What’s Below the Surface of IcedID?

29 March 2021

Banking Trojans are a dime a dozen, making it difficult to keep track of the myriad ways that an adversary can drop a payload. We recently wrote about Ramnit, a Trojan botnet, which has evolved over time. Similarly, another Trojan targeting the financial sector, IcedID, also known as BokBot, was discovered in 2017 by IBM X-Force researchers. In 2019, Malwarebytes researchers wrote, “the IcedID Trojan is now being delivered via steganography, as the data is encrypted and encoded with the content of a valid PNG image.” By April 2020, IBM X-Force researchers were hot on the heels of a new version “with substantial changes.” 

According to the Center for Internet Security, IcedID has the ability to act as a dropper for other malware. “It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions [and] is primarily dropped as a secondary payload from other malware.”

What seems to be consistent is the use of malicious documents to deliver the malware. In 2019, it was distributed through a malicious Word document attachment purporting to come from the United States Postal Service. Though the ruse changed, what remained the same was that the banking Trojan was spread through malspam emails carrying an attachment embedded with malicious macros.

The tactics, techniques and procedures have evolved, allowing IcedID to evade antivirus and malware detection, and there are many reliable reference sources available that detail how IcedID functions. Despite its shifting TTPs, the target victims (primarily the financial sector and ecommerce in North America) have remained fairly consistent. By late 2020, researchers at FireEye uncovered, “adversaries using IcedID more explicitly as a tool to enable access to impacted networks, and in many cases this was leading to the use of common post-exploitation frameworks and ultimately the deployment of ransomware.”

IcedID is being actively developed and continues to incorporate new features. “Along with the normal browser MitM capabilities expected of a banking Trojan, it has the ability to execute files, collect host and network information, as well as steal credentials and browser related data like cookies, saved passwords, and form autofill information,” said Prevailion’s Tim Stahl, Director of Threat Intelligence.

IcedID activity observed in a US technology company (Source: APEX).

Prevailion’s threat intelligence team has been tracking recent phishing campaigns delivering infected Word or Excel documents with embedded macros to kick off the infection chain. DocuSign themes continue to be leveraged by the actors behind this activity, as does the use of less mainstream TLDs for the C2 domains, including .space, .online, .club, .fun, .uno, .cyou, .top, .website, .casa and .xyz.
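The TLD list above is the kind of weak-but-cheap signal a SOC can fold into egress triage. The following is an added example, not Prevailion’s code and not derived from APEX: it parses a constructed proxy-log format (the five-field layout is an assumption, not any vendor’s real format), extracts the destination host, and returns the records whose registrable TLD appears on the watchlist. The sample log lines and the hostnames in them are constructed placeholders, not observed IcedID infrastructure. A TLD match on its own is not grounds for blocking; it is a prioritisation hint to be combined with lure context (for example a DocuSign-themed attachment on the same host shortly before the request).

```python
import re
from typing import Dict, List, Optional

# TLDs the post reports on IcedID C2 domains. Using them as a triage
# signal rather than a block rule is this example's own design choice.
WATCHLIST_TLDS = frozenset({
    "space", "online", "club", "fun", "uno", "cyou",
    "top", "website", "casa", "xyz",
})

# Constructed log layout (assumption): <timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Scheme, then everything up to the first '/' or ':' (drops path and port).
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.IGNORECASE)

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def extract_host(url: str) -> Optional[str]:
    """Return the lower-cased host from a URL, or None if there is no scheme."""
    m = HOST_RE.match(url)
    return m.group("host").lower().rstrip(".") if m else None


def top_level_domain(host: str) -> Optional[str]:
    """Return the last label of a hostname; None for bare IPs or single labels."""
    if IPV4_RE.fullmatch(host) or "." not in host:
        return None
    return host.rsplit(".", 1)[1]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed-format log line into fields; None if malformed."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return records whose destination host uses a watch-listed TLD."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the sweep
        host = extract_host(rec["url"])
        if host is None:
            continue
        tld = top_level_domain(host)
        if tld in WATCHLIST_TLDS:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "host": host, "tld": tld})
    return hits


# Constructed sample lines; hostnames are placeholders, not real IoCs.
SAMPLE_LOG = [
    "2021-03-29T10:01:02Z 10.1.2.3 GET https://www.example.com/docs/ 200",
    "2021-03-29T10:01:05Z 10.1.2.3 POST https://not-a-real-c2.xyz/gate/ 200",
    "2021-03-29T10:01:09Z 10.1.2.7 GET http://203.0.113.5/update.bin 404",
    "2021-03-29T10:02:11Z 10.1.2.7 GET https://Also-Fake.SPACE:443/index.php 200",
    "2021-03-29T10:02:30Z 10.1.2.9 GET https://corp-intranet.example/home 200",
    "this line does not match the expected format",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} (.{hit['tld']})")
```

Run against the constructed sample, only the `.xyz` and `.space` requests come back; the bare IP and the `.example` host are passed over. Swapping `SAMPLE_LOG` for a real proxy export requires adjusting `LOG_LINE` to that vendor's field order.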

As reported elsewhere, Prevailion has seen IcedID being used to deliver additional second stage malware, likely in an effort to fill the gap left in the crimeware ecosystem by the takedown of Emotet earlier this year. We are currently monitoring a number of recent compromises by this malware family across a variety of industry sectors.

The TTPs continue to evolve in order to evade detection, which is why organizations need to rely on more than indicators of compromise. Prevailion’s visibility into attacker C2 delivers the actionable intelligence you need to detect and respond to today’s evolving threats. 


Copyright 2021 Prevailion, Inc. All rights reserved.    
