{
	"id": "7a179088-6127-45f4-be54-0556d73f5c5a",
	"created_at": "2026-04-06T00:13:16.782599Z",
	"updated_at": "2026-04-10T13:11:40.611891Z",
	"deleted_at": null,
	"sha1_hash": "84a6856ed0eded10e39830505eb5f1d399ef20c4",
	"title": "IcedID Banking Trojan returns with new TTPS – Detection \u0026 Response - Security Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 213598,
	"plain_text": "IcedID Banking Trojan returns with new TTPS – Detection \u0026\r\nResponse - Security Investigation\r\nBy BalaGanesh\r\nPublished: 2022-06-24 · Archived: 2026-04-05 16:13:53 UTC\r\nMalware researchers have observed that the ever-evolving banking trojan IcedID is back with a new phishing\r\ncampaign. In this campaign, the malware abuses Google Cloud and Google Firebase to deliver phishing links.\r\nSecurity researcher ankit_anubhav observed the malware sample: a phishing email whose body reads\r\n“Please find document links”. According to the researcher, pressing the “download” button loads a second\r\nGoogle link (Firebase) that downloads the actual ZIP, which contains an ISO that launches the payload.\r\nSource: https://twitter.com/ankit_anubhav\r\nhttps://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/\r\nPage 1 of 5\r\nSource: https://twitter.com/ankit_anubhav\r\nThe use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, so the\r\nmalware executes without any warning to the user.\r\nOnce the ZIP archive is opened, the malware spawns a new shell “C:\\Windows\\system32\\cmd.exe” and runs the\r\ncommand cmd /c \"C:\\Users\\Admin\\AppData\\Local\\Temp\\document 2.iso\". The ISO is then handled by the Windows default disc burner\r\n“isoburn.exe”: “C:\\Windows\\System32\\isoburn.exe” “C:\\Users\\Admin\\AppData\\Local\\Temp\\document\r\n2.iso” is what executes these ISO files.\r\nThe infected machine then downloads a new file to “C:\\Users\\Admin\\Downloads\\PowerISO8.exe”, and\r\nseveral DLLs are registered using the Regsvr32 utility.\r\nSince the attacker has already executed the ISO with the Windows default disc burner, this PowerISO8.exe download\r\nactivity is suspicious in itself: it suggests the threat actors want alternate ISO software as a fallback for executing the\r\nmalicious files.\r\nInfected machines connect to the C2 bredofenction[.]com and use a man-in-the-browser attack to steal financial\r\ninformation, including login credentials for online banking sessions.\r\nIndicators of compromise:\r\nFile:\r\nhttps://www.virustotal.com/gui/file/7354552c28ad25c6c83e84f1ef7da0a8a53dc9ba8177416c1f4be229130505b5\r\nStage 1 HTML: https://storage.googleapis[.]com/rj66f513.appspot.com/o/Bx9PomC.htm#\r\nStage 2 link: https[:]//firebasestorage.googleapis[.]com/v0/b/causal-tracker-354112.appspot.com/o/q4DLC3Kw3k%2Fdocument.zip?alt=media\u0026token=70ade0dd-fc8b-4044-bf3b-f9912d9c9bfe\r\nC2s:\r\nbredofenction[.]com\r\naniogarphianeo[.]com\r\ncarbrownleger[.]com\r\nIntel source: ankit_anubhav / Mikhail Kasimov\r\nDetection \u0026 Response:\r\nQRadar:\r\nSELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and\r\nSplunk:\r\n((CommandLine=\"*cmd /c*\" AND CommandLine=\"*\\\\AppData\\\\Local\\\\*\" AND CommandLine=\"*.iso*\" AND CommandLine=\"*C:\\\\\r\nElastic Query:\r\n((process.command_line:*cmd\\ \\/c* AND process.command_line:*\\\\AppData\\\\Local\\\\* AND process.command_line:*.iso*\r\nCrowdStrike:\r\n((((ImageFileName=\"*\\\\cmd.exe\") AND (CommandLine=\"*cmd /c*\" OR CommandHistory=\"*cmd /c*\") AND (CommandLine=\"*\\\\\r\nFireEye:\r\n(metaclass:`windows` ((args:`cmd /c` args:`\\AppData\\Local\\\\` args:`.iso` args:`C:\\Users\\\\` (process:`*\\cmd.exe`\r\nGraylog:\r\n((CommandLine.keyword:*cmd\\ \\/c* AND CommandLine.keyword:*\\\\AppData\\\\Local\\\\* AND CommandLine.keyword:*.iso* AN\r\nLogpoint:\r\n((CommandLine=\"*cmd /c*\" CommandLine=\"*\\\\AppData\\\\Local\\\\*\" CommandLine=\"*.iso*\" CommandLine=\"*C:\\\\Users\\\\*\" (I\r\nMicrosoft Defender:\r\nDeviceProcessEvents | where ((ProcessCommandLine contains \"cmd /c\" and ProcessCommandLine contains @\"\\AppData\\L\r\nMicrosoft Sentinel:\r\nSecurityEvent | where EventID == 4688 | where ((CommandLine contains 'cmd /c' and CommandLine contains @'\\AppD\r\nGoogle Chronicle:\r\n((target.process.command_line = /.*cmd \\/c.*/ and target.process.command_line = /.*\\\\AppData\\\\Local.*/ and targ\r\nRSA NetWitness:\r\n(((CommandLine contains 'cmd /c') \u0026\u0026 (CommandLine contains 'AppData\\Local\\\\') \u0026\u0026 (CommandLine contains '.iso')\r\nSumo Logic:\r\n(_sourceCategory=*windows* AND (((CommandLine=\"*cmd /c*\" AND CommandLine=\"*\\AppData\\Local\\\\*\" AND CommandLine=\"\r\nCarbon Black:\r\n((process_cmdline:*cmd\\ \\/c* AND process_cmdline:*\\\\AppData\\\\Local\\\\* AND process_cmdline:*.iso* AND process_cm\r\nAWS OpenSearch:\r\n((process.command_line:*cmd\\ \\/c* AND process.command_line:*\\\\AppData\\\\Local\\\\* AND process.command_line:*.iso*\r\nArcSight:\r\n(((((((deviceProcessName CONTAINS \"*\\\\cmd.exe\" OR destinationProcessName CONTAINS \"*\\\\cmd.exe\" OR sourceProcess\r\nSource: https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/"
	],
	"report_names": [
		"icedid-banking-trojan-returns-with-new-ttps-detection-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84a6856ed0eded10e39830505eb5f1d399ef20c4.pdf",
		"text": "https://archive.orkl.eu/84a6856ed0eded10e39830505eb5f1d399ef20c4.txt",
		"img": "https://archive.orkl.eu/84a6856ed0eded10e39830505eb5f1d399ef20c4.jpg"
	}
}