Normally, IcedID spreads through spam email or dropped by other malware families. In our analysis, we found the family to be Emotet. In early 2017, Emotet was widely used to spread other banking Trojans such as Qkabot and Dridex.<\/p>\n
IcedID contains a network spreading module which is rarely observed in other banking Trojans. Looking at the API sequence in IcedID, it has adopted similar techniques which were successfully used by malware such as BadRabit, Petya\/Not-Petya.<\/p>\n
Analysis of sample <\/strong><\/p>\n On execution, the sample drops a copy of itself on to the folder %LOCAL_APPDATA% <\/strong>with a random name in a randomly named folder. The name of the dropped file and folder is the same and contains 9 characters. The name of the dropped file is generated using a security identifier (SID) of the current user. Below is the code that generates the SID for the current logged on user.<\/p>\n The name of the dropped file with a random name in a randomly named folder.<\/p>\n \u201c%LOCALAPPDATA%\\[a-z]{9}\\[a-z]{9}.exe\u201d<\/p>\n Example: –<\/p>\n \u201cC:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\homatluna<\/strong>\\homatluna.exe<\/strong>\u201d<\/p>\n It maintains its persistence by creating a registry entry in \u201cRun\u201d.<\/p>\n \u201cHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\homatluna<\/strong>\u201d<\/p>\n Next IcedID writes a RSA crypto-key to the system into the AppData folder. It then writes a certificate file in %TEMP% folder.<\/p>\n Example – \u201cC:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\0137194B.tmp<\/strong>\u201d<\/p>\n Network activity<\/strong><\/p>\n It creates two socket connections. One for local proxy and another to serve as a backdoor for CnC communication. In our analysis, the port with the local proxy bind is 49158<\/strong> and the backdoor is created on port number 49161<\/strong>.<\/p>\n It creates a local proxy. Using certificates of different banks and custom module, it implements its own SSL layer. Using this it performs MITM. IcedID can intercept all traffic and extract user credentials from it.<\/p>\n Once the malware enters the system, it sends the bot ID and basic system information to the CnC server through the POST request as seen in Fig 1 and Fig 2.<\/p>\n Following is the decoded post request details to be sent:<\/p>\n K – System Name<\/em><\/p>\n B – BOT ID<\/em><\/p>\n L – Work Group<\/em><\/p>\n M – OS Version<\/em><\/p>\n IcedID\u2019s communication with CnC takes place over an encrypted SSL whose certificate is decided by the malware itself from the certificate store. The temp file which is dropped by the malware is used to store the certificate. The below code is used for certificate enumeration.<\/p>\n Spreading in the network<\/strong><\/p>\n IcedID is different from other banking Trojans because it can spread within the network. It first finds the live system on the local network and copies itself on to the new system.<\/p>\n![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/11\/Fig1-650x90.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/11\/Fig2-571x390.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/11\/Fig3-650x141.jpg\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/11\/Fig4.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/11\/Fig5.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/11\/Fig6.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/11\/Fig7.png\")