IcedID Campaign Uses COVID-19 Phishing Emails; Employs New Tactics

Summary

A new version of the IcedID banking trojan has been spotted proliferating via COVID-19-themed and Family and Medical Leave Act (FMLA)-themed phishing emails. The emails contain an attachment comprised of malicious macros that, if enabled, begin executing the malware download in stages. To evade detection, the trojan is injected into msiexec.exe, a legitimate installer file used to install applications in Windows. During the second and third stages of infection, the main module of IcedID is downloaded as a PNG file, decrypted, and executes another binary embedded within the image – a change in tactic also known as steganography. The trojan then injects financial forms into the browser, targeting retailers and financial institutions such as Amazon, E-Trade, and Bank of America in order to collect banking credentials and payment card data.

Recommendations

The NJCCIC reminds users to avoid clicking on links, opening attachments, or enabling macros delivered in emails from unknown senders and exercise caution with emails from known senders. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. Technical details can be found in the Juniper Threat Research blog post.