Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
New Variant of IcedID Banking Trojan Spreading Wildely
#1
https://news.softpedia.com/news/new-vari...3339.shtml        New Variant of IcedID Banking Trojan Spreading Wildely
While not exactly new, IcedID includes new Trojan features
Jun 28, 2021 07:43 GMT  ·  By George Dascalu  ·        A new form of the IcedID banking Trojan is spreading rapidly with detection peaking at 100 per day, according to Kaspersky Researchers.

As of March 2021, most users were attacked with the updated IcedID malware in the following geographical zones: Germany (8.58%), Italy (10.73%), India (11.59%), and the United States (10.73%).

The new form of the old banking Trojan is a modified downloader in English that contains the malware-infected files within ZIP archives. Cybersecurity researchers were able to detect the new spam campaigns spreading banking Trojans in mid-March of this year.

Modus operandi
IcedID consists of two parts: a downloader and a main body. The downloader sends user information to the server and makes the information available to the main body. After mapping itself into the memory, the latter maps start infiltrating the malware further into the system.

The Trojan can also launch other malicious actions, such as web injections that allow a threat actor to bypass two-factor authentication (2FA) or run a malicious DLL. Either method allows the downloading and executing of additional malicious modules that infiltrate deep into the system. Components such as the email collector, web inject module, password grabber, and hVNC (remote control module) are downloaded in order to perform web injections, traffic interception, system takeover and password theft.

What are the differences between QBot and IcedID?
Unlike previous IcedID versions, the new one uses the x86-64 CPU architecture instead of the x86 and removed the fake configuration from the server. The core was also slightly altered, as the authors decided not to swap shellcode for a regular PE file that contains some loader data at the beginning.

Some of the domains/IPs belonging to the sources of the cyberattacks are Karantino[.]xyz, uqtgo16datx03ejjz[.]xyz, 188.127.254[.]114, and Apoxiolazio55[.]space.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Coyote: A multi-stage banking Trojan abusing the Squirrel installer mrtrout 0 1,039 02-13-2024 , 03:37 AM
Last Post: mrtrout
  Ukraine Authorities Take Down Bot Farm Spreading Russian Misinformation mrtrout 0 1,292 07-20-2023 , 08:10 PM
Last Post: mrtrout
  Malware-as-a-service is spreading among teens mrtrout 0 767 06-30-2022 , 03:31 AM
Last Post: mrtrout
  Android malware BrazKing returns as a stealthier banking trojan mrtrout 0 758 11-19-2021 , 10:08 AM
Last Post: mrtrout
  Researchers Warn of Facefish Backdoor Spreading Linux Rootkits mrtrout 0 974 05-28-2021 , 10:58 PM
Last Post: mrtrout



Users browsing this thread: 1 Guest(s)