1. Home
  2. Software
  3. IcedID

IcedID

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[1][2]

ID: S0483
Type: MALWARE
Platforms: Windows
Contributors: Jorge Orchilles; Matt Brenton; Zaw Min Htun, @Z3TAE
Version: 1.2
Created: 15 July 2020
Last Modified: 28 October 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

IcedID can query LDAP and can use built-in net commands to identify additional users on the network to infect.[1][3]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

IcedID has used HTTPS in communications with C2.[2][3][4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

IcedID has established persistence by creating a Registry run key.[1]
Enterprise T1185 Browser Session Hijacking

IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.[1][2]
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

IcedID has used obfuscated VBA string expressions.[2]
Enterprise T1482 Domain Trust Discovery

IcedID used Nltest during initial discovery.[4][3]
Enterprise T1189 Drive-by Compromise

IcedID has cloned legitimate websites/applications to distribute the malware.[5]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

IcedID has used SSL and TLS in communications with C2.[1][2]
Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

IcedID has exfiltrated collected data via HTTPS.[4]
Enterprise T1105 Ingress Tool Transfer

IcedID has the ability to download additional modules and a configuration file from C2.[1][2][3][6]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

IcedID has modified legitimate .dll files to include malicious code.[5]
Enterprise T1106 Native API

IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.[2]
Enterprise T1135 Network Share Discovery

IcedID has used the net view /all command to show available shares.[3]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

IcedID has packed and encrypted its loader module.[2]
.003 Obfuscated Files or Information: Steganography

IcedID has embedded binaries within RC4 encrypted .png files.[2]
.009 Obfuscated Files or Information: Embedded Payloads

IcedID has embedded malicious functionality in a legitimate DLL file.[5]
.013 Obfuscated Files or Information: Encrypted/Encoded File

IcedID has utilzed encrypted binaries and base64 encoded strings.[2]
Enterprise T1069 Permission Groups Discovery

IcedID has the ability to identify Workgroup membership.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

IcedID has been delivered via phishing e-mails with malicious attachments.[2][4]
Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

IcedID has used ZwQueueApcThread to inject itself into remote processes.[1]
.012 Process Injection: Process Hollowing

IcedID can inject a Cobalt Strike beacon into cmd.exe via process hallowing.[3]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

IcedID has created a scheduled task to establish persistence.[2][3][4]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

IcedID can identify AV products on an infected host using the following command:WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List.[4][3]
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application. [2] IcedID has also used msiexec.exe to deploy the IcedID loader.[5]
.011 System Binary Proxy Execution: Rundll32

IcedID has used rundll32.exe to execute the IcedID loader.[5][3]
Enterprise T1082 System Information Discovery

IcedID has the ability to identify the computer name and OS version on a compromised host.[1][3]
Enterprise T1614 .001 System Location Discovery: System Language Discovery

IcedID used the following command to check the country/language of the active console: cmd.exe /c chcp >&2.[3]
Enterprise T1016 System Network Configuration Discovery

IcedID used the ipconfig /all command and a batch script to gather network information.[3]
Enterprise T1204 .002 User Execution: Malicious File

IcedID has been executed through Word and Excel files with malicious embedded macros and through ISO and LNK files that execute the malicious DLL.[2][3][4]
Enterprise T1497 Virtualization/Sandbox Evasion

IcedID has manipulated Keitaro Traffic Direction System to filter researcher and sandbox traffic.[5]
Enterprise T1047 Windows Management Instrumentation

IcedID has used WMI to execute binaries.[2][4]

Groups That Use This Software

ID Name References
G0127 TA551

[7][8][9][10]
G1038 TA578

[6]

Campaigns

ID Name Description
C0037 Water Curupira Pikabot Distribution

Water Curupira Pikabot Distribution included distribution of IcedID en route to ransomware deployment.[11]

References

  1. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  2. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  3. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
  4. DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.
  5. Kenefick , I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
  6. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  1. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  2. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  3. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  4. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
  5. Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.