IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[1][2]

ID: S0483
Platforms: Windows
Version: 1.1
Created: 15 July 2020
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

IcedID can query LDAP to identify additional users on the network to infect.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

IcedID has used HTTPS in communications with C2.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

IcedID has established persistence by creating a Registry run key.[1]

Enterprise T1185 Browser Session Hijacking

IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.[1][2]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

IcedID has used obfuscated VBA string expressions.[2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

IcedID has used SSL and TLS in communications with C2.[1][2]

Enterprise T1105 Ingress Tool Transfer

IcedID has the ability to download additional modules and a configuration file from C2.[1][2]

Enterprise T1106 Native API

IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.[2]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

IcedID has packed and encrypted its loader module.[2]

.003 Obfuscated Files or Information: Steganography

IcedID has embedded binaries within RC4 encrypted .png files.[2]

.013 Obfuscated Files or Information: Encrypted/Encoded File

IcedID has utilzed encrypted binaries and base64 encoded strings.[2]

Enterprise T1069 Permission Groups Discovery

IcedID has the ability to identify Workgroup membership.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

IcedID has been delivered via phishing e-mails with malicious attachments.[2]

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

IcedID has used ZwQueueApcThread to inject itself into remote processes.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

IcedID has created a scheduled task that executes every hour to establish persistence.[2]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application. [2]

Enterprise T1082 System Information Discovery

IcedID has the ability to identify the computer name and OS version on a compromised host.[1]

Enterprise T1204 .002 User Execution: Malicious File

IcedID has been executed through Word documents with malicious embedded macros.[2]

Enterprise T1047 Windows Management Instrumentation

IcedID has used WMI to execute binaries.[2]

Groups That Use This Software

ID Name References
G0127 TA551