Indicators of Compromise Associated with IcedID

Fortify Security Team
Sep 28, 2021

FBI reporting has indicated a recent increase in IcedID malware acting as a “dropper,” infecting victims with additional malware. Examples of ransomware variants dropped by IcedID include Defray777, GlobeImposter, Cuba, Conti, and REvil (aka Sodinokibi). First reported in late 2017, IcedID (also known as BokBot) has been known as a banking trojan that targets victims with a redirect attack. When a victim uses an infected computer to access an online banking platform, IcedID redirects victims to a visually identical fake banking website. The fake website solicits login credentials from the victim and then shows an error message, leading the victim to believe the website is malfunctioning. Meanwhile, the actor(s) behind the fake website obtain and use the user’s credentials to access the victim’s bank account.

Initial IcedID infections often result from emails containing a zipped Microsoft Excel or Word document with a generic name and possibly a date. The password for the zipped file is in the content of the email. The Excel or Word document has a graphic stating it was created in an older version of Excel or Word and requests the user click “Enable Content” in order to display the document. Cyber actors also target organizations by embedding malicious “Contact Us” links into emails through public domains. Cyber actors deliver IcedID using Emotet, Trickbot, and TA551 (also known as Shathak and GoldCabin). TA551 is an email-based malware distribution campaign that has exclusively pushed IcedID since mid-July 2020.
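The lure described above has a trait a mail gateway can check without ever opening the document: a password-protected zip whose visible entry list contains an Office file. The example below is added here and is not from the FBI FLASH; it reads only the zip central directory (entry names and the per-entry encryption flag are stored unencrypted there, so the password in the email body is not needed) and builds its own constructed fixture, since Python's zipfile cannot write encrypted archives.

```python
import io
import zipfile

# Office formats relevant to the lure; the signal is an Office document
# inside a password-protected zip, not either trait alone.
OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".docx",
               ".xls", ".xlsm", ".xlsb", ".xlsx")


def triage_zip_attachment(zip_bytes: bytes) -> dict:
    """Characterise a zip attachment without extracting it.

    Bit 0 of each entry's general-purpose flag marks it as encrypted; the
    central directory holding names and flags is itself never encrypted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    encrypted = [zi.filename for zi in infos if zi.flag_bits & 0x1]
    office = [zi.filename for zi in infos
              if zi.filename.lower().endswith(OFFICE_EXTS)]
    return {
        "entries": [zi.filename for zi in infos],
        "encrypted": encrypted,
        "office": office,
        "suspicious": bool(encrypted) and bool(office),
    }


def build_sample_zip(entry_name: str, encrypted: bool) -> bytes:
    """Constructed fixture (not a real sample): a one-entry stored zip.

    The encryption bit is set by hand in the local file header (flag at
    offset 6) and the central directory header (flag at offset 8); the
    payload is dummy text, only the headers matter for the triage above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, b"placeholder, not a document")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1                 # local header flag, low byte
        cd = data.find(b"PK\x01\x02")  # central directory signature
        data[cd + 8] |= 0x1            # central directory flag, low byte
    return bytes(data)
```

The same check applies to any zip seen at a mail gateway or in an EDR attachment log, and it flags the archive before a user is ever asked for the password.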

Through industry partners and open source information, the tier one C2 domains are easily identifiable and fall into two to three different categories. While naming conventions differ by researcher, the first set of tier one C2 domains stage the initial component of the IcedID malware, which is pulled down to a victim by the malicious Microsoft Word or Excel attachments. These C2s are typically valid for approximately 24 hours. The second set of tier one C2 domains stage the GZIP loader that is pulled down to a victim by the initial IcedID component. These C2s are also valid for approximately 24 hours. The final set of tier one C2 domains are the core or victim (bot) control C2s. These C2s change less often and can be valid for two or more weeks.

For the second tier of infrastructure, there are two different components: inject panel domains and tier 2 servers or proxies. Inject panel domains control which web injects, or fake websites, the victim will be targeted with. These domains are likely proxies to higher tiered infrastructure. Tier 2 servers are proxies between the tier one C2 domains of all types and the backend infrastructure at higher tiers. As of the date of this FLASH, the use of web injects by IcedID has significantly dropped, and these domains are less likely to be seen by victims. Instead, the FBI has identified an increased use of tier 2 servers or proxies to target victims.

Indicators of Compromise
Victims of IcedID may see C2 domains in their network traffic. IcedID C2 domains change frequently, and are only active for short periods. Network defenders should visit trusted security vendor websites or blogs for current or breaking information.

The following are characteristics of an IcedID compromise:

C2 Domains Distributing IcedID Payload on or after August 1, 2021

Hash Values of IcedID Binaries as of August 1, 2021

Recommended Mitigations

  • Be wary of thread hijacking, where actors reply to legitimate previous conversations within a victim’s email in order to send additional phishing emails within a network from the victim’s account. If you receive a zipped document in a reply to an earlier email conversation, verify through another form of communication that the sender actually sent it.
  • Be wary of the “Enable Content” feature in Microsoft attachments. Clicking this button enables the IcedID payload to download to a victim machine.
  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Use two-factor authentication with strong passwords, including for remote access services.
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.
  • Keep computers, devices, and applications patched and up-to-date.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Review the following additional resources.
    • The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
    • The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center Joint Ransomware Guide covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.
    • gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.


If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.

  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
  • Turn off other computers and devices. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.
