{
	"id": "cc517b2e-45bf-4a9e-a327-9324f5aa9cce",
	"created_at": "2026-04-06T00:18:17.949008Z",
	"updated_at": "2026-04-10T03:20:35.745365Z",
	"deleted_at": null,
	"sha1_hash": "b3b5f93e87f6c02e090dd76b2ca511983bf0c991",
	"title": "IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 284653,
	"plain_text": "IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution\r\nBy William Largent\r\nPublished: 2018-04-10 · Archived: 2026-04-05 12:49:45 UTC\r\nTuesday, April 10, 2018 16:12\r\nUpdate: 4/11 we have corrected the detection to Ursnif/Dreambot\r\nThis post was authored by Ross Gibb with research contributions from Daphne Galme, and Michael Gorelik of Morphisec, a Cisco Security Technical Alliance partner.\r\nCisco has noticed an increase in infections by the banking trojan IcedID through our Advanced Malware Protection (AMP) system. Security researchers first reported a new banking Trojan known as \"IcedID\" [1] in November 2017. At the time of discovery, IcedID was being distributed by Emotet, another well-known banking trojan. In late February and throughout March 2018, we noticed an increase in infections from IcedID being detected throughout the AMP ecosystem. As in November 2017, some of the infections could be traced to Emotet, but this time many detections could instead be traced to emails with attached malicious Microsoft Word documents containing macros. When the malicious documents are opened and the macros are enabled, Ursnif/Dreambot, another trojan, is downloaded and executed, which subsequently downloads IcedID. In addition to Ursnif/Dreambot, many of the samples downloaded a second payload, a Bytecoin miner (Bytecoin is a cryptocurrency similar to Bitcoin).\r\nUrsnif/Dreambot is financially motivated malware that is known to download and install additional modules or other malware families. This Ursnif/Dreambot/IcedID attack was interesting for two reasons:\r\nhttps://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html\r\nPage 1 of 7\n\n1. The targeted nature of the emails, which use spear-phishing techniques to entice victims into opening the malicious Microsoft Word documents.\r\n2. 
The minimalist code injection technique used by IcedID, which improves on existing code injection techniques and is harder to detect.\r\nFigure 1: Malicious document that installs Ursnif/Dreambot and IcedID banker attached to spear-phishing emails\r\nUse of spear-phishing emails\r\nAt first, this attack appeared to be similar to the countless malicious Microsoft Word documents with macros that Cisco blocks every day. In this case, when the documents are opened, users are enticed to enable macros in order to view the content. If the user enables macros within the document, an auto-close macro is triggered when the user closes the document; it executes mshta.exe (a built-in Windows component) to download and execute a remote script. The remote script launches two instances of PowerShell to download and execute the Ursnif/Dreambot/IcedID and Bytecoin miner payloads.\r\nThis attack became more interesting when the targeted nature of the emails and the file names of email attachments were investigated.\r\nWidely distributed malware families that spread over email (like Ursnif/Dreambot) generally send out their malicious messages in high volume. Most end-user security training programs center around helping users identify these kinds of emails and be suspicious of any unexpected emails. An attacker sending emails in large volumes has typically chosen email content that applies to a wide range of different recipients but will not immediately be viewed as suspicious. For example, attackers have recently been using email content such as job applications with attached resumes, shipment delivery notifications with attached tracking information, or notices for payment with attached invoices. In contrast, spear-phishing attacks use emails that are much more targeted at the recipient and contain information familiar to the recipient. 
Previously, spear-phishing was primarily used by advanced persistent threat (APT) actors who had specific targets.\r\nUrsnif/Dreambot/IcedID is a clear example of the evolution of spear-phishing from exclusive use by APT actors to use by malware families with wide distribution. For example, one of the Ursnif/Dreambot distribution emails had the following features:\r\nThe email was sent to an employee of a city in the state of Arkansas.\r\nThe email's subject referenced a meeting relevant to city business.\r\nThe email's body referenced and discussed the meeting, as well as containing names of employees that work at the city.\r\nThe name of the document attached to the email included the name of a civil engineering company local to Arkansas.\r\nA similar example to the one above was found in a malicious email received by an electrical company in Raleigh, North Carolina. The file name of the attached document included the name of an engineering company also local to North Carolina.\r\nNot all examples were as highly targeted to a specific business; some instead targeted users in a similar industry. 
