Skip to content

S0483 IcedID

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.12

Item Value
ID S0483
Associated Names
Version 1.0
Created 15 July 2020
Last Modified 14 August 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account IcedID can query LDAP to identify additional users on the network to infect.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols IcedID has used HTTPS in communications with C2.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder IcedID has established persistence by creating a Registry run key.1
enterprise T1185 Browser Session Hijacking IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic IcedID has used obfuscated VBA string expressions.2
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography IcedID has used SSL and TLS in communications with C2.12
enterprise T1105 Ingress Tool Transfer IcedID has the ability to download additional modules and a configuration file from C2.12
enterprise T1106 Native API IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.2
enterprise T1027 Obfuscated Files or Information IcedID has utilzed encrypted binaries and base64 encoded strings.2
enterprise T1027.002 Software Packing IcedID has packed and encrypted its loader module.2
enterprise T1027.003 Steganography IcedID has embedded binaries within RC4 encrypted .png files.2
enterprise T1069 Permission Groups Discovery IcedID has the ability to identify Workgroup membership.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment IcedID has been delivered via phishing e-mails with malicious attachments.2
enterprise T1055 Process Injection -
enterprise T1055.004 Asynchronous Procedure Call IcedID has used ZwQueueApcThread to inject itself into remote processes.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task IcedID has created a scheduled task that executes every hour to establish persistence.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application. 2
enterprise T1082 System Information Discovery IcedID has the ability to identify the computer name and OS version on a compromised host.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File IcedID has been executed through Word documents with malicious embedded macros.2
enterprise T1047 Windows Management Instrumentation IcedID has used WMI to execute binaries.2

Groups That Use This Software

ID Name References
G0127 TA551 3456