IcedID

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[1][2]

ID: S0483
Type: MALWARE
Platforms: Windows
Contributors: Jorge Orchilles; Matt Brenton; Zaw Min Htun, @Z3TAE
Version: 1.2
Created: 15 July 2020
Last Modified: 28 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

IcedID has used WMI to execute binaries.[2][3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

IcedID has modified legitimate .dll files to include malicious code.[4]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

IcedID has used SSL and TLS in communications with C2.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

IcedID has established persistence by creating a Registry run key.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

IcedID has used obfuscated VBA string expressions.[2]

Enterprise T1482 Domain Trust Discovery

IcedID used Nltest during initial discovery.[3][5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

IcedID has used HTTPS in communications with C2.[2][5][3]

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

IcedID has exfiltrated collected data via HTTPS.[3]

Enterprise T1106 Native API

IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.[2]

Enterprise T1069 Permission Groups Discovery

IcedID has the ability to identify Workgroup membership.[1]

Enterprise T1185 Browser Session Hijacking

IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self-signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.[1][2]

Enterprise T1189 Drive-by Compromise

IcedID has cloned legitimate websites/applications to distribute the malware.[4]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

IcedID has packed and encrypted its loader module.[2]

.003 Obfuscated Files or Information: Steganography

IcedID has embedded binaries within RC4 encrypted .png files.[2]

.009 Obfuscated Files or Information: Embedded Payloads

IcedID has embedded malicious functionality in a legitimate DLL file.[4]

.013 Obfuscated Files or Information: Encrypted/Encoded File

IcedID has utilized encrypted binaries and base64-encoded strings.[2]

Enterprise T1204 .002 User Execution: Malicious File

IcedID has been executed through Word and Excel files with malicious embedded macros and through ISO and LNK files that execute the malicious DLL.[2][5][3]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal MSI application.[2] IcedID has also used msiexec.exe to deploy the IcedID loader.[4]

.011 System Binary Proxy Execution: Rundll32

IcedID has used rundll32.exe to execute the IcedID loader.[4][5]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

IcedID used the following command to check the country/language of the active console: cmd.exe /c chcp >&2.[5]

Enterprise T1082 System Information Discovery

IcedID has the ability to identify the computer name and OS version on a compromised host.[1][5]

Enterprise T1016 System Network Configuration Discovery

IcedID used the ipconfig /all command and a batch script to gather network information.[5]

Enterprise T1135 Network Share Discovery

IcedID has used the net view /all command to show available shares.[5]

Enterprise T1497 Virtualization/Sandbox Evasion

IcedID has manipulated the Keitaro Traffic Direction System to filter out researcher and sandbox traffic.[4]

Enterprise T1087 .002 Account Discovery: Domain Account

IcedID can query LDAP and can use built-in net commands to identify additional users on the network to infect.[1][5]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

IcedID can identify AV products on an infected host using the following command: WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List.[3][5]
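The discovery commands attributed to IcedID above (Nltest for domain trusts, chcp for console language, ipconfig /all, net view /all, and the WMIC SecurityCenter2 query for AV products) are individually common on administrator workstations, so a detection that scores a burst of several distinct discovery techniques on one host within a short window is more useful than alerting on any single command. The following Python is an added example written for this page, not code from MITRE or from any of the cited reports; the process-creation log lines, the host names, and the "timestamp host parent command" record layout are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a made-up "timestamp host parent command"
# layout. Sample data for this example only; not taken from the page's references.
SAMPLE_EVENTS = [
    "2024-01-10T09:00:01Z ws01 rundll32.exe cmd.exe /c chcp >&2",
    "2024-01-10T09:00:03Z ws01 cmd.exe ipconfig /all",
    "2024-01-10T09:00:05Z ws01 cmd.exe net view /all",
    "2024-01-10T09:00:07Z ws01 cmd.exe nltest /domain_trusts",
    r"2024-01-10T09:00:09Z ws01 cmd.exe WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List",
    "2024-01-10T10:15:00Z ws02 explorer.exe ipconfig /all",          # one lone command: benign admin use
    r"2024-01-10T11:30:00Z ws02 explorer.exe notepad.exe C:\Users\a\notes.txt",
]

# Each regex is mapped to the ATT&CK technique ID used on this page for that command.
DISCOVERY_PATTERNS = {
    "T1614.001": re.compile(r"\bchcp\b", re.I),                       # console code page / language
    "T1016":     re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),    # network configuration
    "T1135":     re.compile(r"\bnet(1)?(\.exe)?\s+view\b", re.I),     # network shares
    "T1482":     re.compile(r"\bnltest(\.exe)?\b", re.I),             # domain trusts
    "T1518.001": re.compile(r"securitycenter2.*antivirusproduct", re.I),  # AV product query via WMI
}


def classify(cmdline):
    """Return the set of technique IDs whose pattern matches this command line."""
    return {tid for tid, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)}


def parse_event(line):
    """Parse one constructed log line into its four fields."""
    ts, host, parent, cmdline = line.split(" ", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "parent": parent,
        "cmdline": cmdline,
    }


def find_discovery_bursts(lines, window=timedelta(minutes=5), min_techniques=3):
    """Per host, look for a sliding time window that contains at least
    `min_techniques` distinct discovery techniques. Returns a dict mapping each
    flagged host to the sorted list of technique IDs seen in its first such window."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        techs = classify(ev["cmdline"])
        if techs:
            by_host[ev["host"]].append((ev["ts"], techs))

    flagged = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, techs in hits[i:]:
                if ts - start > window:
                    break
                seen |= techs
            if len(seen) >= min_techniques:
                flagged[host] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    # ws01 runs five distinct discovery techniques in eight seconds; ws02 runs one.
    print(find_discovery_bursts(SAMPLE_EVENTS))
```

The window length and the threshold of three distinct techniques are starting points to tune against your own baseline of administrator activity; the parent process field is kept in the parsed record because a rundll32.exe or msiexec.exe parent (both proxy-execution binaries named on this page) for a discovery command is a stronger signal than the command alone.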

Enterprise T1105 Ingress Tool Transfer

IcedID has the ability to download additional modules and a configuration file from C2.[1][2][5][6]

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

IcedID has used ZwQueueApcThread to inject itself into remote processes.[1]
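The Native API entry above lists the call sequence IcedID uses to inject into a remote process (ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, NtResumeThread), and this entry names ZwQueueApcThread as the APC injection primitive. From the defender's side, that sequence is a useful ordered pattern to match in an API trace, provided the calls target a different process than the caller, since the same calls against a process's own address space are routine. The following Python is an added example written for this page, not code from MITRE or from the cited reports; the trace record layout (caller PID, target PID, API name) and the PIDs are constructed, and the trace is assumed to come from whatever EDR or sandbox hooking you already have in place.

```python
from collections import defaultdict

# Constructed API-trace records as (caller_pid, target_pid, api_name), in the
# order observed. Made up for this example; not from the page's references.
SAMPLE_TRACE = [
    (4100, 4100, "NtAllocateVirtualMemory"),   # caller touching its own memory: ignored
    (4100, 5200, "ZwWriteVirtualMemory"),
    (4100, 5200, "ZwProtectVirtualMemory"),
    (4100, 5200, "ZwQueueApcThread"),
    (4100, 5200, "NtResumeThread"),
    (6000, 6000, "ZwWriteVirtualMemory"),      # self-write, not cross-process
    (7000, 7100, "ZwWriteVirtualMemory"),      # cross-process write with no follow-up calls
]

# The ordered chain described on this page for IcedID's remote-process injection.
INJECTION_CHAIN = [
    "ZwWriteVirtualMemory",
    "ZwProtectVirtualMemory",
    "ZwQueueApcThread",
    "NtResumeThread",
]


def normalize(api):
    """Nt* and Zw* are two exported names for the same system call stub, so a
    trace may show either spelling; fold both to the Nt* form before matching."""
    return "Nt" + api[2:] if api.startswith("Zw") else api


def find_apc_injection(trace, chain=INJECTION_CHAIN):
    """Return the list of (caller_pid, target_pid) pairs for which the caller
    issued every call in `chain`, in order, against a different process.
    Unrelated calls between chain steps do not reset progress."""
    chain = [normalize(a) for a in chain]
    progress = defaultdict(int)   # (caller, target) -> index of the next expected call
    hits = []
    for caller, target, api in trace:
        if caller == target:
            continue              # only cross-process activity is of interest here
        key = (caller, target)
        if normalize(api) == chain[progress[key]]:
            progress[key] += 1
            if progress[key] == len(chain):
                hits.append(key)
                progress[key] = 0  # allow a repeated chain against the same target to count again
    return hits


if __name__ == "__main__":
    # Only the 4100 -> 5200 pair completes the full chain.
    print(find_apc_injection(SAMPLE_TRACE))
```

The matcher deliberately tolerates unrelated calls between steps, because real traces interleave the chain with handle, query and allocation calls; the partial chain from PID 7000 is not reported on its own, but a production rule would typically still record cross-process writes as lower-severity context for the full-chain alert.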

.012 Process Injection: Process Hollowing

IcedID can inject a Cobalt Strike beacon into cmd.exe via process hollowing.[5]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

IcedID has been delivered via phishing e-mails with malicious attachments.[2][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

IcedID has created a scheduled task to establish persistence.[2][5][3]

Groups That Use This Software

ID Name References
G0127 TA551 [7][8][9][10]
G1038 TA578 [6]

Campaigns

ID Name Description
C0037 Water Curupira Pikabot Distribution

Water Curupira Pikabot Distribution included distribution of IcedID en route to ransomware deployment.[11]

References