S0483 IcedID
IcedID is modular banking malware, observed in the wild since at least 2017, that is designed to steal financial information. IcedID has been downloaded by Emotet in multiple campaigns.[1][2]
| Item | Value |
|---|---|
| ID | S0483 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 15 July 2020 |
| Last Modified | 22 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | IcedID can query LDAP and use built-in `net` commands to identify additional users on the network to infect.[1][4] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | IcedID has used HTTPS in communications with C2.[2][4][5] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | IcedID has established persistence by creating a Registry run key.[1] |
| enterprise | T1185 | Browser Session Hijacking | IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self-signed TLS certificate for the spoofed site while simultaneously maintaining a live connection with the legitimate site, so that the browser displays the correct URL and certificate.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | IcedID has used obfuscated VBA string expressions.[2] |
| enterprise | T1482 | Domain Trust Discovery | IcedID has used Nltest during initial discovery.[4][5] |
| enterprise | T1189 | Drive-by Compromise | IcedID has cloned legitimate websites/applications to distribute the malware.[3] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | IcedID has used SSL and TLS in communications with C2.[1][2] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | IcedID has exfiltrated collected data via HTTPS.[5] |
| enterprise | T1105 | Ingress Tool Transfer | IcedID has the ability to download additional modules and a configuration file from C2.[1][2][4][6] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | IcedID has modified legitimate .dll files to include malicious code.[3] |
| enterprise | T1106 | Native API | IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.[2] |
| enterprise | T1135 | Network Share Discovery | IcedID has used the `net view /all` command to list available shares.[4] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | IcedID has packed and encrypted its loader module.[2] |
| enterprise | T1027.003 | Steganography | IcedID has embedded binaries within RC4-encrypted .png files.[2] |
| enterprise | T1027.009 | Embedded Payloads | IcedID has embedded malicious functionality in a legitimate DLL file.[3] |
| enterprise | T1027.013 | Encrypted/Encoded File | IcedID has utilized encrypted binaries and base64-encoded strings.[2] |
| enterprise | T1069 | Permission Groups Discovery | IcedID has the ability to identify Workgroup membership.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | IcedID has been delivered via phishing e-mails with malicious attachments.[2][5] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.004 | Asynchronous Procedure Call | IcedID has used ZwQueueApcThread to inject itself into remote processes.[1] |
| enterprise | T1055.012 | Process Hollowing | IcedID can inject a Cobalt Strike beacon into cmd.exe via process hollowing.[4] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | IcedID has created a scheduled task to establish persistence.[2][4][5] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | IcedID can identify AV products on an infected host using the following command: `WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List`[4][5] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing to be a normal MSI application.[2] IcedID has also used msiexec.exe to deploy the IcedID loader.[3] |
| enterprise | T1218.011 | Rundll32 | IcedID has used rundll32.exe to execute the IcedID loader.[3][4] |
| enterprise | T1082 | System Information Discovery | IcedID has the ability to identify the computer name and OS version on a compromised host.[1][4] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | IcedID has used the following command to read the active console code page, which reveals the system's country/language setting: `cmd.exe /c chcp >&2`[4] |
| enterprise | T1016 | System Network Configuration Discovery | IcedID has used the `ipconfig /all` command and a batch script to gather network information.[4] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | IcedID has been executed through Word and Excel files with malicious embedded macros and through ISO and LNK files that execute the malicious DLL.[2][4][5] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | IcedID has used the Keitaro Traffic Direction System (TDS) to filter out researcher and sandbox traffic.[3] |
| enterprise | T1047 | Windows Management Instrumentation | IcedID has used WMI to execute binaries.[2][5] |
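The discovery rows above (T1614.001 `chcp`, T1518.001 WMIC AntiVirusProduct, T1135 `net view /all`, T1016 `ipconfig /all`, T1482 Nltest, T1087.002 `net` domain queries) describe a short burst of built-in commands that an administrator would rarely run together within minutes, and the T1218.007/T1218.011 rows name the msiexec.exe and rundll32.exe parents the loader runs under. The detection below is an added example written for this page, not IcedID code or a MITRE artifact: it slides a time window over per-host process-creation events, counts how many distinct discovery steps fall inside it, and flags the host when the count crosses a threshold, weighting the finding when a step was spawned from one of the documented parents. The event records and their field names (`ts`, `host`, `parent`, `cmdline`) are a constructed, Sysmon-like subset; the 10-minute window and threshold of three steps are tuning assumptions.

```python
"""Flag hosts where the IcedID-style discovery command chain runs within a short window.

Added example (not IcedID code or a MITRE artifact). Event records are a constructed,
Sysmon-like subset with assumed field names: ts, host, parent, cmdline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per discovery step documented on this page, keyed by ATT&CK technique.
DISCOVERY_PATTERNS = {
    "T1614.001 chcp":       re.compile(r"\bchcp\b", re.I),
    "T1518.001 wmic_av":    re.compile(r"\bwmic\b.*securitycenter2.*antivirusproduct", re.I),
    "T1135 net_view_all":   re.compile(r"\bnet1?\s+view\s+/all\b", re.I),
    "T1016 ipconfig_all":   re.compile(r"\bipconfig\s+/all\b", re.I),
    "T1482 nltest":         re.compile(r"\bnltest\b", re.I),
    "T1087.002 net_domain": re.compile(r"\bnet1?\s+(?:user|group)\b.*?/domain\b", re.I),
}

# Parents this page documents for IcedID execution (T1218.011 rundll32, T1218.007 msiexec).
SUSPICIOUS_PARENTS = {"rundll32.exe", "msiexec.exe"}


def _basename(path):
    """Last path component, lower-cased; accepts either separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_hosts(events, window=timedelta(minutes=10), threshold=3):
    """Return {host: finding} for hosts that ran >= threshold distinct discovery steps
    within `window`. A lone command (an admin typing ipconfig) never trips it."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        for i, first in enumerate(evs):           # slide the window start over each event
            start = datetime.fromisoformat(first["ts"])
            steps, parents = {}, set()
            for e in evs[i:]:
                if datetime.fromisoformat(e["ts"]) - start > window:
                    break
                for name, pat in DISCOVERY_PATTERNS.items():
                    if name not in steps and pat.search(e["cmdline"]):
                        steps[name] = e["cmdline"]  # first command line seen for each step
                        parents.add(_basename(e["parent"]))
            if len(steps) >= threshold:
                findings[host] = {
                    "window_start": first["ts"],
                    "steps": steps,
                    "from_suspicious_parent": bool(parents & SUSPICIOUS_PARENTS),
                }
                break                              # one finding per host is enough
    return findings


# Constructed sample telemetry (not real logs). WS01 reproduces the chain from this page
# under rundll32.exe; WS02 is an administrator running two commands hours apart.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"cmd.exe /c chcp >&2"},
    {"ts": "2024-05-01T10:00:09", "host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List"},
    {"ts": "2024-05-01T10:00:14", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net view /all"},
    {"ts": "2024-05-01T10:00:20", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"ipconfig /all"},
    {"ts": "2024-05-01T10:01:02", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"nltest /domain_trusts /all_trusts"},
    {"ts": "2024-05-01T09:00:00", "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"ipconfig /all"},
    {"ts": "2024-05-01T15:30:00", "host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net view /all"},
]

if __name__ == "__main__":
    for host, f in score_hosts(SAMPLE_EVENTS).items():
        print(host, f["window_start"], sorted(f["steps"]), f["from_suspicious_parent"])
```

Run against Sysmon Event ID 1 or Windows 4688 records (with command-line auditing enabled) after mapping the fields; the sliding window matters because the steps arrive seconds apart in the DFIR cases cited here, so a per-event rule would only ever see one of them. The threshold keeps routine single commands below the alert line, and the parent check is a second signal rather than a requirement, because later steps in the chain run from a cmd.exe child rather than directly from the loader.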
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0127 | TA551 | [8][9][10][11] |
| G1038 | TA578 | [6] |
References
1. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
2. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
3. Kenefick, I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
4. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
5. DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.
6. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
7. Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.
8. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
9. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
10. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
11. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.