Threat of the Week: The IcedID Malware Trend


Each week we host a Threat of the Week webinar featuring a high-level look at interesting threats to help security teams navigate the attack landscape. This week we chose to feature "IcedID", a new trend in which similar malware families are used together to create a synergistic effect that better convinces victims that the websites they are visiting really are their financial institutions.

Email security vendors are getting better at detecting malware, which shrinks the pool of potential victims. In response, threat actors are doubling up their efforts and using similar tools in combination to better ensnare potential victims.

IcedID arrives in the victim's inbox as a Word document containing macros. If the document is opened and macros are enabled, IcedID is installed. IcedID doesn't stop there: it then installs Trickbot (also known as The Trick) to double the chances that users become unsuspecting victims. IcedID and Trickbot go to work when the victim opens a web browser and navigates to their bank. These two banking trojans make a connection to the bank but send the victim to a false website where credentials can be collected.
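Because the IcedID chain starts with a macro-enabled Word attachment, the first place a defender can break it is at the mail gateway. The following is an added triage example, not code from the webinar or from any vendor mentioned on this page. It assumes the attachment bytes have already been extracted from the message, and it decides on content rather than file extension: OOXML documents (.docm/.docx) are ZIP containers, and a VBA project lives in `word/vbaProject.bin`, while the legacy binary `.doc` format is an OLE compound file that needs a dedicated parser to inspect. The sample attachments are constructed inline.

```python
"""Triage mail attachments for macro-enabled Word documents (added example)."""
import io
import zipfile

# Signature of the legacy binary Office (OLE compound file) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by content, ignoring the file extension.

    Returns one of:
      'macro'      - OOXML Word document carrying a VBA project
      'clean'      - OOXML Word document without a VBA project
      'legacy-ole' - binary .doc container; macros cannot be ruled out here
      'not-office' - anything else
    """
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: VBA lives in an OLE storage, not a ZIP entry, so this
        # simple check cannot say "clean" with confidence. Hand it to a proper
        # OLE parser or quarantine it outright.
        return "legacy-ole"
    if data[:2] == b"PK":  # ZIP local-file header, i.e. an OOXML candidate
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "not-office"
        # A VBA project is stored as word/vbaProject.bin regardless of whether
        # the file was renamed from .docm to .doc or .docx on the way in.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "clean"
    return "not-office"


def should_quarantine(verdict: str) -> bool:
    """Gateway policy: hold anything that carries, or might carry, macros."""
    return verdict in ("macro", "legacy-ole")


def _build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML Word container for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder; a real vbaProject.bin is an OLE stream.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


# Constructed sample attachments (names are illustrative, not real IoCs).
SAMPLES = {
    "invoice.docm": _build_ooxml(with_macro=True),
    "invoice_renamed.doc": _build_ooxml(with_macro=True),  # .docm renamed to .doc
    "report.docx": _build_ooxml(with_macro=False),
    "old_invoice.doc": OLE_MAGIC + b"\x00" * 504,  # legacy binary container
    "notes.txt": b"plain text, nothing to see",
}


def triage(samples: dict) -> dict:
    """Return {filename: (verdict, quarantine?)} for a batch of attachments."""
    results = {}
    for name, data in samples.items():
        verdict = classify_attachment(data)
        results[name] = (verdict, should_quarantine(verdict))
    return results


if __name__ == "__main__":
    for name, (verdict, held) in triage(SAMPLES).items():
        print(f"{name:22} {verdict:11} quarantine={held}")
```

The renamed sample shows why the decision is content-based: Word sniffs the container format when opening a file, so a macro-enabled document renamed to `.doc` still prompts for macros. Legacy binary documents are held rather than cleared because a ZIP-entry check says nothing about them; a production gateway would pass those to an OLE-aware parser before releasing them.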

To the victim, the website not only looks the same, but the URL is the same, as is the bank's security certificate. Not knowing their credentials have been compromised, the unsuspecting victim may lose all of their funds to these trojans.

Another threat that caught our attention was the Chalbhai generic phishing kit. A lot of security vendors are letting this one slip through to customers, and we wanted to figure out why.

Here's how the phishing scam operates: emails are sent to unsuspecting users that encourage them to visit look-alike websites impersonating many common vendors, including Wells Fargo, Bank of America, OneDrive, and Outlook Web App.

The threat actors play on our fears and instincts to encourage the recipient to click these links and enter their credentials. Once the threat actors have the credentials, funds can be drained from bank accounts, or secondary attacks may follow, since the threat actors may now have direct access to the victim's infrastructure services.

Learn more about these threats and how to best combat them by listening to the full webinar here.