For example, users with email addresses related to the automotive industry received emails with an attachment file name that referenced the name of a car dealership in Dallas, Texas.\r\nThe use of spear-phishing techniques to create emails containing references to people or businesses that the recipient is familiar with makes it more likely that the user will open the attachment and enable the macros within. Since spear-phishing emails require the attacker to create emails for each target, there is a higher cost to the attacker to launch this kind of attack, but it will pay off if the attacker invests the time necessary.\r\nMinimalist code injection\r\nOnce launched, IcedID takes advantage of an interesting technique to inject malicious code into svchost.exe — it does not require starting the target process in a suspended state, and is achieved by using only the following functions:\r\nkernel32!CreateProcessA\r\nntdll!ZwAllocateVirtualMemory\r\nntdll!ZwProtectVirtualMemory\r\nntdll!ZwWriteVirtualMemory\r\nIcedID's code injection into svchost.exe works as follows:\r\n1. In the memory space of the IcedID process, the function ntdll!ZwCreateUserProcess is hooked.\r\n2. The function kernel32!CreateProcessA is called to launch svchost.exe; the CREATE_SUSPENDED flag is not set.\r\n3. The hook on ntdll!ZwCreateUserProcess is hit as a result of calling kernel32!CreateProcessA. The hook is then removed, and the actual call to ntdll!ZwCreateUserProcess is made.\r\n4. At this point, the malicious process is still in the hook; the svchost.exe process has been loaded into memory by the operating system, but the main thread of svchost.exe has not yet started.\r\n5. The call to ntdll!ZwCreateUserProcess returns the process handle for svchost.exe. 
Using the process handle, the functions ntdll!NtAllocateVirtualMemory and ntdll!ZwWriteVirtualMemory can be used to write malicious code to the svchost.exe memory space.\r\n6. In the svchost.exe memory space, the call to ntdll!RtlExitUserProcess is hooked to jump to the malicious code already written.\r\n7. The malicious function returns, which continues the code initiated by the call to kernel32!CreateProcessA, and the main thread of svchost.exe will be scheduled to run by the operating system.\r\n8. The malicious process ends.\r\nSince svchost.exe has been called with no arguments, it would normally immediately shut down because there is no service to launch. However, as part of its shutdown, it will call ntdll!RtlExitUserProcess, which hits the malicious hook, and the malicious code will take over at this point.\r\nhttps://alln-extcloud-storage.cisco.com/ciscoblogs/5ac52bebc03d1.mp4\r\nVideo: Identifying and analyzing IcedID’s minimalist injection technique (6:04)\r\nMalware authors are constantly looking for more surreptitious ways to inject code into benign processes. Process doppelganging, a fileless code injection technique [2], and atom bombing, a technique which uses atom tables for writing into the memory of another process [3], are examples of completely new classes of code injection techniques malware authors have recently found and leveraged. 
The minimalist process injection technique used by IcedID is an evolution of existing process injection techniques [4], rather than an entirely new class of technique. Minimalist code injection does offer the following improvements over known techniques:\r\nRequires only four Windows API calls to achieve code injection.\r\nDoes not require the created process to be created in a suspended state.\r\nDoes not require new threads to be created in the target process.\r\nUsing fewer functions and less suspicious process-creation flags makes this minimalist code injection technique more difficult for security solutions to detect.\r\nDetection\r\nCisco AMP for Endpoints' new exploit prevention engine offers protection against both Ursnif/Dreambot and IcedID. While neither Ursnif/Dreambot nor IcedID contains actual exploits, both are detected and blocked by the AMP exploit prevention engine because of the suspicious memory access that each performs. In the case of Ursnif/Dreambot, memory manipulation done by its unpacking routine is detected. In the case of IcedID, when it performs the minimalist memory injection technique, it is detected when it attempts to place the hook on the ntdll!ZwCreateUserProcess function.\r\nConclusion\r\nThe use of spear-phishing emails targeted at specific organizations and industries by Ursnif/Dreambot/IcedID shows that widely distributed malware families are adapting to an environment of improved defenses. As detection methods improve, and users become more skilled at identifying suspicious emails, attackers who could once send the same malicious email to all their targets are having to improve their techniques. 
