
IcedID Banker is Back, Adding Steganography, COVID-19 Theme
2020-06-18 18:34

A new version of the IcedID banking trojan has debuted that notably embraces steganography - the practice of hiding code within images - in order to stealthily infect victims.

"Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as .DAT files," according to a Thursday posting.

The image, with the encrypted IcedID main module embedded in it, is saved to a directory.

If the victim opens a browser window, IcedID creates a local proxy that listens on 127.0.0.1:56654; hooks APIs on the browsers; and generates a self-signed certificate in the %TEMP% folder.
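As an added defender-side check, not taken from the Threatpost article or its analysis, the Python below scans `netstat -ano` output for a process listening on the loopback proxy port named above and for processes connected to it; the browser process names and the sample netstat rows are constructed assumptions, not real data.

```python
import re
from typing import Dict, List, Optional

# The loopback proxy port is the one reported in the article; everything else
# here (browser names, sample data) is an assumption constructed for the example.
ICEDID_PROXY_PORT = 56654
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# One row of Windows `netstat -ano` output; UDP rows carry no State column.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

def find_local_proxy(netstat_lines: List[str],
                     process_names: Optional[Dict[int, str]] = None,
                     port: int = ICEDID_PROXY_PORT) -> dict:
    """Flag a listener on 127.0.0.1:<port> and any process connected to it.
    The listener alone is the indicator; a browser among the clients corroborates
    the in-browser API hooking the article describes."""
    names = process_names or {}
    target = f"127.0.0.1:{port}"
    found = {"listeners": [], "clients": [], "browser_clients": []}
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m or m.group("proto") != "TCP":
            continue
        pid = int(m.group("pid"))
        if m.group("local") == target and m.group("state") == "LISTENING":
            found["listeners"].append(pid)
        elif m.group("remote") == target:
            found["clients"].append(pid)
            if names.get(pid, "").lower() in BROWSERS:
                found["browser_clients"].append(names[pid])
    found["suspicious"] = bool(found["listeners"])
    return found

# Constructed sample of `netstat -ano` output and a PID-to-name map (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:56654        0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:49812        127.0.0.1:56654        ESTABLISHED     6532
  TCP    127.0.0.1:56654        127.0.0.1:49812        ESTABLISHED     4120
  TCP    192.168.1.20:49900     203.0.113.10:443       ESTABLISHED     6532
  UDP    0.0.0.0:500            *:*                                    1188
""".splitlines()
SAMPLE_PROCS = {904: "svchost.exe", 4120: "unknown.exe", 6532: "chrome.exe"}
```

On a live host, feed it the lines of `netstat -ano` and a PID-to-name map built from `tasklist`; a hit on the listener should be followed by a look at the listening process and at the %TEMP% folder for a freshly written self-signed certificate.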

In all, the latest version of IcedID exhibits several layers of sophistication, according to the analysis, including the use of msiexec, full steganography, and the approach of using blended communication with normal traffic to hide.


News URL

https://threatpost.com/icedid-banker-adding-steganography-covid-19-theme/156718/