IcedID Banking Trojan Malware Threat Intel Advisory

Published 10 May 2021


  • IcedID operators target and abuse website contact forms of multiple enterprises
  • IcedID is leveraged as a dropper for other malware and in the infection stage of ransomware operations

Share this Threat Intel:

Advisory Type
Malware Intelligence
Malware Name
IcedID
Malware Aliases
BokBot
Malware Type
Banking Trojan
Target OS
Windows

Executive Summary

First noticed in 2017, IcedID is a banking trojan that steals financial information. IcedID has also been leveraged as a dropper for other malware and in the infection stage of ransomware operations. 

This malware follows multiple delivery methods, out of which phishing emails with macro embedded attachments are the most prevalent. In a recent campaign involving IcedID, attackers abused website contact forms of multiple enterprises, used emails laced with malicious links, which when clicked downloaded a malicious .zip file. These emails, usually, tend to create a sense of urgency, provoking immediate action. 

For instance, the sender pretends to be a photographer threatening legal action against the company for using his photos on their site, without permission. The sender then shares a malicious link which purports to be evidence that proves the incident. On clicking the link, however, the recipient is navigated to a Google page that downloads the malicious .zip file. 

Technical Analysis

The phishing emails that IcedID campaigns use contain a malicious link, that when clicked on loads a Google page. This page then requires the unsuspecting victim to sign in with their google credentials. Upon signing in a malicious zip file is automatically downloaded on the victim’s machine. If at all the first link fails, they are redirected to a .top domain which then leads to a Google User Content page that downloads the malicious zip file.

Stages of execution:

  • The zip file contains a malicious JavaScript that is executed via WScript
  • A Shell object is created after executing the previous JS file
  • The Shell object launches PowerShell to download the IcedID payload in .dat format
  • The IcedID payload is well encrypted to escape detection

Impact

Technical Impact
  • IcedID is a banking trojan that steals the victim’s banking credentials and other financial information in the infected system and sends the information gathered to the attacker’s C2.
  • IcedID also acts as a loader for other types of payloads like ransomware, furthering other forms of attacks.
Business Impact
  • The banking trojan affects the privacy of its victims and abuses their financial information. 
  • Infecting the system with ransomware will have an adverse impact on the business and its reputation.

Mitigation

  • Raise awareness about phishing emails and malicious links.
  • Use Multi-Factor Authentication for all accounts.
  • Users are advised to patch their systems and always be up to date.
  • Use the latest AV software.

 

Tactics, Techniques, and Procedures

Tactics
Techniques
Reconnaissance  
T1594 Search victim-owned websites
Initial Access
T1566.001 Spear phishing attachment
T1566.002 Spear phishing link
T1078.002 Domain accounts
Execution
T1059 Command and scripting interpreter
T1059.001 PowerShell
T1053.005 Scheduled Task
T1204.001 Malicious link
T1047 Windows management Instrumentation
Persistence
T1053.005 Scheduled Task
Privilege Escalation
T1055 Process injection
T1053.005 Scheduled Task
Defense Evasion
T1055 Process injection
T1218.011 Rundll32
T1553.002 Code signing
Credential Access
T1555.003 Credentials from web browsers
Discovery
T1482 Domain trust discovery
T1018 Remote system discovery
T1518.001 Security software discovery
T1082 System information discovery
T1016 System network configuration discovery
Lateral Movement
T1021.001 Remote Desktop Protocol 
T1021.002 SMB/Windows admin shares
Collection
T1185 Man in the browser
Command and Control
T1071 Application Layer Protocol
Exfiltration
T1048.002 Exfiltration over asymmetric encrypted non-C2 protocol
Impact
T1486 Data encrypted for impact

 

Indicators of Compromise

URL
https://tajushariya.com/ds/3003.gif
https://partsapp.com.br/ds/3003.gif
https://metaflip.io/ds/3003.gif
https://columbia.aula-web.net/ds/3003.gif
https://agenbolatermurah.com/ds/3003.gif
Hostname
columbia.aula-web.net
Domain
agenbolatermurah.com
metaflip.io
partsapp.com.br
tajushariya.com
File Hash – SHA1
191eda0c539d284b29efe556abb05cd75a9077a0
e2d681cb701cc399f2df1df7ac393440069c0916
816fd4a3c19d91727c835254c083e7a4e946ad54
dd58c4d4d12797ccc50488bb511288e50d405e66
7a0ff1d3469babd88dcab8db4c1f802a4228d4ab
922afdba3c7d52a99a7fba0d249297720b4dc811
30b666cf091d4fd4bc9ce76a0b11daf07f271d5f
b7029ba38004200f1b21a4d12337710a67dbea80
94f7de7ced668fbe9776cfef701b84e375b1c293
fc8b23d3d05c5cc5cab78bae3a84ec8dd9c0eeed
492c512e14cf59a5dfa8d8e5adfd93858e95100d
8617364d8958be0bd0e9cdae7320f5c9aae65208

Be informed in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.

Join the Discussions

Discuss your way into our Community about these threats and stay Vigilant and informed.