsoft Word document containing malicious VBA macros.
  • The IcedID Trojan has advanced features including browser redirection and web injection for the theft of user credentials. The early complexity and functionality lead analysts to believe that the Trojan will see future updates. IcedID is capable of spreading to multiple endpoints through terminal servers. This suggests that large organizations, where a widespread infection is possible, are the primary target for IcedID.
  • For additional information and technical details, see the link below [4].

Additional Sources