IcedID Malware

IcedID is a banking trojan that was first discovered in the wild in September 2017. In October 2022, it was the fourth most common malware variant, partially driven by the return of Emotet, which often delivers the malware. As a banking trojan, IcedID specializes in collecting login credentials for user accounts with financial institutions. IcedID is also capable of dropping malware.

While IcedID is commonly distributed by Emotet, a botnet malware, it is not the only delivery vector for IcedID. The banking trojan also distributes itself via malspam campaigns and can move through a network to infect other hosts after gaining a foothold on an infected system. The IcedID malware is also known for using various techniques to conceal its presence on a system. For example, the malware uses process injection to hide itself on the system and steganography to conceal sensitive data.


The Threat

As the IcedID malware is a banking trojan, its primary purpose is to steal login credentials for users’ accounts at financial institutions. Once it has these credentials, the malware operators can log into the user accounts and steal money from the user. More recently, IcedID has also been used to drop additional malware.

IcedID uses web injection to trick users into handing over their credentials:

  • Web injection is the method that IcedID uses to collect login information for online banking portals. Using this method, the attacker injects HTML or JavaScript code into a website’s content before it is rendered in the browser. This allows the malware to collect and exfiltrate user credentials for later use.

How to Protect Against IcedID Malware

IcedID is a sophisticated banking trojan, and its use of evasion techniques makes it difficult to identify and remediate on infected systems. However, organizations and individuals can take a variety of actions to protect themselves against IcedID infections.

Some best practices for dealing with malware and banking trojans in general and IcedID in particular include the following:

  • Employee Training: IcedID uses social engineering techniques to spread itself and trick users into handing over sensitive information, such as their login credentials. Training employees to identify and properly respond to social engineering is essential to minimizing the threat of IcedID.
  • Deploy Endpoint Security: Endpoint security solutions have the ability to identify and block attempted infections by IcedID and other malware. Endpoint security solutions should be deployed on all devices, be kept up-to-date, and have access to high-quality cyber threat intelligence.
  • Use Strong MFA: As a banking trojan, IcedID’s primary goal is to collect login credentials for user accounts. Enforcing the use of strong multi-factor authentication (MFA) can reduce the risk of a successful account takeover attack.
  • Implement Email Security: IcedID is commonly spread via malicious email. Email security solutions that inspect email contents and attachments for malicious content can help to detect IcedID malware infections.
  • Monitor the Network: IcedID operates a proxy on port 49157 on infected computers and attempts to spread itself through the network from a compromised host. Monitoring for anomalous open ports and unusual internal network traffic can help to identify IcedID infections.
  • Implement Least Privilege: IcedID steals login credentials and uses them to spread through the network. Enforcing the principle of least privilege, which restricts users and devices to the minimum permissions necessary for their role, limits the damage that can be done by a compromised device or user account.
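The two network indicators named in the list above, a host listening on port 49157 and a compromised host fanning out to many internal peers, can be turned into a simple triage check over flow records. The following is an added example written for this page, not Check Point's code or any detection content from the IcedID analysis itself. The flow-log format, the sample records and the fan-out threshold of five distinct internal destinations are all constructed assumptions; the only value taken from the page is the proxy port.

```python
"""Triage of constructed network flow records for IcedID-style indicators.

Signals checked (from the mitigation list above):
  1. a host with a listening socket on the IcedID proxy port (49157)
  2. a single host opening connections to many distinct internal hosts,
     which is what lateral-movement attempts look like in flow data
"""
from collections import defaultdict
import ipaddress

ICEDID_PROXY_PORT = 49157     # port named on the page
FAN_OUT_THRESHOLD = 5         # assumed tuning value: distinct internal peers per source

# Constructed sample flow log (assumed format):
#   timestamp src_ip src_port dst_ip dst_port state
SAMPLE_FLOW_LOG = """\
2022-10-03T09:00:01 10.0.5.21 49157 0.0.0.0 0 LISTEN
2022-10-03T09:00:02 10.0.5.40 3389 0.0.0.0 0 LISTEN
2022-10-03T09:00:05 10.0.5.21 51002 10.0.5.30 445 SYN
2022-10-03T09:00:05 10.0.5.21 51003 10.0.5.31 445 SYN
2022-10-03T09:00:06 10.0.5.21 51004 10.0.5.32 445 SYN
2022-10-03T09:00:06 10.0.5.21 51005 10.0.5.33 445 SYN
2022-10-03T09:00:07 10.0.5.21 51006 10.0.5.34 445 SYN
2022-10-03T09:00:07 10.0.5.21 51007 10.0.5.35 445 SYN
2022-10-03T09:00:09 10.0.5.40 52000 93.184.216.34 443 SYN
2022-10-03T09:00:10 10.0.5.40 52001 10.0.5.2 53 SYN
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, state = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "state": state})
    return flows


def hosts_listening_on(flows, port=ICEDID_PROXY_PORT):
    """Hosts that have a LISTEN record on the given local port."""
    return sorted({f["src"] for f in flows
                   if f["state"] == "LISTEN" and f["sport"] == port})


def internal_fan_out(flows, threshold=FAN_OUT_THRESHOLD):
    """Map of source host -> number of distinct private-range destinations,
    keeping only sources at or above the threshold. Outbound connections to
    public addresses are ignored so normal web browsing does not trip it."""
    peers = defaultdict(set)
    for f in flows:
        if f["state"] != "SYN":
            continue
        if ipaddress.ip_address(f["dst"]).is_private:
            peers[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


def triage(text):
    """Return (host, reason) findings for both indicators, in a stable order."""
    flows = parse_flows(text)
    findings = []
    for host in hosts_listening_on(flows):
        findings.append((host, "listening on IcedID proxy port %d" % ICEDID_PROXY_PORT))
    for host, n in sorted(internal_fan_out(flows).items()):
        findings.append((host, "connected to %d distinct internal hosts" % n))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_FLOW_LOG):
        print(host, reason)
```

On the constructed log, host 10.0.5.21 is reported twice: once for the listening socket on 49157 and once for reaching six distinct internal hosts over SMB in a few seconds, while 10.0.5.40 (an RDP listener with one internal DNS lookup and one outbound HTTPS connection) is not reported. In practice the fan-out threshold must be tuned per environment, since backup servers, vulnerability scanners and domain controllers legitimately connect to many internal hosts.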

IcedID Protection with Check Point

While IcedID poses a significant threat to corporate and personal cybersecurity, it is far from the only cyber threat that companies face and was only the fourth most common malware variant in October 2022. Learn more about the current state of the cyber threat landscape in Check Point’s 2022 Cyber Security Report.

Check Point Harmony Endpoint provides comprehensive protection against IcedID and other banking trojans and malware. With access to threat intelligence from Check Point ThreatCloud, Harmony Endpoint has visibility into the latest attack campaigns and the ability to prevent attacks by emerging malware variants.

Harmony Endpoint enables organizations to deploy scalable, centrally-managed endpoint security to protect their systems and users. Learn more about how Harmony Endpoint can improve your organization’s endpoint security posture by signing up for a free demo today.
