IcedID (also known as BokBot) is a highly sophisticated, modular Banking Trojan and Initial Access Broker (IAB) malware. Initially discovered in 2017 targeting financial information via web injection, it has evolved into a formidable initial access vector for ransomware syndicates. Its primary function today is to establish a stealthy foothold within a corporate network, steal domain credentials, and facilitate the deployment of catastrophic secondary payloads like Egregor or REvil ransomware.
Infection Vector and Technical Capabilities
IcedID is typically distributed via high-volume malspam campaigns utilizing malicious Office documents (macros) or heavily obfuscated JavaScript files. It is also frequently dropped as a secondary payload by other prevalent loaders like Emotet or TrickBot.
Its technical sophistication rivals state-sponsored tools:
Web Injection (Man-in-the-Browser): Its legacy capability involves intercepting web traffic to inject fraudulent fields into legitimate banking portals, bypassing HTTPS and 2FA to steal credentials and initiate unauthorized wire transfers.
Advanced Evasion and Steganography: IcedID employs highly complex evasion techniques. It often downloads its core malicious module hidden within an innocent-looking image file (steganography) to bypass network intrusion detection systems (NIDS).
Lateral Movement and Ransomware Deployment: Once active, it maps the Active Directory environment, dumps credentials (via Mimikatz modules), and attempts to move laterally to the Domain Controller. Once the network is fully compromised, the "access" is sold to a ransomware cartel for final deployment.
Threat Assessment
An IcedID detection is an enterprise crisis. It is a Tier-1 threat indicating that the organization has been breached by highly capable cybercriminals. If not contained immediately, a full-scale, network-wide ransomware deployment is highly probable within days or hours.
Incident Response and Remediation
Declare a Major Incident: Immediately engage specialized third-party Incident Response (IR) teams. Isolate the affected endpoints immediately, but do not turn them off, to preserve memory forensics.
Active Directory Lockdown: The immediate threat is lateral movement. Hunt for anomalous admin logins, reset krbtgt account passwords (twice), and scrutinize Domain Admin account activity.
Enterprise-Wide Eradication: Remediating IcedID requires a coordinated network-wide effort to identify all compromised hosts, sever all C2 connections, and rebuild affected machines from known-good baselines.
Known aliases
Threat reports may refer to this family under multiple names:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.