# IcedID Malware: Traversing Through its Various Incarnations

**[research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/](https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/)**

May 02, 2023, by the System-41 Team

**Executive Summary**

IcedID, the notorious malware, is actively involved in several delivery campaigns, demonstrating versatility and adaptability. The latest IcedID variants show the malware's continuous evolution and the need for robust cybersecurity measures. The surging use of IcedID to deploy ransomware makes it a significant threat to organizations worldwide. At the same time, IcedID stays true to its roots, employing consistent Tactics, Techniques, and Procedures (TTPs) across its campaigns over the years. Tidal Cyber's visibility and features provide a better landscape for identifying and understanding these TTPs, and the osquery rules published by Loginsoft on Tidal Cyber's platform can bolster your organization's security posture.

**Evolution & Variants**

Continuously active since its initial appearance in 2017, IcedID has had no periods of dormancy. Through its varied delivery mechanisms and evolutionary strategies, IcedID serves as an exemplary model for other malware. It is widely observed in countries such as the United States, the United Kingdom and Canada, where the threat actors (TAs) target not only financial institutions but also the ecommerce, payment, and telecommunication industries. In recent years these threat actors repurposed IcedID's functionality, transforming it from a banking Trojan into a ransomware detonator. As a result, many TAs added IcedID to their arsenal, while most still prefer the standard variant of the malware. The standard IcedID variant propagates through emails with diverse attachments such as HTML files, ZIP archives, ISO images and more.
In March 2023, [Proofpoint reported the discovery of two new variations of IcedID.](https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid) The first novel variant, detected in November 2022 as part of the Emotet malware campaign, lacked certain features, making it lightweight and harder to detect. The second new variant, observed in February 2023, bore a strong resemblance to the standard edition and mainly [propagated through phishing emails with OneNote attachments.](https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/)

**Malware Progression**

**[ICEDID CAMPAIGN – 2021](https://app.tidalcyber.com/share/8b7899cd-6e13-48b0-91b5-82f697d8141a?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog)**

_Figure: IcedID 2021 Distribution Chain_

Our observations reveal that TA551 employed several tactics to distribute malicious payloads via email, including Office documents with malicious macros. Another variant of this campaign used an archived JavaScript file that downloads the IcedID DLL and stores it with a .jpg or .png extension to evade detection. The DLL is then run through the Rundll32 LOLBin with the uncommon DllRegisterServer export as its parameter, after which the malware establishes communication with the attacker's command and control (C2) server.

**[ICEDID CAMPAIGN – 2022](https://app.tidalcyber.com/share/64337eee-bfaa-4411-b862-55e508f6d3be?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog)**

_Figure: IcedID 2022 Distribution Chain_

TAs began disseminating the malware through ISO files sent via email. When the recipient opens the image, Windows mounts it as a drive letter; clicking the shortcut (LNK) file inside executes the IcedID payload through the regsvr32 or rundll32 LOLBin. Because files inside a mounted ISO did not carry the Mark-of-the-Web (MoTW) flag at the time, the usual download warnings were bypassed. Upon execution of the IcedID DLL, the malware performed discovery through Windows utilities such as systeminfo, ipconfig, net, and nltest.
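As an added example (not code from the original post or from Loginsoft), the following Python applies the behaviours described for the 2021 and 2022 chains, plus the scheduled-task persistence step the later campaigns rely on, to a handful of constructed Sysmon-style process-creation events: rundll32 invoking the DllRegisterServer export on a DLL stored under an image extension, regsvr32 or rundll32 loading a DLL from a mounted (non-system) drive letter, a burst of discovery utilities spawned by the same parent process, and `schtasks /create` whose action is itself a LOLBin. The event field names, the 120-second window, the three-tool threshold and the assumption that C: is the only system volume are all assumptions of the example, not details from the page.

```python
"""Detection logic for the IcedID delivery chains, run over constructed
Sysmon-style process-creation events (added example, not the post's own code).
Assumed event fields: ts (seconds), pid, ppid, image, cmdline."""
import re
from collections import defaultdict

DISCOVERY_TOOLS = {"systeminfo.exe", "ipconfig.exe", "net.exe", "net1.exe",
                   "nltest.exe", "whoami.exe", "adfind.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe"}
SYSTEM_DRIVES = {"C"}                       # assumption: the OS volume is C:
DISGUISED_EXT = re.compile(r"\.(jpg|png|gif|dat)\b", re.IGNORECASE)
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")    # drive letters referenced on the command line
SCHTASKS_TR = re.compile(r'/tr\s+"?([^"]+)"?', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lolbin_dll_findings(ev):
    """2021 chain: rundll32 + DllRegisterServer on a DLL saved as .jpg/.png/.dat.
    2022 chain: regsvr32/rundll32 loading a DLL from a non-system drive (mounted ISO)."""
    img = basename(ev["image"])
    if img not in {"rundll32.exe", "regsvr32.exe"}:
        return []
    cmd = ev["cmdline"]
    reasons = []
    if DISGUISED_EXT.search(cmd):
        reasons.append("dll_disguised_with_image_or_data_extension")
    if img == "rundll32.exe" and "dllregisterserver" in cmd.lower():
        reasons.append("rundll32_dllregisterserver_export")
    for drive in DRIVE_RE.findall(cmd):
        if drive.upper() not in SYSTEM_DRIVES:
            reasons.append(f"dll_loaded_from_mounted_volume_{drive.upper()}")
    return [(ev["ts"], "lolbin_dll_load", ev["pid"], r) for r in reasons]


def discovery_bursts(events, window=120, min_distinct=3):
    """>= min_distinct different discovery utilities spawned by one parent within
    `window` seconds; a lone ipconfig from an admin shell does not trigger."""
    by_parent = defaultdict(list)
    for ev in events:
        if basename(ev["image"]) in DISCOVERY_TOOLS:
            by_parent[ev["ppid"]].append(ev)
    findings = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            tools = sorted({basename(e["image"]) for e in evs[i:]
                            if e["ts"] - first["ts"] <= window})
            if len(tools) >= min_distinct:
                findings.append((first["ts"], "discovery_burst", ppid, ",".join(tools)))
                break                       # one finding per parent process
    return findings


def schtasks_lolbin_findings(ev):
    """Scheduled task created whose action (/tr) is a LOLBin such as rundll32."""
    cmd = ev["cmdline"]
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return []
    m = SCHTASKS_TR.search(cmd)
    if not m:
        return []
    action = m.group(1).strip()
    if basename(action.split()[0]) in LOLBINS:
        return [(ev["ts"], "scheduled_task_runs_lolbin", ev["pid"], action)]
    return []


def run_detections(events):
    """Return all findings as (ts, rule, pid, detail) tuples, ordered by time."""
    findings = []
    for ev in events:
        findings += lolbin_dll_findings(ev)
        findings += schtasks_lolbin_findings(ev)
    findings += discovery_bursts(events)
    return sorted(findings)


# Constructed sample telemetry for the example; not real IcedID artefacts.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 4100, "ppid": 3980, "image": r"C:\Windows\System32\rundll32.exe",   # 2021 chain
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\photo.jpg,DllRegisterServer"},
    {"ts": 60, "pid": 5120, "ppid": 1020, "image": r"C:\Windows\System32\regsvr32.exe",  # 2022: LNK in ISO
     "cmdline": r"regsvr32.exe /s E:\document.dll"},
    {"ts": 90, "pid": 5200, "ppid": 5120, "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": 95, "pid": 5201, "ppid": 5120, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": 100, "pid": 5202, "ppid": 5120, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"ts": 140, "pid": 5203, "ppid": 5120, "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:"},
    {"ts": 600, "pid": 7100, "ppid": 7000, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},  # benign
    {"ts": 700, "pid": 7200, "ppid": 7150, "image": r"C:\Windows\System32\regsvr32.exe",  # benign installer
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"ts": 800, "pid": 8000, "ppid": 5120, "image": r"C:\Windows\System32\schtasks.exe",  # persistence
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "rundll32.exe C:\Users\jdoe\AppData\Roaming\upd.dll,init" /sc minute /mo 30'},
]

if __name__ == "__main__":
    for ts, rule, pid, detail in run_detections(SAMPLE_EVENTS):
        print(f"t={ts:>4} {rule:<28} pid={pid} {detail}")
```

On the sample above the two benign events (a single `ipconfig` from an admin shell and an installer registering a DLL under Program Files) produce nothing, while the rundll32 launch is flagged twice (disguised extension and the DllRegisterServer export), the regsvr32 launch once for the E: volume, the four discovery tools once as a burst under the regsvr32 parent, and the `schtasks` command once. In production the same logic belongs in your SIEM or in osquery's `processes` and `scheduled_tasks` tables; the point here is the conditions, not the transport.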
A Cobalt Strike beacon was then deployed, and hands-on-keyboard activity was observed running [AdFind](https://www.joeware.net/freetools/tools/adfind/) to enumerate Active Directory. The operators obtained credentials by [accessing LSASS memory](https://app.tidalcyber.com/capability/cc5b3d24-4c00-54eb-9364-24354e6b39e4-Abnormal%20LSASS%20Child%20and%20Parent%20Process%20Relationships?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog) and used them to establish RDP connections within the network. After gaining access across the compromised network, the TAs initiated a ransomware attack. In the same year, the TAs also spread IcedID via Google Ads that led to fake software installer pages, and some IcedID variants were found to use Dark VNC as a backdoor.

**[ICEDID CAMPAIGN – 2023](https://app.tidalcyber.com/share/8e3a3aaf-bbda-4e1b-83e4-447c0b1bd5be?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog)**

_Figure: IcedID 2023 Distribution Chain_

In 2023, TAs launched various IcedID distribution campaigns, which quickly consolidated around their common delivery method: phishing emails. Initially the emails carried ISO attachments; later the TAs switched to [OneNote](https://app.tidalcyber.com/capability/7da10280-0b82-5727-97bf-ee236e879adb-OneNote%20Attachment%20File%20Dropped%20in%20Suspicious%20Location?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog) and PDF files to spread the malware. The infection started when the user opened the malicious file, which then executed the IcedID DLL; in some cases it [created a scheduled task](https://app.tidalcyber.com/capability/a5ff66c5-448c-59d3-b2cc-ef27549b8cee-Suspicious%20Scheduled%20Task%20Creation%20to%20execute%20LOLbins?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog) to run the malware. Once the patient-zero machine was infected, the malware began enumerating the environment to escalate privileges and move laterally across the network. After gaining access to all the machines, including the Active Directory server, the threat actors detonated the ransomware. Known cases where an IcedID infection ended in Quantum ransomware surprised many. Despite the change in the malware's role, from banking trojan to ransomware deployer, many of its tactics, techniques and procedures (TTPs) remained the same.

**Visibility Through Tidal**

[For better visibility of all three campaigns, we used Tidal Cyber's Community Edition](https://app.tidalcyber.com/?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog) to map the TTPs. Tidal Cyber is a defense platform that uses threat intelligence to help cybersecurity teams promptly and effortlessly identify and address potential security incidents. The platform incorporates osquery rules from Loginsoft for detecting security threats and lets users research and create threat profiles, so defenders can prioritize relevant threats and take informed defensive measures. [The image below displays a matrix that covers the TTPs of the IcedID campaigns](https://app.tidalcyber.com/share/63516261-6516-4a24-b28f-9d9e3976eb6b?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog) from the past three years.

_Figure: Tidal Cyber's Navigation Layer_

Loginsoft uploaded osquery rules to the Tidal platform, which can be used to detect malicious activity based on these TTPs. [Access these rules here.](https://app.tidalcyber.com/products/6db010c7-203b-5eac-bff5-b3e82effdaa5-System-41?utm_campaign=CTI%20Content%202022-23&utm_source=loginsoft&utm_medium=blog)

## Osquery Rules To Detect IcedID Activity

Below are specific osquery rules to help defend against the malicious behaviours exhibited by IcedID malware.

**Detects suspicious hidden files on a mounted drive**

```sql
-- Hidden DLL/script/data files on a mounted ISO volume (file_system = 'UDF').
-- osquery's file table needs a directory or path constraint; the join on
-- logical_drives supplies one per mounted UDF drive (e.g. directory LIKE 'E:\%').
SELECT atime, btime, ctime, device, directory, path, filename, file_id, attributes
FROM file
JOIN (SELECT device_id FROM logical_drives WHERE file_system = 'UDF') AS drives
  ON directory LIKE device_id || '\%'
WHERE (path LIKE '%.dll' OR path LIKE '%.bat' OR path LIKE '%.cmd' OR path LIKE '%.dat')
  AND attributes LIKE '%H%';   -- H = hidden attribute
```

Windows reports an ISO 9660 image mounted from Explorer as `CDFS` rather than `UDF`, so widen the filter to `file_system IN ('UDF', 'CDFS')` if you want to cover both image formats.

**Detects the Windows binary Regsvr32 making a network connection**

```sql
-- regsvr32.exe has no reason to hold a socket; IcedID's DLL, loaded into it,
-- opens the C2 connection.
SELECT ps.name AS process_name, ps.pid AS process_id, ps.cmdline AS process_cmdline,
       pos.local_address AS local_address, pos.local_port AS local_port,
       pos.remote_address AS remote_address, pos.remote_port AS remote_port
FROM processes ps
JOIN process_open_sockets pos ON ps.pid = pos.pid
WHERE LOWER(ps.name) = 'regsvr32.exe';
```

**Detects named pipes used by Cobalt Strike**

```sql
-- Default pipe-name prefixes from Cobalt Strike's stock profiles (SMB beacon,
-- post-exploitation jobs). '_' in a LIKE pattern is a single-character wildcard,
-- so 'msagent_%' also matches e.g. 'msagentX...'; acceptable for a hunting query.
SELECT p.name AS process_name, p.pid AS process_pid, p.path AS process_path,
       p.cmdline AS process_cmdline, pipes.name AS pipe_name,
       pipes.instances AS pipe_instances, pipes.flags AS pipe_flags
FROM processes p
JOIN pipes ON p.pid = pipes.pid
WHERE LOWER(pipes.name) LIKE 'msagent_%'
   OR LOWER(pipes.name) LIKE 'interprocess_%'
   OR LOWER(pipes.name) LIKE 'lsarpc_%'
   OR LOWER(pipes.name) LIKE 'samr_%'
   OR LOWER(pipes.name) LIKE 'netlogon_%'
   OR LOWER(pipes.name) LIKE 'wkssvc_%'
   OR LOWER(pipes.name) LIKE 'srvsvc_%'
   OR LOWER(pipes.name) LIKE 'mojo_%'
   OR LOWER(pipes.name) LIKE 'postex%'
   OR LOWER(pipes.name) LIKE 'status_%'
   OR LOWER(pipes.name) LIKE 'msse-%';
```

**Threat Bites**

| Field | Value |
|---|---|
| Threat Actor | TA578, TA551, TA577, TA544, TA581, TA542 |
| Targeted Country | US, UK, Canada, Italy |
| Targeted Industry | Financial Institution, Ecommerce, Payment, Telecommunication |
| First Seen | 2017 |
| Last Seen | 2023 |
| LOLBAS | Rundll32, Regsvr32, Wmic |
| Backdoor | Dark VNC, Anubis VNC, Keyhole VNC |
| Telemetry | Sysmon, Security, Windefend, PowerShell |
| Samples | [https://bazaar.abuse.ch/browse/tag/IcedID/](https://bazaar.abuse.ch/browse/tag/IcedID/) |