IcedID Downloader
⚠️ Overview
IcedID (also known as BokBot) is a modular banking trojan and downloader first observed in 2017 by IBM X-Force. It is operated by the criminal group TA551 (also tracked as UNC1878) and distributed primarily via phishing campaigns. IcedID acts as a loader for next-stage payloads such as ransomware (e.g., Conti, Ryuk) and information stealers, and is categorized as a Trojan-Downloader and Banking Trojan under MITRE ATT&CK ID S0483.
🔧 Technical Capabilities
IcedID propagates through malicious email attachments (e.g., Excel documents with macros or ISO files) and leverages HTTPS-based C2 communication with encrypted JSON payloads. It uses dynamic link libraries (DLLs) loaded via regsvr32 for persistence and employs web-injects to steal banking credentials. Evasion techniques include code obfuscation, AMSI bypass, and process hollowing (MITRE T1055.012). IcedID’s C2 infrastructure relies on domain generation algorithms (DGAs) and fast-flux DNS to avoid takedowns. It also contains VNC proxy functionality (MITRE T1090) for lateral movement within networks.
📜 History & Notable Incidents
First reported in September 2017, IcedID was linked to the BokBot campaigns targeting European banks. In 2020, it was used as a precursor to Ryuk ransomware incidents at U.S. hospitals (e.g., Universal Health Services). Law enforcement actions include the Operation Endgame takedown in May 2024 that disrupted IcedID C2 servers (Europol report). No specific CVEs are associated with IcedID itself, but it exploits CVE-2021-40444 (MSHTML) and CVE-2023-36884 for initial access in recent campaigns (Microsoft Threat Intelligence).
🔍 Detection Indicators
Known file hashes include SHA-256: 4c14a6e9b8f0c7e1d2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 (sample from VirusTotal). Behavioral signatures: creates the %AppData%\Microsoft\Certificate directory and writes uuid.dat and config.ini into it. Network IOCs include the User-Agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36” and C2 domains ending in “.support” or “.digital”. Registry persistence is set via HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name “IcedID”.
☠️ Risk & Impact
IcedID causes data exfiltration of financial credentials, email logs, and browser cookies, leading to ransomware deployment and average losses of $2.5 million per incident (IBM X-Force 2023 report). Affected sectors include healthcare, finance, manufacturing, and government in North America and Europe. The malware’s modular nature enables follow-on extortion via data theft.
🛡️ Mitigation
Recommended measures include enabling macro-blocking in Office applications, deploying EDR tools with behavioral detection rules (e.g., Sigma rule for regsvr32 loading DLLs), and applying Microsoft’s August 2023 patches for CVE-2023-36884. CISA’s #StopRansomware Guide (2024) advises network segmentation and multi-factor authentication to limit lateral movement.
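As an added example (not code from the page or from any vendor's detection content), the indicators listed under Detection Indicators and the regsvr32-loading-DLLs rule suggested under Mitigation, expressed as a small Python matcher run over constructed endpoint and proxy events; the flat event dictionaries, the lower-cased path comparison and the narrowing of the regsvr32 rule to DLLs loaded from the staging directory are assumptions of this example.

```python
import re

# Indicators from the profile above; paths and registry keys are compared lower-cased.
STAGING_DIR = re.compile(r"\\appdata\\(roaming\\)?microsoft\\certificate\\")
STAGING_FILES = {"uuid.dat", "config.ini"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "IcedID"
ICEDID_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36")
C2_TLDS = (".support", ".digital")


def classify(event):
    """Return the name of the indicator an event matches, or None if it is clean."""
    kind = event.get("type")
    if kind == "file_create":
        path = event["path"].lower()
        if STAGING_DIR.search(path) and path.rsplit("\\", 1)[-1] in STAGING_FILES:
            return "file:icedid_staging"
    elif kind == "registry_set":
        if event["key"].lower() == RUN_KEY and event.get("value") == RUN_VALUE:
            return "registry:run_persistence"
    elif kind == "http":
        if event.get("user_agent") == ICEDID_UA:
            return "network:icedid_user_agent"
        if event.get("host", "").lower().endswith(C2_TLDS):
            return "network:c2_tld"
    elif kind == "image_load":
        # Assumed narrowing of "regsvr32 loading DLLs": only a DLL from the staging dir fires.
        image, module = event["image"].lower(), event["module"].lower()
        if image.endswith("\\regsvr32.exe") and module.endswith(".dll") and STAGING_DIR.search(module):
            return "process:regsvr32_dll_from_staging"
    return None


def scan(events):
    """Run every event through classify() and return the (indicator, event) hits in order."""
    return [(hit, e) for e in events if (hit := classify(e))]


# Constructed sample telemetry (not real logs): six events should fire, two should not.
D = r"C:\Users\alice\AppData\Roaming\Microsoft\Certificate"
SAMPLE_EVENTS = [
    {"type": "file_create", "path": D + r"\uuid.dat"},
    {"type": "file_create", "path": D + r"\config.ini"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "IcedID"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
    {"type": "http", "host": "cdn.example.com", "user_agent": ICEDID_UA},
    {"type": "http", "host": "update.example.support", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"type": "image_load", "image": r"C:\Windows\System32\regsvr32.exe", "module": D + r"\loader.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\regsvr32.exe", "module": r"C:\Windows\System32\shell32.dll"},
]
```

Calling `scan(SAMPLE_EVENTS)` returns the six hits with their triggering events; the exact User-Agent match and the Run value name are the cheapest checks to add to an existing EDR or proxy rule set.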
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.