Rewterz Threat Alert – IcedID banking Trojan

Rewterz Threat Alert – Remcos RAT – Active IOCs

August 16, 2022

Rewterz Threat Alert – APT29 Cozy Bear – Active IOCs

August 16, 2022

Rewterz Threat Alert – IcedID banking Trojan – Active IOCs

Severity

High

Analysis Summary

IcedID, aka BokBot – a banking trojan – first appeared in 2017. The threat actor behind IcedID is Lunar Spider. The main purpose of this trojan is to steal financial information but aside from this, it is also a passage for a RAT. Initially, it was delivered as a later-stage payload from multiple threats including Emotet, TrickBot, and Hancitor. Recently, it is observed that its threat actors are using several new techniques to avoid detection by the sandbox and endpoint security. This trojan has capabilities similar to Zeus, Dridex, and Gozi (financial threats). IcedID can download different additional modules and a configuration file from C2. It performs its task of stealing information by deploying a man-in-the-browser attack which assists in gaining banking credentials.

Impact

Financial Loss
Exposure of Sensitive Data

Indicators of Compromise

MD5

9303af8cf2384b61cd179320da53d88f
b58403b0f8b5e82d82066eb8a67a5fe8

SHA-256

64d002099ceefa7bcfc631c8eca3f5ffd650c7f758d11fbd94f4d0ef6e0f9c42
6942bdc3fef603f86e7c33e427668c15ea38401bb7a0fec693ac6bc8d9156021

SHA-1

b8e622fb390ecbb0b72d0ea983352270c6bd0dd7
1d00e5edf256f82fca21edd198cdc72179b237de

Remediation

Block all threat indicators at their respective controls.
Search for IOCs in your environment.