IcedID has been seen quite a bit in the wild recently. Brad Duncan, Threat Intelligence Analyst at Palo Alto Networks, has shared a blog on SANS reviewing a recent IcedID infection which led to Dark VPN activity and Cobalt Strike.
IcedID had its start as a modular banking trojan aimed at stealing user financial information, but it is also capable of, and has been used as, a dropper for other malware. IcedID has recently been seen arriving in a password-protected ZIP attachment that contains an ISO image holding the hidden malware, but it has previously also been seen as a secondary payload delivered by other droppers, such as Emotet.
With its recent popularity, IcedID is definitely a piece of malware that defenders need to be aware of, and they should sharpen up on ways to detect it in their environments.
Brad Duncan’s post and included IoCs can be found here: https://isc.sans.edu/diary/rss/28884
