ICEDID, also known as BokBot, is a modular banking malware designed to steal financial information. It is first discovered around 2017 and observed in the wild being downloaded as a second stage payload from EMOTET campaigns. It is capable of propagation over the network, monitor activities from the infected system and exfiltration of data. It conducts a man-in-the-browser attack such as web-injection, proxy setup and redirection. It continuously evolves to increase persistence and detection evasion.
In recent malspam campaigns, a cybercriminal threat group called Shathak or TA551 distributed the malware. The malspam has a password protected ZIP attachment that appears to contain a request document. Extracted from the ZIP file is a Word document containing malicious macros. It uses social engineering attempt to trick the user to enable the macros. It will download the ICEDID loader as a DLL file with a different extension such as .tmp or .pdf. It connects to the C&C server to download a PNG file that contains encrypted data of the ICEDID malware. The loader will decrypt the data and inject the malware in an instance of svchost.exe.
Behaviour
- Has anti-debugging and anti-VM checks
- Hides encrypted payload in PNG files (steganography)
- Modification of code injection tactics
- Stealth and fileless operation
Capabilities
- Information Theft
- Propagation
Impact
- Financial loss - steals banking information
- Violation of user privacy - gathers user credentials on various applications
- Regional Impact (October 1, 2020 - November 17, 2020)
REGION EUROPE JAPAN AMERICAS APAC N-ASIA AMEA CUSTOMER CASE COUNT 10 131 2 - - - REGION EMEA JAPAN NABU LAR APAC SPN VSAPI FEEDBACK 507 413 608 4 141
Additional Threat Reference Information
- Threat Encyclopedia: Trojan.W97M.ICEDID.FAID
- Security News: IcedID Banking Trojan Targets US Financial Institutions
Sample Spam
Sample Attachment
Infection Chain
MITRE ATT&CK Matrix
| BEHAVIOR | TACTIC | TECHNIQUE |
|---|---|---|
| Mail arrives with a password protected ZIP file | Initial Access | T1566.001 Phishing: Spearphishing Attachment |
| User is lured to extract the Word document and enable macro | Execution Defense Evasion | T1204.002 User Execution: Malicious File T1059.005 Command and Scripting Interpreter: Visual Basic T1027 Obfuscated Files or Information |
| Executes an embedded JS script from a dropped HTML file via dropped copy of mshta.exe | Execution | T1218.005 Signed Binary Proxy Execution: Mshta |
| Downloaded malicious DLL file is executed via regsvr32.exe | Defense Evasion | T1218.010 Signed Binary Proxy Execution: Regsvr32 |
| Connects to C&C | Command and Control | T1071.001 Application Layer Protocol: Web Protocols |
| Downloads PNG files with encoded data to be used to create the ICEDID payload | Defense Evasion Execution | T1027.002 Obfuscated Files or Information: Software Packing T1027.003 Obfuscated Files or Information: Steganography T1055.001 Process Injection: Dynamic-link Library Injection T1106 Native API |
| Adds scheduled task | Persistence | T1053.005 Scheduled Task/Job: Scheduled Task |
| Steal financial information and data stored in a web browser | Discovery Collection | T1040 Network Sniffing T1069 Permission Groups Discovery T1082 System Information Discovery T1087.002 Account Discovery: Domain Account T1185 Man in the Browser T1560 Archive Collected Data |
| Send stolen information to C&C | Exfiltration | T1041 Exfiltration Over C2 Channel |
| Able to download additional components or payload | Command and Control | T1105 Ingress Tool Transfer |
Available Solutions
| Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules |
|---|---|---|---|---|
| Email Protection | Yes | AS Pattern 5796 | November 17, 2020 | - |
| URL Protection | Yes | In the Cloud | - | - |
| Advanced Threat Scan Engine (ATSE) | Yes | 16.361.00 | November 20, 2020 | < same as VSAPI > |
| Predictive Learning (TrendX) | Yes | In the Cloud | - | Downloader.VBA.TRX.XXVBAF01FF011 Downloader.VBA.TRX.XXVBAF01FF009 Downloader.VBA.TRX.XXVBAF01FF010 Troj.Win32.TRX.XXPE50FFF037 Troj.Win32.TRX.XXPE50FFF038 TSPY.Win32.TRX.XXPE50FFF037E0002 |
| File detection (VSAPI) | Yes | ENT OPR 16.361.00 | November 20, 2020 | Trojan.HTML.ICEDID.VWFZ Trojan.W97M.ICEDID.SMAC Trojan.W97M.ICEDID.SMCET Trojan.W97M.ICEDID.SMTH Trojan.W97M.ICEDID.SM Trojan.W97M.ICEDID.SMA Trojan.W97M.ICEDID.AR Trojan.W97M.ICEDID.FAIX Trojan.W97M.ICEDID.GAAA Trojan.Win32.ICEDID.ENG Trojan.Win32.ICEDID.FAIM Trojan.Win32.ICEDID.THJOCBO TrojanSpy.Win32.ICEDID.BP TrojanSpy.Win32.ICEDID.FAIX |
| Network Pattern | Yes | - | - | TROJ_GEN.R011C0PJA20 - HTTP (Response) |
| Behavioral Monitoring (AEGIS) | Yes | TMTD OPR 2191 | - | ARV4483T (document) |
