IcedID

IcedID, also known as BokBot, is a modular banking Trojan first seen in 2017. It steals financial information through man-in-the-browser attacks, web injection, proxy setup, and redirection to intercept and manipulate web traffic. This allows the malware to capture login credentials during online banking sessions and access and perform fraudulent transactions on the account.

Key Insights

Technical Evolution and Features

Initially designed to harvest banking credentials, IcedID has evolved to be a versatile threat that can be a loader for other malware, including ransomware. The infection chain starts with phishing emails with malicious attachments, password-protected ZIP files with embedded Office documents. Once opened, these documents execute scripts that download and run the IcedID payload.

The malware uses various evasion techniques, including process injection into legitimate system processes like msiexec.exe or svchost.exe, and steganography to hide itself. Once executed, IcedID establishes persistence, communicates with C2 servers over HTTPS, and can download additional payloads to further compromise the system.

Infection and Distribution

IcedID is distributed through phishing campaigns and as a secondary payload by other malware families, including Emotet. It has also been seen spreading through malspam campaigns and exploiting compromised websites’ contact forms to deliver malicious links. Once a system is infected, IcedID can spread through the network, using its modular architecture to adapt and deploy different malicious components.

Operational Impact

The deployment of IcedID is risky, including unauthorized access to sensitive financial data, financial losses due to fraudulent transactions, and the ability to infect other malware, including ransomware. Its ability to be a loader for other malware makes it a threat to both individuals and organizations.

Known Variants

Over time IcedID has developed several variants, including the “Lite” and “Forked” versions. The Lite version, seen in November 2022 was a follow-on payload in Emotet campaigns and has a streamlined loader with reduced functionality. The Forked version, seen in February 2023 has no traditional banking features like web injects and backconnect, indicating a shift towards payload delivery over financial data theft.

Mitigation Strategies

Employee Training: Educate staff to recognize phishing attempts and not to open unsolicited attachments or click on unknown links.
Email Security: Implement email filtering solutions to detect and block malicious attachments and links.
Endpoint Protection: Deploy advanced EDR tools to detect and respond to IcedID activity.
Regular Updates: Ensure all systems and software are up to date with the latest patches.

Targeted Industries or Sectors

IcedID does not seem to target specific industries. Its distribution methods suggest a wide ranging approach, impacting various sectors and individuals.

Associated Threat Actors

IcedID is used by various threat actors, including TA551 and TA578 to gain initial access to systems for further malicious activities. These actors are initial access brokers, deploying ransomware and other cybercrime operations.