1. Home
  2. Software
  3. IcedID

IcedID

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[1][2]

ID: S0483
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 15 July 2020
Last Modified: 14 August 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

IcedID can query LDAP to identify additional users on the network to infect.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

IcedID has used HTTPS in communications with C2.[2]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

IcedID has established persistence by creating a Registry run key.[1]
Enterprise T1185 Browser Session Hijacking

IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.[1][2]
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

IcedID has used obfuscated VBA string expressions.[2]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

IcedID has used SSL and TLS in communications with C2.[1][2]
Enterprise T1105 Ingress Tool Transfer

IcedID has the ability to download additional modules and a configuration file from C2.[1][2]
Enterprise T1106 Native API

IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.[2]
Enterprise T1027 Obfuscated Files or Information

IcedID has utilzed encrypted binaries and base64 encoded strings.[2]
.002 Software Packing

IcedID has packed and encrypted its loader module.[2]
.003 Steganography

IcedID has embedded binaries within RC4 encrypted .png files.[2]
Enterprise T1069 Permission Groups Discovery

IcedID has the ability to identify Workgroup membership.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

IcedID has been delivered via phishing e-mails with malicious attachments.[2]
Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

IcedID has used ZwQueueApcThread to inject itself into remote processes.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

IcedID has created a scheduled task that executes every hour to establish persistence.[2]
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application. [2]
Enterprise T1082 System Information Discovery

IcedID has the ability to identify the computer name and OS version on a compromised host.[1]
Enterprise T1204 .002 User Execution: Malicious File

IcedID has been executed through Word documents with malicious embedded macros.[2]
Enterprise T1047 Windows Management Instrumentation

IcedID has used WMI to execute binaries.[2]

Groups That Use This Software

ID Name References
G0127 TA551

[3][4][5][6]

References

  1. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  2. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  3. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  1. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  2. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  3. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.