IcedID Botnet Detection: Malvertising Attacks Abusing Google Pay-Per-Click (PPC) Ads

In late December 2022, cybersecurity researchers observed a new burst of malicious activity distributing the noteworthy IcedID botnet. In this ongoing adversary campaign, threat actors abuse Google pay-per-click (PPC) ads to spread the novel variant of malware tracked as TrojanSpy.Win64.ICEDID.SMYXCLGZ.

Detecting IcedID Botnet Infections Through Malvertising

In view that the IcedID botnet is constantly evolving, adding new tricks to its malicious toolset, security professionals require a reliable source of detection content to proactively identify potential attacks. To ensure that cyber defenders are well armed against the evolving threat, SOC Prime’s Detection as Code Platform aggregates a set of Sigma rules by our keen Threat Bounty developers Kaan Yeniyol, Emir Erdogan, and Nattatorn Chuensangarun covering the latest campaigns by IcedID botnet operators. 

All the detection content is compatible with 25+ SIEM, EDR, BDP, and XDR solutions and is mapped to MITRE ATT&CK® framework v12 addressing the Defense Evasion and Execution tactics and the corresponding System Binary Proxy Execution (T1218) and Command and Scripting Interpreter (T1059) techniques.

Join our Threat Bounty Program to monetize your exclusive detection content while coding your future CV and honing detection engineering skills. Published to the world’s largest threat detection marketplace and explored by 8,000 organizations globally, your Sigma rules can help detect emerging threats and make the world a safer place while granting recurring financial profits.

To date, SOC Prime Platform aggregates a variety of Sigma rules detecting tools and attack techniques associated with the IcedID malware. Hit the Explore Detections button to check the latest detection algorithms accompanied by the corresponding ATT&CK references, threat intelligence links, and other relevant metadata.

Explore Detections

IcedID Botnet Distribution: Malvertising Attack Analysis

IceID botnet has been in the limelight in the cyber threat arena since 2017, posing a significant risk to organizations due to the constant evolution and sophistication of its variants. IcedID is capable of delivering other payloads, including Cobalt Strike and other malicious strains.

Used earlier as a banking Trojan also known as BankBot or BokBot and designed to steal financial data and banking credentials, the malware evolved to a more advanced payload leveraging email hijacking to compromise Microsoft Exchange servers in April 2022. The same month, IcedID malware was also leveraged in the cyber attacks targeting Ukrainian state bodies according to the corresponding CERT-UA alert. 

In the latest adversary campaigns spreading the IceID botnet, Trend Micro cybersecurity researchers have uncovered striking changes in the malware distribution methods. Threat actors apply the malvertising technique, which involves hijacking the selected search engine keywords to show malicious ads used as lures to trick compromised users into downloading the malware. In the ongoing malvertising attacks, adversaries take advantage of the popular Google pay-per-click (PPC) ads that enable businesses to display the advertised product or service to a broad target audience browsing via a Google search engine. IceID distributors spread malware leveraging cloned webpages of legitimate companies or widely-used applications to lure Google PPC Ads users. 

Notably, on December 21, 2022, the Federal Bureau of Investigation (FBI) issued a public announcement warning cyber defenders about the growing volumes of malvertising campaigns, in which attackers impersonate brands via search engine ads to steal login credentials and other financial data.

According to Trend Micro research, IceID distributors hijack the search engine keywords applied by a wide range of popular brands and applications to show malicious ads, including Adobe, Discord, Fortinet, Slack, Teamviewer, and more. The infection chain starts with the distribution of a loader, then followed by fetching a bot core, and finally, the delivery of a malicious payload. In the latest IcedID distribution campaign, the loader is dropped using an MSI file, which is uncommon for other attacks spreading the IcedID botnet. 

As potential mitigation measures that can be taken to minimize the risks of malvertising attacks, cyber defenders recommend applying ad blockers, leveraging domain protection services, and increasing cybersecurity awareness of the risks related to spoofed website use. 

To thwart ever-increasing malvertising attacks, cyber defenders should adopt the proactive cybersecurity approach to timely identify the malware presence in the organization’s environment. Gain instant access to unique Sigma rules for malvertising attack detection and explore relevant cyber threat context, such as ATT&CK and CTI references, executable binaries, mitigations, and more actionable metadata for streamlined threat research.