A financially-motivated attack group is getting better at using this banking trojan

Threat actors using a common banking trojan are improving the ways they get it on victims’ systems, according to new research from Juniper Networks’ threat research team.

In recent months the operators have been working to evade detection by using password protected attachments and keyword obfuscation in their trojanized documents, according to Juniper Threat Labs.

And in the last month, the hackers have gone a step further and begun using a malicious DLL file to run a second-stage attack that ultimately delivers IcedID, a banking trojan, says Juniper security researcher Paul Kimayong.

“This time, they also use a DLL for the second-stage downloader, which shows a new maturity level of this threat actor,” Kimayong says in a blog on the matter.

IcedID, which IBM X-Force researchers discovered in 2017, has been used in a variety of financially-motivated attacks targeting banks, payment card providers, payroll, and e-commerce sites.

The attackers have recently been using social engineering tactics to better trick their victims, Juniper Threat Labs found. In recent months, they have been using coronavirus themes in their emails, using keywords like COVID-19 in attachment names.

In one case, fake invoice emails purporting to come from the student tutoring company PrepNow were sent to its customers, laced with malicious .zip attachments. The sending email addresses, Juniper Threat Labs says, had previously been compromised.

PrepNow did not immediately return a request for comment.

If victims open the .zip file, they are presented with a manipulated Microsoft Word document requesting that they enable macros. If they do so, the new second-stage downloader, the malicious DLL, runs and downloads the final component of the attack, the IcedID malware itself.

The attackers also made efforts to conceal their operation, for instance by making the zip file password-protected.

“[T]he targeting is somewhat successful in the sense that it is capable of bypassing top-tier anti-spam solutions,” Mounir Hahad, the head of Juniper Threat Labs, told CyberScoop, adding that the attack still isn’t the most sophisticated in the market. “But for people who have some sort of awareness about phishing, the email body is too minimalist to not trigger suspicion.”

Even though the attackers appear to be maturing their operations, some of the tactics appeared sloppy, Kimayong added.

“An interesting characteristic of these messages is the word ‘attached’ [in the spearphishing email] is obfuscated in multiple ways. This may be an attempt for this phish to bypass spam filters or phishing detection systems that could be looking for such keywords,” Kimayong said. “However, this is useless because there is no need for any security solution to rely on the word ‘attached’ to figure out there is an attachment.”
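Kimayong's point is that a defender does not need the word "attached" at all: the structure of the message already gives it away. The following triage script is an added example, not code from Juniper or from the article; it builds a constructed lure in the style described above (minimalist body, obfuscated keyword, COVID-themed archive name, password-protected zip around an Office document) and flags it from MIME structure and zip header flags alone. The sender addresses, the word-count threshold and the file names are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MIN_BODY_WORDS = 12  # assumed threshold for a "minimalist" body


def make_sample_zip(inner_name: str, data: bytes, mark_encrypted: bool = True) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted zips, so we
    write a plain one and set general-purpose flag bit 0 (the 'encrypted' bit)
    in the local and central headers; only that flag matters for triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, data)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(sig) + off] |= 0x01
    return bytes(raw)


def build_sample_email(zip_bytes: bytes) -> bytes:
    """Constructed lure: short body with the keyword obfuscated, placeholder addresses."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see a.t.t.a.c.h.e.d invoice.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="invoice_COVID-19.zip")
    return msg.as_bytes()


def triage_message(raw: bytes) -> list:
    """Structural checks; note that no check looks for the word 'attached'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if len(text.split()) < MIN_BODY_WORDS:
        findings.append("minimal_body")
    for part in msg.iter_attachments():  # attachments are visible regardless of body wording
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x01:  # entry is password protected
                        findings.append("password_protected_zip")
                    if info.filename.lower().endswith((".doc", ".docm", ".dotm")):
                        findings.append("office_document_in_zip")
        except zipfile.BadZipFile:
            findings.append("malformed_zip")
    return findings
```

Any message carrying all three findings deserves quarantine or sandbox detonation regardless of what the body text says.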

The attack is not believed to be ongoing, Hahad said, “as the [command and control] sites are already down, nor serving the second stage malware.”