IcedID is a well-researched banking trojan. For this analysis, F5 researchers zeroed in on how its decompression method works.
- In this article, we provide the code with which to analyze the decompression method IcedID uses for its target list and webinject configuration file.
- Decompression is significant because once it occurs, the file is loaded into the malware's proxy module, which can then inject the relevant content into a target website.
- While IcedID remains an active threat to financial institutions, it is now also targeting social media, video streaming, search engines, and digital communications.
IcedID (also known as Bokbot) is a malicious banking trojan that was first spotted in late 2017 by the IBM X-Force research team [1]. It continues to be an active threat, constantly evolving and growing in sophistication. In 2018 it was observed collaborating with Trickbot, another active banking trojan, for distribution and development [2].
IcedID's core module and some of its processes have been analyzed in technical depth by two other security companies [3, 4]. F5 researchers wanted to expand on that work and characterize the actual decompression method IcedID uses to decompress dropped webinject configuration files. The sample analyzed here is not new, but the methods described remain useful as malware analysis techniques. The decompression method is significant because it lets us see the malware's target list and webinjects in plaintext.
According to previous research on IcedID, the malware creates several unique IDs to fingerprint the infected machine. The initial RC4 key used to decrypt the webinject files is generated from these IDs.
In a specific captured packet, this key can be seen being sent to the command and control (C&C) server in plaintext.
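The text above states that the webinject files are RC4-encrypted and that the key travels to the C&C server unencrypted, so an analyst who recovers the key from a capture can decrypt the dropped file before looking at its decompression. The following Python is an added example, not F5's code and not IcedID's: it implements RC4 from the standard specification and includes a small printable-ratio heuristic for judging whether a candidate key produced plausible output. The key, the JSON-like configuration text and the ciphertext are all constructed here for illustration; the page does not describe how IcedID derives its key from the machine IDs, and this example does not attempt to reproduce that.

```python
"""RC4 decryption of a captured blob with a key recovered from network traffic (added example)."""


def rc4_keystream(key: bytes):
    """Generator yielding the RC4 keystream for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S according to the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: emit one keystream byte per call.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace.

    Used as a cheap plausibility check when trying candidate keys: a wrong
    key yields uniformly random-looking bytes, a right one yields structured
    text (or a recognisable compressed-container header).
    """
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def decrypt_dropped_file(key: bytes, blob: bytes, threshold: float = 0.9) -> tuple[bytes, bool]:
    """Decrypt `blob` with `key` and report whether the result looks like text."""
    plaintext = rc4_crypt(key, blob)
    return plaintext, printable_ratio(plaintext) >= threshold


# Constructed sample data (not real IcedID artefacts): a hypothetical key as it
# might be read out of a captured packet, and a hypothetical configuration body.
SAMPLE_KEY = b"hypothetical-key-from-pcap"
SAMPLE_CONFIG = b'{"targets": ["bank.example.test"], "inject": "<script src=\\"inj.js\\"></script>"}'
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_CONFIG)  # what the dropped file would hold


if __name__ == "__main__":
    recovered, plausible = decrypt_dropped_file(SAMPLE_KEY, SAMPLE_BLOB)
    print("plausible text:", plausible)
    print(recovered.decode("ascii", errors="replace"))
    _, wrong_key_plausible = decrypt_dropped_file(b"wrong-key", SAMPLE_BLOB)
    print("wrong key plausible:", wrong_key_plausible)
```

The `rc4_crypt` routine is checked against the published RC4 test vector (key `Key`, plaintext `Plaintext`) so the implementation can be trusted before it is pointed at real captures; `printable_ratio` is only a heuristic and should be replaced by a format check once the decompression container in use is known.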