IcedID Malware

What Is IcedID Malware?

IcedID (AKA BokBot) is a relatively new strain of malware first discovered in 2017 that is classified as a banking trojan and remote access trojan (RAT). It is considered to have capabilities comparable to other sophisticated banking trojans such as Zeus, Gozi, and Dridex. IcedID is a second-stage malware reliant on other first-stage malware, such as Emotet, to gain initial access and deploy it. In addition to stealing victims' financial information, IcedID often serves as a dropper for other second-stage malware, including ransomware, and has advanced capabilities to move laterally through a network.

IcedID is primarily used by the Shatak threat actors (aka TA551) for their malware as a service (MaaS) criminal enterprise. IcedID infections are often installed by the notorious Emotet first-stage malware or by one of the largest malspam botnets in the world, the Cutwail malspam botnet. Although not listed in CISA's top ten malware strains for 2021, IcedID is considered an advanced threat frequently updated with novel and advanced evasive techniques.

Shatak threat actors commonly use phishing emails to spread IcedID via macro-laden Microsoft Office document attachments, .iso files, or encrypted .zip archives. Post-infection, IcedID's initial payload enumerates the target host system to determine the most effective infection path. The initial payload seeks a stealthy injection point to install itself with persistence and then waits for a system to reboot before initiating its main module. By waiting for a system reboot, IcedID ensures a higher degree of stealth, appearing as a legitimate process every time the system reboots.

IcedID uses a combination of second-stage techniques, including:

  • Uses a "living off the land" (LOTL) approach to gather information about the target system using native Windows tools
  • Leverages the Windows Management Instrumentation (WMI) utility to detect antivirus and other security software installed on the target system and adjusts its strategy to increase its probability of success
  • Abuses the WMI feature in Windows to interact with local or remote systems for discovery and lateral movement via the Active Directory (AD) domain file shares
  • Uses multiple injection methods to hijack legitimate applications to evade detection
  • Establishes persistence through several methods, including scheduled tasks and Ru
  • Hooks several Application Programming Interface (API) Functions to inject itself into existing system Dynamic Link Libraries (DLL)
  • Imports other malware strains, including ransomware and hacking tools such as Cobalt Strike
  • Imports packaged, highly obfuscated DLL files that can be executed instead of native Windows DLL files in a technique known as "DLL hijacking"
  • Stores its configuration files and payloads as encrypted blobs and uses other file types, such as PNG or ICO, to hide payloads
  • Injects commands into the Windows Installer (msiexec.exe) process to mask its command execution as a typical MSI application
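The behaviours listed above (native-tool discovery, WMI queries for security products, scheduled-task persistence, and command execution hidden behind msiexec.exe) leave a recognisable trail in process-creation telemetry. The following is an added example, not code from the original page or from BlackBerry: a small rule set run over constructed process-creation records, where the event fields, host names, rule names and file paths are illustrative assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record; field names are constructed for this example."""
    host: str
    parent: str    # parent image name, e.g. "winword.exe"
    image: str     # created image name
    cmdline: str

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe"}
LOTL_TOOLS = SHELLS | {"wmic.exe", "schtasks.exe", "msiexec.exe"}

def _norm(e: ProcEvent) -> ProcEvent:
    """Lower-case image names and command line so rules are case-insensitive."""
    return ProcEvent(e.host, e.parent.lower(), e.image.lower(), e.cmdline.lower())

# Each rule maps a name to a predicate over a normalised event.
RULES = {
    # A macro-laden Office document handing off to a native tool ("living off the land").
    "office-spawns-lotl-tool": lambda e: e.parent in OFFICE_APPS and e.image in LOTL_TOOLS,
    # WMI used to enumerate installed security products (root\SecurityCenter2, AntiVirusProduct).
    "wmi-security-product-discovery": lambda e: e.image == "wmic.exe"
        and re.search(r"securitycenter2|antivirusproduct", e.cmdline),
    # Scheduled-task persistence whose action points into a user-writable location.
    "schtasks-persistence-user-path": lambda e: e.image == "schtasks.exe" and "/create" in e.cmdline
        and re.search(r"\\(appdata|programdata|users\\public)\\", e.cmdline),
    # msiexec.exe acting as a launcher for shells or script hosts instead of installing an .msi.
    "msiexec-spawns-shell": lambda e: e.parent == "msiexec.exe" and e.image in SHELLS,
}

def detect(events):
    """Return (rule, host, image) triples for every event that matches a rule."""
    hits = []
    for raw in events:
        e = _norm(raw)
        hits.extend((name, e.host, e.image) for name, pred in RULES.items() if pred(e))
    return hits

# Constructed sample telemetry: a benign document open followed by the suspicious chain.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "WINWORD.EXE", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" invoice.docm'),
    ProcEvent("ws01", "WINWORD.EXE", "rundll32.exe", "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,PluginInit"),
    ProcEvent("ws01", "rundll32.exe", "wmic.exe", "/namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"),
    ProcEvent("ws01", "rundll32.exe", "schtasks.exe", '/create /sc minute /mo 60 /tn "Upd" /tr C:\\Users\\u\\AppData\\Roaming\\x.exe'),
    ProcEvent("ws01", "msiexec.exe", "cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
```

The rules flag the chain as four separate hits, while an ordinary `msiexec.exe /i setup.msi` install produces none; in production the same predicates would run against Sysmon or EDR process-creation events rather than the constructed list.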

IcedID's stealer capabilities use a highly effective "man-in-the-browser" web injection attack to infect major browser applications, allowing an attacker to see the victim's online activity, steal login information directly, or redirect victims' page load requests to malicious websites that masquerade as popular legitimate online banking and financial web applications. This effectively tricks IcedID's victims into providing online banking login credentials, later used to perform fraudulent transactions.

Signs of an IcedID Attack

As with most malware, an attack is best spotted with a keen awareness of common social engineering tactics, particularly phishing and malspam techniques. Although YARA rules, malware signatures, and network traffic analysis may help with post-infection detection of known versions of IcedID, its developers frequently update the malware with new and improved methods of maintaining persistence and evasion, making it difficult to reliably detect an IcedID infection without advanced endpoint protection products.

How to Prevent an IcedID Attack

IcedID is a quickly evolving strain of malware, and its developers are constantly seeking novel attack techniques to improve IcedID's stealth and evasion capabilities. A holistic enterprise-level cybersecurity program provides the best assurances against such a threat. An organization can reduce its chances of becoming an IcedID victim by taking the proper precautions.

Here are the most effective ways to defend against an IcedID attack:

  • Install and configure endpoint security products that will scan encrypted documents immediately after they are unencrypted
  • Implement Zero Trust solutions wherever possible, giving priority to critical systems
  • Conduct regular vulnerability scanning and penetration testing of all network infrastructure and remediate any discovered vulnerabilities as soon as possible
  • Enforce multi-factor authentication for all critical services, especially online banking and cryptocurrency accounts
  • Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
  • Ensure Office applications are configured with the "Disable all macros without notification" or "Disable all except digitally signed macros" setting
  • Ensure that only authorized, digitally signed software is installed on all endpoints and regularly scan for and block any unauthorized software from executing
  • Use a content proxy to monitor internet usage and restrict user access to suspicious or risky sites
  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents

Blackberry® Cylance®, which offers a predictive advantage over zero-day threats, is also effective against malware like IcedID. Blackberry Cylance trains artificial intelligence (AI) agents for threat detection using millions of both safe and unsafe files.

Blackberry Cylance prevents IcedID and its variants from executing based on the detection of several malicious file attributes, not a specific file signature. This approach allows our customers to implement a prevention-first security posture effective against unknown, emerging, and polymorphic threats as well as traditional threats.