IcedID
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.002 | Account Discovery: Domain Account | IcedID can query LDAP and can use built-in `net` commands to identify additional users on the network to infect.(Citation: IBM IcedID November 2017)(Citation: DFIR_Quantum_Ransomware)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | IcedID has used HTTPS in communications with C2.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: DFIR_Sodinokibi_Ransomware)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | IcedID has established persistence by creating a Registry run key.(Citation: IBM IcedID November 2017)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | IcedID has used obfuscated VBA string expressions.(Citation: Juniper IcedID June 2020)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | IcedID has used SSL and TLS in communications with C2.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)
Enterprise | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | IcedID has exfiltrated collected data via HTTPS.(Citation: DFIR_Sodinokibi_Ransomware)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | IcedID has modified legitimate .dll files to include malicious code.(Citation: Trendmicro_IcedID)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | IcedID has packed and encrypted its loader module.(Citation: Juniper IcedID June 2020)
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | IcedID has embedded binaries within RC4 encrypted .png files.(Citation: Juniper IcedID June 2020)
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | IcedID has embedded malicious functionality in a legitimate DLL file.(Citation: Trendmicro_IcedID)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | IcedID has utilized encrypted binaries and base64 encoded strings.(Citation: Juniper IcedID June 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | IcedID has been delivered via phishing e-mails with malicious attachments.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Sodinokibi_Ransomware)
Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | IcedID has used
Enterprise | T1055.012 | Process Injection: Process Hollowing | IcedID can inject a Cobalt Strike beacon into cmd.exe via process hollowing.(Citation: DFIR_Quantum_Ransomware)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | IcedID has created a scheduled task to establish persistence.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: DFIR_Sodinokibi_Ransomware)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | IcedID can identify AV products on an infected host using the following command: `WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List`.(Citation: DFIR_Sodinokibi_Ransomware)(Citation: DFIR_Quantum_Ransomware)
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application.(Citation: Juniper IcedID June 2020) IcedID has also used msiexec.exe to deploy the IcedID loader.(Citation: Trendmicro_IcedID)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | IcedID has used rundll32.exe to execute the IcedID loader.(Citation: Trendmicro_IcedID)(Citation: DFIR_Quantum_Ransomware)
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | IcedID used the following command to check the country/language of the active console: `cmd.exe /c chcp >&2`.(Citation: DFIR_Quantum_Ransomware)
Enterprise | T1204.002 | User Execution: Malicious File | IcedID has been executed through Word and Excel files with malicious embedded macros and through ISO and LNK files that execute the malicious DLL.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: DFIR_Sodinokibi_Ransomware)
Groups That Use This Software

ID | Name | References
---|---|---
G0127 | TA551 | (Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN) (Citation: TrendMicro Pikabot 2024)
G1038 | TA578 | (Citation: Latrodectus APR 2024)
References
- Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- Kenefick, I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
- DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
- DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
- Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
- Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.