IcedID, also known as BokBot, is a modular banking Trojan first seen in 2017. It steals financial information through man-in-the-browser attacks, web injection, proxy setup, and redirection, which let it intercept and manipulate web traffic. This allows the malware to capture login credentials during online banking sessions, access the victim's accounts, and perform fraudulent transactions on them.
Technical Evolution and Features
Initially designed to harvest banking credentials, IcedID has evolved into a versatile threat that can act as a loader for other malware, including ransomware. The infection chain starts with phishing emails carrying malicious attachments, typically password-protected ZIP files that contain Office documents. Once opened, these documents execute scripts that download and run the IcedID payload.
The malware uses various evasion techniques, including process injection into legitimate system processes such as msiexec.exe or svchost.exe, and steganography to hide its components. Once executed, IcedID establishes persistence, communicates with its C2 servers over HTTPS, and can download additional payloads to further compromise the system.
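As an added illustration (not code from the article or from any vendor product), the following hunt turns the two behaviours just described, injection into msiexec.exe or svchost.exe and C2 over HTTPS, into a check over Sysmon-style process-creation and network events. The event layout, the set of script hosts and Office parents, and the sample events are all assumptions constructed for the example.

```python
"""Heuristic hunt over process and network events for the IcedID behaviours
described above: a normally-benign msiexec.exe/svchost.exe spawned by a script
host or Office application, followed by outbound HTTPS from that process.
Event layout, parent lists and sample data are assumptions for this example."""
from dataclasses import dataclass

# Injection targets named in the article, plus parents a malicious Office
# document would typically launch first (assumed list, extend as needed).
INJECTION_TARGETS = {"msiexec.exe", "svchost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}


@dataclass
class Event:
    kind: str          # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str         # full path of the process image
    parent: str = ""   # full path of the parent image, for process events
    dport: int = 0     # destination port, for network events


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events):
    """Return (pid, reason) findings; pids flagged on spawn are tracked so that
    their later HTTPS connections are reported as probable C2 traffic."""
    findings, suspicious_pids = [], set()
    for ev in events:
        img, parent = _base(ev.image), _base(ev.parent)
        if ev.kind == "process" and img in INJECTION_TARGETS and parent in SCRIPT_HOSTS | OFFICE_APPS:
            suspicious_pids.add(ev.pid)
            findings.append((ev.pid, f"{img} spawned by {parent}"))
        elif ev.kind == "network" and ev.pid in suspicious_pids and ev.dport == 443:
            findings.append((ev.pid, f"{img} outbound HTTPS after suspicious spawn"))
    return findings


# Constructed sample telemetry: one suspicious chain and one benign installer.
SAMPLE = [
    Event("process", 4100, r"C:\Windows\System32\msiexec.exe", parent=r"C:\Windows\System32\wscript.exe"),
    Event("network", 4100, r"C:\Windows\System32\msiexec.exe", dport=443),
    Event("process", 4200, r"C:\Windows\System32\msiexec.exe", parent=r"C:\Windows\System32\services.exe"),
    Event("network", 4200, r"C:\Windows\System32\msiexec.exe", dport=443),
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE):
        print(pid, reason)
```

Only the chain started by wscript.exe is reported; the msiexec.exe launched by services.exe is treated as a normal installer even though it also talks HTTPS.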
Infection and Distribution
IcedID is distributed through phishing campaigns and as a secondary payload by other malware families, including Emotet. It has also been seen spreading through malspam campaigns and exploiting compromised websites’ contact forms to deliver malicious links. Once a system is infected, IcedID can spread through the network, using its modular architecture to adapt and deploy different malicious components.
Operational Impact
An IcedID infection carries several risks, including unauthorized access to sensitive financial data, financial losses from fraudulent transactions, and the delivery of additional malware, including ransomware. Its ability to act as a loader for other malware makes it a threat to both individuals and organizations.
Mitigation
Employee Training: Educate staff to recognize phishing attempts and not to open unsolicited attachments or click on unknown links.
Email Security: Implement email filtering solutions to detect and block malicious attachments and links.
Endpoint Protection: Deploy advanced EDR tools to detect and respond to IcedID activity.
Regular Updates: Ensure all systems and software are up to date with the latest patches.