Banking Trojans are a dime a dozen, making it difficult to keep track of the myriad ways that an adversary can drop a payload. We recently wrote about Ramnit, a Trojan botnet, which has evolved over time. Similarly, another Trojan targeting the financial sector, IcedID, also known as BokBot, was discovered in 2017 by IBM X-Force researchers. In 2019, Malwarebytes researchers wrote, “the IcedID Trojan is now being delivered via steganography, as the data is encrypted and encoded with the content of a valid PNG image.” By April 2020, IBM X-Force researchers were hot on the heels of a new version “with substantial changes.”
According to the Center for Internet Security, IcedID has the ability to act as a dropper for other malware. “It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions [and] is primarily dropped as a secondary payload from other malware.”
What seems to be consistent is the use of malicious documents to deliver the malware. In 2019, it was distributed through a malicious Word doc attachment purporting to come from the United States Postal Service. Though the ruse changed, what remained the same was that the banking Trojan was spread through malspam emails carrying an attachment embedded with malicious macros.
The tactics, techniques and procedures have evolved, allowing IcedID to evade antivirus and malware detection, and there are many reliable reference sources available that detail how IcedID functions. Despite its shifting TTPs, the target victims (primarily the financial sector and ecommerce in North America) have remained fairly consistent. By late 2020, researchers at FireEye uncovered “adversaries using IcedID more explicitly as a tool to enable access to impacted networks, and in many cases this was leading to the use of common post-exploitation frameworks and ultimately the deployment of ransomware.”
IcedID is being actively developed and continues to incorporate new features. “Along with the normal browser MitM capabilities expected of a banking Trojan, it has the ability to execute files, collect host and network information, as well as steal credentials and browser related data like cookies, saved passwords, and form autofill information,” said Prevailion’s Tim Stahl, Director of Threat Intelligence.
Prevailion’s threat intelligence team has been tracking recent phishing campaigns delivering infected Word or Excel documents with embedded macros to kick off the infection chain. DocuSign themes continue to be leveraged by the actors behind this activity, as well as the use of less mainstream TLDs for the C2 domains, including: space, online, club, fun, uno, cyou, top, website, casa, and xyz.
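As an added example (not code from Prevailion's post), the following is a small hunting filter that runs over constructed proxy log lines and flags hosts whose TLD is on the list above; the log format, hostnames and addresses are assumptions, and a hit is a triage signal for analyst review rather than an indicator of compromise on its own.

```python
import re
from urllib.parse import urlsplit

# TLDs the post lists as used for IcedID C2 domains.
WATCHED_TLDS = {"space", "online", "club", "fun", "uno", "cyou",
                "top", "website", "casa", "xyz"}

# Constructed sample proxy log (hypothetical format: timestamp src_ip method url).
SAMPLE_PROXY_LOG = """\
2021-03-01T10:00:01Z 10.0.0.15 GET https://www.example.com/index.html
2021-03-01T10:00:04Z 10.0.0.15 POST http://update-check.cyou/api
2021-03-01T10:00:09Z 10.0.0.22 GET https://desktop.example.com/
2021-03-01T10:00:12Z 10.0.0.22 GET http://Docs-Review.TOP./file
2021-03-01T10:00:15Z 10.0.0.31 GET http://203.0.113.9:8080/a
2021-03-01T10:00:18Z 10.0.0.31 GET https://cdn.some-host.xyz:443/x.js
"""

def registered_tld(host):
    """Return the lowercase last label of a hostname, or None for IPv4
    literals and empty hosts. A trailing dot (FQDN form) is stripped so
    'example.top.' still resolves to 'top'; 'desktop.example.com' does not
    match because only the final label is compared."""
    host = host.strip().rstrip(".").lower()
    if not host or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return None
    return host.rsplit(".", 1)[-1]

def hunt_watched_tlds(log_text):
    """Return (src_ip, host) pairs whose host TLD is on the watch list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the hunt
        src_ip, url = parts[1], parts[3]
        # urlsplit().hostname drops the scheme, port and path for us
        host = urlsplit(url).hostname or ""
        if registered_tld(host) in WATCHED_TLDS:
            hits.append((src_ip, host.rstrip(".").lower()))
    return hits
```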
As reported elsewhere, Prevailion has seen IcedID being used to deliver additional second stage malware, likely in an effort to fill the gap left in the crimeware ecosystem by the takedown of Emotet earlier this year. We are currently monitoring a number of recent compromises by this malware family across a variety of industry sectors.
The TTPs continue to evolve in order to evade detection, which is why organizations need to rely on more than indicators of compromise. Prevailion’s visibility into attacker C2 delivers the actionable intelligence you need to detect and respond to today’s evolving threats.