IcedID
IcedID, also known as BokBot, is a prevalent banking trojan and loader/downloader malware family, associated in the source material with the Lunar Spider threat actor. It has been distributed by multiple threat actors and spam operations, including TA551, TA577, TA571, and TA2101, and has also been used in campaigns linked to Black Basta, with infrastructure overlaps involving TA866 and ALPHV. Delivery is described via phishing and malspam: Microsoft Word and Excel documents with malicious macros, HTML smuggling, OneNote (.one) attachments referenced in related research, and ISO and LNK files that execute a malicious DLL. One cited campaign delivered IcedID through USPS-themed phishing emails that heavily targeted the healthcare sector in the United States.
Behaviorally, IcedID is described as executing through malicious Office macros and ISO/LNK-delivered DLLs, using HTTPS for command-and-control communications, querying LDAP, and using built-in net commands to identify additional users on the network to infect. In a malware-analysis context, IcedID is described as using an unpacking flow in which VirtualProtect is called before VirtualAlloc, with shellcode-style execution characteristics such as the byte sequence E8 00 00 00 00 (a call to the next instruction, the usual way position-independent code obtains its own address). It copies data with rep movsb and applies xor and ror operations plus additional in-memory copying to produce a clean PE second-stage downloader module. A fixed DLL naming convention was also noted, including loader_64_dll.dll.
The content further places IcedID in the broader dropper/loader ecosystem alongside malware such as Pikabot, SmokeLoader, Trickbot, Bumblebee, and SystemBC. Operation Endgame and related law-enforcement actions are described as having targeted IcedID infrastructure and servers. Additional references note that Proofpoint assessed Latrodectus was written by the same developers as IcedID based on code similarities. High-confidence indicators and artifacts directly mentioned in the content include the alias BokBot, the DLL name loader_64_dll.dll, and one C2-linked IP overlap reference: 109[.]236[.]80[.]191.
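A memory-dump triage helper for the two unpacking artifacts described above (the E8 00 00 00 00 call-next-instruction stub and the in-memory MZ/PE header that the decode loop eventually produces), written here as an added Python example; it is not code from the original page or from any vendor, and the byte buffer it scans is constructed inline as a stand-in for a dumped region.

```python
import struct

GETPC_STUB = b"\xe8\x00\x00\x00\x00"   # call $+5: pushes its own address (shellcode GetPC idiom)
DOS_STUB_MSG = b"This program cannot be run in DOS mode"

def find_getpc_stubs(buf: bytes) -> list[int]:
    """Return every offset at which the call-next-instruction stub appears."""
    hits, pos = [], buf.find(GETPC_STUB)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(GETPC_STUB, pos + 1)
    return hits

def carve_pe_headers(buf: bytes) -> list[dict]:
    """Find 'MZ' headers whose e_lfanew reaches a valid 'PE\\0\\0' signature; a bare 'MZ' (or the partially decoded 'M8Z') is not enough."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):                       # need a full IMAGE_DOS_HEADER
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 6 <= len(buf) and buf[pe:pe + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", buf, pe + 4)[0]   # IMAGE_FILE_HEADER.Machine
                found.append({"offset": pos, "e_lfanew": e_lfanew, "machine": hex(machine),
                              "has_dos_msg": DOS_STUB_MSG in buf[pos:pe]})
        pos = buf.find(b"MZ", pos + 1)
    return found

def build_sample() -> bytes:
    """Constructed sample (not a real dump): nops, GetPC stub, then a minimal x64 PE header."""
    stub = b"\x90" * 8 + GETPC_STUB + b"\x58" + b"\x90" * 7      # nops ; call $+5 ; pop eax ; nops
    dos = bytearray(b"MZ" + b"\x00" * 62)                          # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew -> NT headers at +0x80
    dos_stub = DOS_STUB_MSG + b"\x00" * (0x80 - 0x40 - len(DOS_STUB_MSG))
    nt = b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18  # signature, Machine=AMD64, padding
    return stub + bytes(dos) + dos_stub + nt

def triage(buf: bytes) -> dict:
    """Summarise both artifact types for one buffer."""
    return {"getpc_stubs": find_getpc_stubs(buf), "pe_headers": carve_pe_headers(buf)}

if __name__ == "__main__":
    print(triage(build_sample()))
```

Run over a process memory dump, a GetPC stub adjacent to a carved PE header is the pattern worth escalating; either artifact on its own is common in benign code.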
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Windows Office Product Spawned Uncommon Process ... CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability ...
Groups observed using it
17 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
TA551, also known as Shathak or Gold Cabin, is an attacker group that is responsible for spreading a wide variety of malware families including IcedID, Valak, Ursnif and, more recently, BazarLoader.
IcedID, aka Bokbot, is also one of the most prevalent banking trojans of recent years. It is known to be associated with the Lunar Spider threat actor.
TA577 is a Russia-based threat group that has been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.
In addition, TA571 has been associated with the distribution of other malware families, including variants of IcedID, NetSupportRAT, DarkGate and others.
Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Resource Development (1 technique)
As well as conning search engines to try and get their malicious sites near the top of search results, they can also pay for the privilege: buying paid ads so that their sites are guaranteed to appear prominently. This attack – known as ‘malvertising’ – is often aimed at users looking to download popular software applications.
Initial Access (3 techniques)
The basic flow is as follows: An attacker sends a phishing email containing a .one file attachment.
Proofpoint researchers observed hundreds of emails attempting to deliver malicious Microsoft Word attachments with German lures impersonating the Bundeszentralamt für Steuern... The lure states that a 2019 tax refund is due... and that the recipient should submit a refund request using an attached Microsoft Word document form.
Execution (6 techniques)
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The Microsoft Word attachment, when opened, executes a Microsoft Office macro that, in turn, executes a PowerShell script, which downloads and installs the Maze ransomware payload onto the victim’s system.
When a user searches for a related term and clicks through to the malicious site, the attackers check the Referer header to confirm the user has come from a search engine, and then entice them into downloading malware disguised as a legitimate software application.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence (3 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation (3 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
By inspecting the “lpAddress” argument in VirtualProtect we’ll notice that it appears to deal with shellcode execution.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth (7 techniques)
Then, we observe that the memory section is filled with obfuscated data... additional string fractures such as: “This program cannot run in DOS mode” and the word “PE”, will be revealed.
In malware, we often see threat actors that tend to obfuscate or encrypt their code in order to slow down the analysis of security researchers... many authors tend to use open-source packers but also craft their own custom packers.
Other campaigns have impersonated brands like Adobe, Gimp, Slack, Tor, and Thunderbird, in order to infect users with AuroraStealer, RedLine, Vidar, FormBook, and more.
Of particular note is the use of stolen branding as well as the use of lookalike .icu domains used for the sender email address in order to craft effective lures.
By inspecting the “lpAddress” argument in VirtualProtect we’ll notice that it appears to deal with shellcode execution.
At first glance, it seems this loop has characteristics we expect from traditional decryption/encryption routines, such as shr (shift right), xor, and rol (rotate left) opcodes... The loop changes the first bytes of the obfuscated content to “M8Z”, which starts to resemble the classic “MZ” string.
Defense Impairment (1 technique)
Discovery (5 techniques)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users. IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server. Sandworm Team has used a tool to query Active Directory using LDAP.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
AdFind can enumerate domain users. APT41 used built-in net commands to enumerate domain administrator users. BloodHound can collect information about domain users, including identification of domain admin accounts.
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.
Lateral Movement (1 technique)
Collection (1 technique)
Command and Control (3 techniques)
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
IOCs tracked for this family
109 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware family in the dropper/loader ecosystem referenced as a prior law-enforcement target.
Malware family whose infrastructure was targeted in prior Operation Endgame actions.
Named as one of the dropper networks disrupted during Operation Endgame.
Named malware operation explicitly mentioned as a prior Operation Endgame target.