The use of the minimalist code injection technique by IcedID also shows that attackers are changing their post-infection techniques to better hide and remain on systems where older injection techniques would likely have been detected.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nMalicious Document\r\nb0457ecdcc1940850af6d858e2f2e91e555a71f250f53b7ba9d4434a81810032\r\nUrsnif/Dreambot\r\n5916b8c0c0668d106ebfcad97eb5c90687c873a732eb61f00e5d7033f8fd85ed\r\nIcedID\r\nUnpacked IcedID binary demonstrating injection\r\nd5164e296c7e7a0c3b2a9e34f07bebcdd0ab7df9ab63ca7dffac6d65e60b0b25\r\n(see hook on ntdll!ZwCreateUserProcess at 0x4016a6)\r\nAdditional IcedID 
binaries\r\n0bd92149834e083320bc5a51f21ac768e26a115c0d589aae22d56ce4c5cf2330\r\n0ca2971ffedf0704ac5a2b6584f462ce27bac60f17888557dc8cd414558b479e\r\n0ea7f227bcbc0b7cd9d1d951a8dfde56f8d18989e4f4c2b0290246e282a14842\r\n107f44919999afc3ddf9c8d1e552ca8463c71ac53fbeaf62ab7de80aba796e15\r\n1f8b4e2ef4c318625447884156be50691555e409242252e504ab15ade5bba4d8\r\n24bde557761930ec48a6573c2f7f538be784652e7c55224ba474e443bd1d8c55\r\n4c851e40390df6021c8396c9141d50b52d2dc027586a2edb5f682707987adfad\r\n64f3abc5b0b65cd4bca68b3200cf2d645d3557fbc6dfe36a127734c3ce436860\r\n693599aa847dece5b5cfcca5d545fe5f3f87e5acd10ed807e731741ee306ab4c\r\n70e2782079e95e312d7e2de69a6ac0f56874caaf021e1e3f45750f62b7d386ff\r\n7700fe76b40bc4a0f1b93ae32b9f34c595ef0e2886632e26ebf5f43be1aea63c\r\n7c89b72451f7361cc3f120d0c38287fe5acc9f6e8210279cfe09318d6fe92869\r\n8408fd2fab0b7fce952d6338164040eeb5ae910cbf355ea41f798e04998507bc\r\n84a664fd2ca39c0a7258bed6f8d3e707bcf6c597bb4f94401940b4e005578dae\r\n84ecae42c9c88ae5c2bdf51d546421b02d06bcf57b48b2abafdbd38d81bacfa8\r\n8ce7889ca54f6c480ee3534fbeb2383779583e258b1e4ac5b851b578a40bc31f\r\n9426acf9edf6479374905b743ab0a550183c2b1869af1a8da2bb69a25e2cad1e\r\n995de239c8160435f50675d42a20cf773e6a3e10c8812f4d680114170e07f914\r\n9b5930266d5494553f3801d62d7ef20dc866fadda0ee654da85e01042aa91338\r\na5779442a31d66407cec78d1d58832a847d5929587cb22b8ad7459f4a28deeef\r\na88f9196456011043bd404377146f7443550a6f11a08fcfac29a55273bd75509\r\nda1e9b6766b9a6445c77ac522a73cc763be2f2500fb1ed8af63e2c47e0f884fb\r\ne899b27d0e241914cba36c43dfb686bf008237d10beff9114f9aad04b7c919de\r\ned578c318be8a671b4b3d23db9b3fc4bd031befe490543d60e6bcf0759fc51c5\r\nffc7479a186f1101a9e7800d8830d235ba6797dc293ade57864f2db26fa58c0f\r\nNetwork\r\nefoijowufjaowudawd[.]com\r\n86.123.64.43\r\nScheduled task\r\nThe existence of a scheduled task at:\r\nC:\\Windows\\System32\\Tasks\\Update\r\nThe \"Exec\" action within the scheduled task will take the command line argument \"/i\" and the path of the executable will be in 
the APPDATA directory. For example,\r\n\u003cExec\u003e\r\n\u003cCommand\u003e\"C:\\Users\\Administrator\\AppData\\Local\\Microsoft Help\\\\restewbes.exe\"\u003c/Command\u003e\r\n\u003cArguments\u003e/i\u003c/Arguments\u003e\r\n\u003c/Exec\u003e\r\nReferences\r\n[1] https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/\r\n[2] https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf\r\n[3] https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows\r\n[4] https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\r\nSource: https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
	],
	"report_names": [
		"icedid-banking-trojan.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434697,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3b5f93e87f6c02e090dd76b2ca511983bf0c991.pdf",
		"text": "https://archive.orkl.eu/b3b5f93e87f6c02e090dd76b2ca511983bf0c991.txt",
		"img": "https://archive.orkl.eu/b3b5f93e87f6c02e090dd76b2ca511983bf0c991.jpg"
	}
}