IcedID

IcedID is a banking Trojan type malware which allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver another viruses or download additional modules.

Type
Trojan
Origin
Unknown
First seen
1 September, 2017
Last seen
28 May, 2020
Also known as
BokBot
Global rank
36
Week rank
27
Month rank
34
IOCs
374

What is IcedID?

IcedID is a banking Trojan type malware that allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver other viruses or download additional modules.

Researchers identified IcedID for the first time in Autumn 2017 when the first victims suffered from attacks by this malware. Upon further investigation, researchers revealed that IcedID is a modular virus that carries very advanced functions. In addition, it was initially reported that IcedID does not seem to feature any borrowed or stolen code from other Trojans which is atypical for more developed malware samples like the one we are dealing with today.

General description of IcedID

It is thought that IcedID is being operated by a group of threat actors with connections to Eastern European cyber-bands. In addition, criminals behind IcedID are known to collaborate with creators or distributors of Emotet and TrickBot.

IcedID attacks are targeted mostly at banks in North America and a few select banking organizations in the United Kingdom. This malware targets mostly corporate bank accounts, payment card providers, mobile services providers, payroll, webmail and e-commerce sites. We were not able to find any information about attacks directed at private users at this point.

However, this very well might change at some point in the future as evidence suggests that the criminals behind IcedID are preparing new and, possibly, bigger campaigns. As a matter of fact, network propagation functionality was added to this malware, giving it the ability to move across various endpoints.

Speaking of additions, IcedID is being actively maintained and upgraded by its authors. For example, the second version of the virus significantly reworked the code and made the IcedID modular, giving it the ability to fetch plugins on-demand after the execution of the base file. This made the virus much harder to detect and defend against. While it is generally believed that this virus relies 100% on code created from scratch, some researchers suggest that the malware does, in fact, reuse code from version 2.0 of Pony malware. Apparently, the borrowed function is in charge of stealing data from email accounts although Pony code may have been used for other applications within the virus.

Unfortunately, constant upgrades are most likely one of the leading factors that contributed to the rising popularity of this Trojan. This is bad news especially considering that this Trojan is already using extremely advanced techniques like complex web-injects.

Once the execution process is complete, IcedID creates a local proxy to intercept and control all web traffic of the infected user.

When the malware detects that a victim is navigating to the bank's website, IcedID can redirect the user to a replica of the webpage located on the server that is controlled by the attackers. Threat actors carefully reconstruct the webpage and make the experience as seamless as possible for the victim by maintaining an active connection with the real website all the time. This allows IcedID to use the correct URL in the address bar and even display a legit SSL certificate.

Of course, from this point on every action of the user is being recorded and social engineering is used to retrieve as many credentials and administrative information as possible.

IcedID malware analysis

A video recorded in the ANY.RUN interactive malware hunting service shows the execution process of IcedID. Users can utilize this information to take a deep dive into how this malware functions under the hood.

icedid execution process graph Figure 1: Shows the graph of processes generated by the ANY.RUN malware hunting service.

text report of the IcedID analysis Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and nicely structured information. This function is perfect for making presentations.

IcedID execution process

IcedID authors constantly make changes to the malware, so its execution process can dramatically vary from one version to another.

Our example was distributed in the form of a malicious Microsoft Office document with macro. Maldocs macro dropped an obfuscated command-line file and started its execution. Wscript.exe was started through the command-line execution process to download the payload which was, in turn, executed by cmd.exe. After the payload started its execution, it injected into svchost.exe process which, then, activated malicious activities such as stealing of personal data, establishing connection with the C2 server, creating scheduled tasks and more.

Distribution of IcedID malware

IcedID uses a typical delivery method for banking Trojans — attackers distribute it in malicious Microsoft Office documents that prompt the users to enable macros and, once it is done, activate the download of the executable to the victim's machine.

The unique aspect of IcedID distribution campaigns lies in the meticulous approach to email crafting that threat actors employ. While most malware types that use email campaigns as the mains distribution channel tend to target the broadest audience they can, IcedID authors choose to work with much narrower focus groups and craft every email with greater detail than the usual standard in the industry.

While any email with a malicious attachment is designed to lower your guard and make you download and open the file, usually attackers pick very general topics with little to no personalization.

