IcedID (BokBot)

Posted: December 24, 2023
from Cybersecurity Glossary
Aliases:
IceID, BokBot
Platform:
Windows
Variants:
IcedID lite, Forked IcedID
Damage:
Stolen Financial Information, Redirection To Malicious Web Pages, Keylogging, Opening Backdoors For Other Malware (Like Ransomware)
Risk Level:
High

IcedID, a banking trojan, specializes in infiltrating Windows systems to harvest financial credentials. Upon deployment, it employs 'man-in-the-browser' tactics, injecting web content to acquire information directly or redirect victims to deceptive sites. Subsequently, it utilizes stolen login data to automatically drain funds from compromised accounts. Additionally, IcedID can facilitate the installation of other malware on the victim's device.

Possible symptoms

  • Unusual or unauthorized financial transactions
  • Unexpected redirection to fake banking websites
  • Abnormal system behavior, such as increased network traffic
  • Presence of unfamiliar processes or services in the task manager

Sources of the infection

  • Malicious email attachments and links, often delivered through phishing campaigns
  • Compromised or malicious websites hosting exploit kits
  • Drive-by downloads triggered by visiting compromised web pages
  • Exploitation of software vulnerabilities, especially in outdated or unpatched software
  • Infiltration through other malware or botnets already present on the system

Overview

IcedID, also known as BokBot, is a banking trojan with a primary focus on Windows PC. This malware is crafted to stealthily extract financial credentials, subsequently enabling unauthorized access to victim accounts for fund extraction.

The IcedID employs sophisticated 'man-in-the-browser' tactics upon deployment, injecting malicious content into web pages to directly capture sensitive information or redirect users to deceptive websites. This modus operandi is particularly effective in acquiring login data, which is then utilized to drain funds from compromised accounts. Notably, IcedID doesn't limit its impact to financial theft; it also serves as a gateway for the installation of additional malware on the victim's device.

Common symptoms of an IcedID infection include unusual financial transactions, unexpected redirection to fake banking websites, abnormal system behavior leading to increased network traffic, and the presence of unfamiliar processes or services in the task manager.

The trojan spreads through various vectors, including malicious email attachments and links delivered through phishing campaigns, compromised or malicious websites hosting exploit kits, drive-by downloads triggered by visiting compromised web pages, exploitation of software vulnerabilities (especially in outdated or unpatched software), and infiltration through other malware or botnets already present on the system.

Preventing IcedID infections involves regular updates of the Windows operating system and third-party applications, the use of a Gridinsoft Anti-Malware with real-time protection, exercising caution when interacting with links or downloading attachments (especially from unknown sources), implementing a robust email filtering system to block phishing attempts, and educating users about the risks of social engineering attacks.

If you suspect an infection with IcedID, immediate disconnection of the infected device from the network is crucial to prevent further data exfiltration or malicious activities. Conducting a thorough scan using a Gridinsoft Anti-Malware is recommended for the detection and removal of the trojan. After removal, it is advisable to change all passwords associated with sensitive accounts and monitor financial transactions for any unauthorized activities.

🤔 What to do?

If you suspect an infection with IcedID, immediately disconnect the infected device from the network to prevent further data exfiltration or malicious activities. Conduct a thorough scan using a Gridinsoft Anti-Malware to detect and remove the trojan.

After removing the malware, change all passwords associated with sensitive accounts and monitor your financial transactions for any unauthorized activities.

🛡️ Prevention

To prevent IcedID infections, regularly update your Windows operating system and third-party applications. Utilize a Gridinsoft Anti-Malware with real-time protection. Exercise caution when clicking on links or downloading attachments, especially from unknown sources. Implement a robust email filtering system to block phishing attempts, and educate users about the risks of social engineering attacks.

References

  1. Gozi and IcedID Trojans Spread via Malvertising
  2. PindOS JavaScript Dropper Distributes Bumblebee and IcedID Malware

Gridinsoft Anti-Malware

Cure your PC from any kind of malware

GridinSoft Anti-Malware will help you to protect your computer from spyware, trojans, backdoors, rootkits. It cleans your system from annoying advertisement modules and other malicious stuff developed by hackers.

Gridinsoft Anti-Malware