IcedID is a crimeware-as-a-service banking trojan that steals sensitive financial information by creating a local proxy to intercept all browsing traffic on an infected host. First appearing in the wild in late 2017, IcedID is believed to be the successor to the formerly prolific Vawtrak (aka Neverquest) trojan, which declined following the arrest of key developers in January 2017. IcedID has historically been delivered as a later-stage payload from a variety of notable threats, including Emotet, TrickBot, and Hancitor. In 2020, the primary initial access vector Red Canary observed delivering IcedID was TA551. Early in the year, we often saw IcedID as a tertiary payload after TA551 initially deployed Ursnif or Valak. However, by July the intermediary payloads ceased as TA551 opted to deliver IcedID directly. Since TA551 ranked as our most prevalent threat for 2020, it is no surprise that IcedID—its primary payload—also placed near the top of the list.
Installation and execution
After the installer DLL is executed, IcedID pulls down a configuration file from its command and control (C2) server. It then spawns an instance of a legitimate process and hooks multiple Windows APIs in order to hollow that process and inject into it. Throughout most of 2020,
msiexec.exe was the target of this process injection, although IcedID has used other processes, such as
svchost.exe, in the past.
Once execution has been achieved via the hollowed process, IcedID proceeds to establish persistence and act on objectives. IcedID achieves persistence in multiple ways, notably via downloading an additional binary (in EXE or DLL form) to the user’s local folder. We’ve observed a few different folders where the binary has been written, typically either in a subfolder of
AppData\Local. In some cases this subfolder has been named after the username of the infected user, and in others it appears to be a random string of characters. IcedID then sets that binary to run via scheduled tasks. Upon restart, this persistence mechanism will execute the process hollowing routine again to return control to the main backdoor.
The primary purpose of the main backdoor is to steal sensitive data—in particular, browsing data including banking information. This is accomplished by hooking the browser and establishing a local proxy complete with self-signed certificates to reroute all web traffic through the adversary-controlled process. This enables the adversary to not only monitor traffic of interest, but also to use web injects to harvest information when a user attempts to visit a site such as online banking. In addition to data theft, IcedID contains a VNC capability for remote access to the victim machine. Juniper Threat Labs and IBM X-Force have also covered IcedID’s capabilities and injection techniques.