The IcedID banking trojan has entered Check Point Research’s Global Threat Index for March 2021 for the first time despite being first seen in 2017, affecting 11% of organisations globally.
Taking second place, IcedID spread rapidly in March through several spam campaigns, while the established Dridex trojan was the most prevalent malware during March, up from seventh in February.
One widespread campaign of IcedID used a COVID-19 theme to entice new victims into opening malicious email attachments; the majority of these attachments are Microsoft Word documents with a malicious macro used to insert an installer for IcedID.
Once installed, the trojan then attempts to steal account details, payment credentials, and other sensitive information from users’ PCs. IcedID also uses other malware to proliferate, and has been used as the initial infection stage in ransomware operations.
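The infection chain above starts with a Word attachment carrying a VBA macro. A mail gateway or triage script can catch that stage structurally, before any macro runs: an OOXML document stores its VBA project as the part `word/vbaProject.bin` and declares it in `[Content_Types].xml`, while a legacy binary `.doc` is an OLE2 compound file. The following Python is an added example written for this page, not code from Check Point or from the report; it builds constructed, macro-free and macro-bearing sample packages in memory (not real samples) and applies a quarantine policy that also flags a VBA project hidden behind a `.docx` extension. The function names and the policy are assumptions for illustration.

```python
import io
import zipfile

# Signature of a legacy OLE2 compound file (old binary .doc); OOXML packages start with "PK".
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content types that only appear in a macro-enabled Word package.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)

def inspect_word_attachment(data: bytes) -> dict:
    """Classify an attachment as OOXML / legacy OLE / other and flag embedded VBA.

    For OOXML the check is structural: the VBA project is the part
    word/vbaProject.bin and is declared in [Content_Types].xml. For legacy OLE
    files this is only a surface string check (a full parser would walk the
    compound-file directory for the Macros storage)."""
    report = {"format": "other", "has_vba": False, "macro_content_type": False}
    if data.startswith(OLE_MAGIC):
        report["format"] = "ole"
        report["has_vba"] = b"_VBA_PROJECT" in data or b"Macros" in data
        return report
    if not data.startswith(b"PK"):
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
    except zipfile.BadZipFile:
        return report
    report["format"] = "ooxml"
    report["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if "[Content_Types].xml" in names:
        ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        report["macro_content_type"] = any(t in ct for t in MACRO_CONTENT_TYPES)
    return report

def should_quarantine(data: bytes, filename: str) -> tuple:
    """Assumed policy: hold any Word attachment carrying VBA, and additionally
    flag a macro project shipped under the non-macro .docx extension."""
    report = inspect_word_attachment(data)
    reasons = []
    if report["has_vba"] or report["macro_content_type"]:
        reasons.append("vba-project-present")
        ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
        if report["format"] == "ooxml" and ext == "docx":
            reasons.append("macro-in-docx-extension-mismatch")
    return (bool(reasons), reasons)

def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration only (not a real sample).
    Only the parts the check looks at are present; the VBA stream is placeholder bytes."""
    overrides = ('<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides = ('<Override PartName="/word/document.xml" ContentType='
                     '"application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                     '<Override PartName="/word/vbaProject.bin" ContentType='
                     '"application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)  # placeholder stream
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in [("report.docx", build_sample_docx(False)),
                       ("invoice.docm", build_sample_docx(True)),
                       ("invoice.docx", build_sample_docx(True))]:
        print(name, should_quarantine(blob, name))
```

The structural check is deliberately independent of macro content, so it does not need signatures for a particular IcedID loader; it answers only whether a document can run VBA at all, which is the question a mail policy for an organisation that does not expect macro-bearing attachments from outside actually needs answered.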
“IcedID has been around for a few years now but has recently been used widely, showing that cyber-criminals are continuing to adapt their techniques to exploit organisations, using the pandemic as a guise,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.
“IcedID is a particularly evasive trojan that uses a range of techniques to steal financial data, so organisations must ensure they have robust security systems in place to prevent their networks being compromised and minimise risks. Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails that spread IcedID and other malware.”
The top 10 malware families:
- Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
- IcedID – IcedID is a banking Trojan spread by mail spam campaigns and uses evasive techniques like process injection and steganography to steal user financial data.
- Lokibot – Lokibot is an Info Stealer distributed mainly by phishing emails, and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.
- Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials for a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- Qbot – Qbot is a banking Trojan that first appeared in 2008, designed to steal users’ banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
- Trickbot – Trickbot is a modular Botnet and Banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customisable malware that can be distributed as part of multi-purpose campaigns.
- XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in the wild in May 2017.
- Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
- Ursnif – Ursnif is a Trojan that targets the Windows platform and steals information and credentials for banking and email accounts. Moreover, it downloads and executes files on the infected system.
- Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public Bitcoin lists, an integral browser stealer capability and a router exploiter.