Over a decade ago, it was easier to detect and avoid malware. It often arrived in garish emails riddled with spelling and grammar mistakes, or on websites that were obviously untrustworthy. These days, however, malware has grown so much more sophisticated that people often download it onto their devices without realising where they went wrong. This is especially true of banking Trojans, which have found new ways to spread and steal data.


IcedID, also known as BokBot, is a banking Trojan that has been observed being delivered via steganography: its payload is encrypted, encoded and embedded in the content of a valid PNG image, which makes it difficult to detect with traditional methods. Here’s what you need to know about the malware:


How IcedID Works

IcedID is a modular banking Trojan that targets users’ financial information. It can also drop other malware onto a device, which makes it incredibly dangerous. It steals information through a man-in-the-browser attack, capturing the login credentials used for online banking. Once this first phase of the attack is complete, it uses the stolen credentials to take control of bank accounts and automate fraudulent transactions.


Although IcedID is dangerous enough on its own, it is often dropped as a secondary payload by other malware, such as Emotet. The Trojan utilises various injection techniques to avoid detection by antivirus programs, such as injecting itself into operating-system memory. Its authors update it regularly to improve its persistence and keep ahead of new detection technology.


IcedID’s Method of Attack

Once IcedID completes its initial infection, it uses process hollowing to keep bypassing antivirus programs. It hooks a number of Application Programming Interface (API) functions, such as “ntdll!NtCreateUserProcess”. When it executes, it removes the hooking code and spawns a service host process, “svchost.exe”, allowing IcedID to embed itself via two Dynamic Link Libraries, “KERNEL32.DLL” and “SHLWAPI.DLL”. After creating “svchost.exe”, it writes its payload into the “%ProgramData%” or “%AppData%” folder, depending on the privileges of the victim’s account. It also creates a scheduled task so that its binary runs again when the system reboots, and it spawns three more “svchost.exe” child processes to hold its shellcode.
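As an added illustration (not part of the original article), the following Python snippet shows how a defender might express two of the behaviours described above as detection rules run over process-creation telemetry: svchost.exe started by a parent other than services.exe, and a boot-triggered scheduled task whose action lives under ProgramData or AppData. The events, paths and task names are constructed samples, and treating services.exe as the only expected parent of svchost.exe is a simplifying assumption for a default host.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": "svchost.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'schtasks /create /tn Updater /sc onstart '
                r'/tr "rundll32 C:\ProgramData\xyz\loader.dll,init"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /tn Backup /sc daily /tr "C:\Program Files\Backup\backup.exe"'},
]

# Assumption: on a default host, the Service Control Manager is the only expected parent of svchost.exe.
EXPECTED_SVCHOST_PARENTS = {r"c:\windows\system32\services.exe"}
# Staging folders named in the write-up (%ProgramData% / %AppData%), matched case-insensitively.
STAGING_DIRS = re.compile(r"\\(programdata|appdata)\\", re.IGNORECASE)
# Task triggers that fire at boot or logon, i.e. the persistence the write-up describes.
BOOT_TRIGGER = re.compile(r"/sc\s+(onstart|onlogon)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_index, rule_name) for every event matching an IcedID-style pattern."""
    alerts = []
    for i, ev in enumerate(events):
        image, parent, cmd = basename(ev["image"]), ev["parent_image"].lower(), ev["cmdline"]
        # Rule 1: svchost.exe launched by anything other than services.exe.
        if image == "svchost.exe" and parent not in EXPECTED_SVCHOST_PARENTS:
            alerts.append((i, "svchost_unexpected_parent"))
        # Rule 2: a boot/logon-triggered task whose action points into a user-writable staging dir.
        if (image == "schtasks.exe" and "/create" in cmd.lower()
                and BOOT_TRIGGER.search(cmd) and STAGING_DIRS.search(cmd)):
            alerts.append((i, "boot_task_in_staging_dir"))
    return alerts


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

Real deployments should add legitimate exceptions (for example, Windows Defender and installer-created tasks) and correlate with the payload write into the staging folder rather than alerting on either rule alone.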


Before launching its initial module, IcedID waits for the system to reboot. This ensures that its malicious processes start successfully while appearing legitimate after the restart. What makes IcedID more dangerous still is that it can spread across the network, tracking activity on infected systems, exfiltrating data and carrying out the attack.


The Continuing Development of IcedID

IcedID spreads primarily through malicious documents. In 2019 it was circulated via a Word document purporting to come from the United States Postal Service. It has since varied its delivery methods, but it continues to proliferate through malicious spam emails carrying an attachment.


Preventing cyber attacks has become more complex as such malware continues to advance, with its developers constantly refining it to evade antivirus and malware detection. It’s worth noting that its target victims, the financial and eCommerce sectors in North America, have remained consistent.


It is crucial to maintain airtight security on every device you use to avoid attacks like this, which compromise your information and risk draining your finances. By working with cyber intelligence specialists, you can avoid falling victim to this malware and keep your personal details safe.


FraudWatch International has been among the leading cyber intelligence companies protecting clients around the world since 2003. We are at the forefront of preventing businesses from being attacked through malware, phishing, and social media and mobile app impersonation. Contact us today to learn more about how we can protect you!