What’s Below the Surface of IcedID?

Banking Trojans are a dime a dozen, making it difficult to keep track of the myriad ways that an adversary can drop a payload. We recently wrote about Ramnit, a Trojan botnet, which has evolved over time. Similarly, another Trojan targeting the financial sector, IcedID, also known as BokBot, was discovered in 2017 by IBM X-Force researchers. In 2019, Malwarebytes researchers wrote, “the IcedID Trojan is now being delivered via steganography, as the data is encrypted and encoded with the content of a valid PNG image.” By April 2020, IBM X-Force researchers were hot on the heels of a new version “with substantial changes.” 

According to the Center for Internet Security, IcedID has the ability to act as a dropper for other malware. “It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions [and] is primarily dropped as a secondary payload from other malware.”

What seems to be consistent is the use of malicious documents to deliver the malware. In 2019, it was distributed through a malicious Word doc attachment coming from the United States Postal Service. Though the ruse changed, what remained the same was that the banking Trojan was spread through malspam emails that contained an attachment embedded with malicious macros.

The tactics, techniques and procedures have evolved, allowing IcedID to evade antivirus and malware detection, and there are many reliable reference sources available that detail how IcedID functions. Despite its shifting TTPs, the target victims (primarily the financial sector and ecommerce in North America) have remained fairly consistent. By late 2020, researchers at FireEye uncovered, “adversaries using IcedID more explicitly as a tool to enable access to impacted networks, and in many cases this was leading to the use of common post-exploitation frameworks and ultimately the deployment of ransomware.”

IcedID is being actively developed and continues to incorporate new features. “Along with the normal browser MitM capabilities expected of a banking Trojan, it has the ability to execute files, collect host and network information, as well as steal credentials and browser related data like cookies, saved passwords, and form autofill information,” said Prevailion’s Tim Stahl, Director of Threat Intelligence.

IcedID activity observed in a US technology company (Source: APEX).

Prevailion’s threat intelligence team has been tracking recent phishing campaigns delivering infected Word or Excel documents with embedded macros to kick off the infection chain. DocuSign themes continue to be leveraged by the actors behind this activity, as well as the use of less mainstream TLDs for the C2 domains, including: space, online, club, fun, uno, cyou, top, website, casa, and xyz.
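One way a defender can turn the TLD observation above into a quick triage check over DNS query logs is shown below. This is an added example, not Prevailion’s code or tooling; the log line format, client IPs and hostnames are constructed for illustration.

```python
# Added example (not from the original post): triage DNS query logs for
# lookups to the less common TLDs the post lists for IcedID C2 domains.
# The log format and all hostnames below are constructed for illustration.
import re
from collections import defaultdict

# TLDs named in the post as used for IcedID C2 infrastructure.
ICEDID_C2_TLDS = {"space", "online", "club", "fun", "uno", "cyou",
                  "top", "website", "casa", "xyz"}

# Constructed log line format: "<timestamp> <client-ip> query <fqdn>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def registered_domain(fqdn):
    """Return (registered_domain, tld) for an FQDN, or None if unparsable.
    Assumes a single-label public suffix, which holds for the TLDs above;
    multi-label suffixes such as co.uk would need a public suffix list."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:]), labels[-1]


def triage_dns_log(lines):
    """Map each client IP to the sorted, distinct domains it resolved on a
    suspect TLD. Malformed lines are skipped rather than aborting the run;
    case and trailing dots are normalised so variants collapse together."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, fqdn = m.groups()
        parsed = registered_domain(fqdn)
        if parsed and parsed[1] in ICEDID_C2_TLDS:
            hits[client].add(parsed[0])
    return {ip: sorted(domains) for ip, domains in hits.items()}


# Constructed sample log: two clients, one malformed line, one benign
# multi-label domain, and mixed-case / trailing-dot variants.
SAMPLE_LOG = [
    "2021-03-02T10:01:05Z 10.1.2.3 query update.example.com",
    "2021-03-02T10:01:09Z 10.1.2.3 query cdn-assets.example-stats.xyz.",
    "2021-03-02T10:02:11Z 10.1.2.3 query Mail.Example-Check.TOP",
    "2021-03-02T10:03:40Z 10.1.2.7 query docs.example-sign.online",
    "this line is not a query record",
    "2021-03-02T10:04:02Z 10.1.2.7 query www.example.co.uk",
]

if __name__ == "__main__":
    for ip, domains in triage_dns_log(SAMPLE_LOG).items():
        print(ip, domains)
```

A hit on these TLDs is only a prioritisation signal for analyst review, not proof of IcedID; pair it with the Office macro delivery indicators described above.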

As reported elsewhere, Prevailion has seen IcedID being used to deliver additional second stage malware, likely in an effort to fill the gap left in the crimeware ecosystem by the takedown of Emotet earlier this year. We are currently monitoring a number of recent compromises by this malware family across a variety of industry sectors.

The TTPs continue to evolve in order to evade detection, which is why organizations need to rely on more than indicators of compromise. Prevailion’s visibility into attacker C2 delivers the actionable intelligence you need to detect and respond to today’s evolving threats. 



Copyright 2021 Prevailion, Inc. All rights reserved.    