IcedID authors use spear-phishing techniques, meaning that they learn details about their victims and use them to increase the effectiveness of their emails. If a latter carrying IcedID is directed at a car dealer from Arizona, it is likely to contain information about a car dealership in Arizona, references to local companies or even colleagues of the victim.

The creation of such targeted campaigns requires hackers to devote time to investigative work in preparation for each bunch of emails, but it is guaranteed to make messages look less like a scam and more like legit business communication.

It should be noted that in some cases IcedID may infect the system in tandem with other malware samples. It can download and can be downloaded by malware such as Emotet or TrickBot Trojans.

How to detect IcedID?

This malware creates files that allow analysts to detect it with a high degree of certainty. To detect IcedID, Open the "Files" tab in the lower part of the task's window and take a look at the created files. If you see folders with names such as "lchej" and "ydmfipkzqfsb" within C:\Users\admin\AppData\Local\ directory and files with names "pczapabclgpba", "mtkdonmlmxelaa", "ozwzefgpkzmzba", and "zcnejolyretaa", as shown on the figure below, be sure that it is IcedID in front of you.

how to detect icedid Figure 3: File created by IcedID malware

Summary

IcedID trojan is one of the examples of the new generation of malware. Although it was built from the ground up by its creators, it uses a lot of unique code and has functions not much inferior to those found in the most advanced older viruses such as Trickbot.

However, what makes IcedID potentially even more dangerous is the evolved mentality of its authors, who use spear-phishing to increase the effectiveness of their distribution campaigns.

Before, we could secure ourselves from a lot of threats by raising awareness about the dangers of suspicious emails and infected documents. With IcedID we need to rely more on technological lines of defense since some email templates that authors have used and will use again are indistinguishable from real professional communication.

Here, at ANY.RUN it is our job to provide cybersecurity researchers with all the necessary tools to study and neutralize threats like IcedID and we hope that you will find these tools extremely useful in your line of work!

IOCs

IP addresses
45.153.242.26
89.163.253.225
185.246.116.239
89.105.198.107
134.122.98.82
91.132.139.206
185.147.14.238
167.172.49.82
37.72.175.199
67.43.224.156
128.199.57.93
139.59.90.194
64.225.74.231
185.236.203.190
64.225.65.70
209.97.173.196
37.120.140.244
167.99.11.50
157.230.118.244
165.227.1.75
Hashes
0ee3edd3da50618dac2b07c1ccca08f9431e693fbbe14d27511127534c5d0b9a
83ee9ad6358cc6fa18169cbf25b379789d6e9e02290779fee912b57fc1cf1a77
d1866595a7b8c6290174c7c27f414bb8ce44250dbb632bd25554e7f7b46ead8b
dc09b4b3ac9f391cf338bbc89440a3f5a199bfc3a7d3b3b84d26ffcbef82e744
ba8f651e18dc3d43543d6f26b7b2c82831bf9a09b476ce4b018fd2fdcd24423f
e5712c746eac27cb58c2f59c097001fdea817555666bc35c1ed5ab0a08d058bc
3a93e64582687322d3fb024f00bef2597e1ae6b063253d151add0699558f2820
adb411fdd3bcaf4dfa813c10a6cc4836332e57fa8ef21af6df1d2bb5517df819
bc64bab43170f3c661446834d38a02e8bf17fe3ddf7bacc7e1281fe71136094c
956b8a2983984ce065fc6d1a4eda031c974c3569c99a5b03c4d5ee4ae367b940
4519186b8fb2eaa847255087b44f918928c20e97c2fbeaeafe70c5ea4678f980
bab32f942f49f174fedb3bfbb439bb2ec8abc558d303e7e12b4dd49622813551
7d11a323dede4ffda3f80c766f89696fc8b825d2691e0d2e7482906688cb03b9
ed4fe06b27cf2f178cf59d21d9a81460cba702164080ad9d481b99a426e2b677
Domains
elx01.knas.systems
majul.com
isns.net
krupskaya.com
m-onetrading-jp.com
thuocnam.tk
smtp.siqanalytical.com
feminization.xyz
bividilli.xyz
groggypirogy.top
fredoferodo.top
lokolojazz.club
turtlesfun.fun
jagerteam.top
kingthekong.top
gizasector.xyz
fekilopol.xyz
covercow.xyz
molonlabewords.xyz
karantino.xyz

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More