| Name | IcedID |
| Additional Names | BokBot |
| Type of Malware | Banking Trojan, Dropper |
| Date of Initial Activity | 2017 |
| Motivation | Steal steal financial information, including login credentials for online banking sessions, and devider other malwares |
| Attack Vectors | Email spam campaigns and other malwares, like Emotet |
| Targeted System | Windows |
| Associated Groups | Shatak threat actors (aka TA551), TA542 |
Overview
IcedID is a banking Trojan which first emerged in September 2017. It spreads by mail spam campaigns and often uses other malwares like Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography, and steals user financial data via both redirection attacks (installs a local proxy to redirect users to fake-cloned sites) and web injection attacks.
Three new variants of the IcedID malware are being used by multiple threat actors with code that researchers say has shifted away from launching banking trojans to more of a focus on ransomware.
Targets
Financial institutions’ users: United States, Canada, United Kingdom, Germany, France, Italy, Spain, Brazil, India.
Tools/ Techniques Used
IcedID, a sophisticated banking trojan, employs evasive techniques like process injection and steganography while employing redirection attacks and web injection attacks to steal users’ financial data. Through a man-in-the-browser attack, it targets online banking sessions to pilfer login credentials and other sensitive information.
Once the initial attack is successful, IcedID utilizes the stolen data to gain control over banking accounts and carry out automated fraudulent transactions. It is often distributed as a secondary payload, commonly associated with Emotet, alongside its own malspam campaigns. IcedID employs various injection methods to evade antivirus and other detection mechanisms, including memory and process injection, and its authors regularly update the malware to enhance persistence and counter new detection efforts.
After the initial infection, IcedID bypasses antivirus measures and establishes persistence through process-hollowing. It patiently waits for the system to reboot, ensuring its malicious processes run and blend in with legitimate processes on the operating system.
Once a web browser like Firefox, Google Chrome, or Internet Explorer is opened, IcedID identifies the browser type and injects shellcode to carry out web-injection attacks. This enables the malware to monitor the victim’s online activity, manipulate the browser’s behavior, and silently gather relevant information.
By establishing a proxy, IcedID intercepts and redirects network traffic, utilizing malicious websites that mimic legitimate banking and financial institutions to deceive users.
Impact / Significant Attacks
Target users in over 100 countries. Here are some of the countries with the most attacks from icedID malware: United States, Canada, United Kingdom, Germany, France, Italy, Spain, Brazil and India.
