IcedID

Overview

IcedID (also known as BokBot) started as a banking trojan but has evolved into a sophisticated malware loader. It is commonly used as an initial access broker, providing access to compromised networks for ransomware operators. IcedID is frequently distributed through malspam campaigns and has strong ties to ransomware groups.

Also Known As

BokBot, IcedID Loader

How It Spreads

• • Malicious email attachments (Office docs, ISO files)
• • Stolen email thread hijacking
• • Malicious Google Ads
• • Contact form spam campaigns
• • Compromised websites with fake updates

What It Does

• • Establishes persistent access to victim network
• • Steals banking and financial credentials
• • Provides remote access for ransomware operators
• • Collects system and network information
• • Downloads and executes additional payloads
• • Moves laterally using stolen credentials

Target Platforms

Windows 10, Windows 11

Detection Tips

• • Monitor for regsvr32 executing DLLs from temp folders
• • Alert on scheduled tasks with Base64-encoded commands
• • Detect msiexec downloading from suspicious URLs
• • Watch for web injection attempts in browser processes
• • Monitor for unusual WMI process creation

MITRE ATT&CK Techniques

T1566.001, T1185, T1055, T1069, T1021.006