Indicators of Compromise Associated with IcedID

Fortify Security Team
Sep 28, 2021

FBI reporting has indicated a recent increase in IcedID malware acting as a “dropper,” infecting victims with additional malware. Examples of ransomware variants dropped by IcedID include Defray777, GlobeImposter, Cuba, Conti, and REvil (aka Sodinokibi). First reported in late 2017, IcedID (also known as BokBot) has been known as a banking trojan that targets victims with a redirect attack. When a victim uses an infected computer to access an online banking platform, IcedID redirects victims to a visually identical fake banking website. The fake website solicits login credentials from the victim and then shows an error message, leading the victim to believe the website is malfunctioning. Meanwhile, the actor(s) behind the fake website obtain and use the user’s credentials to access the victim’s bank account.

Initial IcedID infections often result from emails containing a zipped Microsoft Excel or Word document with a generic name and possibly a date. The password for the zipped file is in the content of the email. The Excel or Word document has a graphic stating it was created in an older version of Excel or Word and requests the user click “Enable Content” in order to display the document. Cyber actors also target organizations by embedding malicious “Contact Us” links into emails through public domains. Cyber actors deliver IcedID using Emotet, Trickbot, and TA551 (also known as Shathak and GoldCabin). TA551 is an email-based malware distribution campaign that has exclusively pushed IcedID since mid-July 2020.
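As an added example (not part of the FLASH), the following Python triage heuristic flags the lure characteristics described above over constructed mail-gateway records: a generic-named zip attachment, the archive password handed over in the message body, and a zip arriving inside an existing conversation thread. The record fields, name patterns and sample messages are assumptions, not a real product schema.

```python
import re
from dataclasses import dataclass, field

@dataclass
class MailEvent:
    # Assumed fields for a parsed mail-gateway record (not a real product schema)
    sender: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names
    replies_to_known_thread: bool = False             # sender seen in an earlier thread

# Generic attachment names such as "document.zip" or "info_0928.zip"
GENERIC_ZIP = re.compile(r"^(document|doc|info|file|report|invoice)[ _-]?\d{0,8}\.zip$", re.I)
# Archive password handed over in the message body, as in the IcedID lures
PASSWORD_IN_BODY = re.compile(r"\bpassword\b\s*(?:is|:|=)\s*\S+", re.I)

def triage(event: MailEvent) -> list:
    """Return the lure characteristics matched by one message."""
    hits = []
    zips = [a for a in event.attachments if a.lower().endswith(".zip")]
    if any(GENERIC_ZIP.match(a) for a in zips):
        hits.append("generic-named zip attachment")
    if zips and PASSWORD_IN_BODY.search(event.body):
        hits.append("archive password supplied in body")
    if zips and event.replies_to_known_thread:
        hits.append("zip sent inside an existing thread (possible thread hijack)")
    return hits

def is_suspicious(event: MailEvent) -> bool:
    # Two independent characteristics together are worth an analyst look
    return len(triage(event)) >= 2

# Constructed sample messages (not real captures)
SAMPLES = [
    MailEvent("partner@example.com",
              "Please see attached. The password is 2021.",
              ["document_0928.zip"], replies_to_known_thread=True),
    MailEvent("colleague@example.com", "Slides for tomorrow.", ["deck.pptx"]),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev.sender, is_suspicious(ev), triage(ev))
```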

Through industry partners and open source information, the tier one C2 domains are easily identifiable and fall into two to three different categories. While naming conventions differ by researcher, the first set of tier one C2 domains stage the initial component of the IcedID malware, which is pulled down to a victim by the malicious Microsoft Word or Excel attachments. These C2s are typically valid for approximately 24 hours. The second set of tier one C2 domains stage the GZIP loader that is pulled down to a victim by the initial IcedID component. These C2s are also valid for approximately 24 hours. The final set of tier one C2 domains are the core or victim (bot) control C2s. These C2s change less often and can be valid for two or more weeks.

For the second tier of infrastructure, there are two different components: inject panel domains and tier 2 servers or proxies. Inject panel domains control which web injects, or fake websites, the victim will be targeted with. These domains are likely proxies to higher tiered infrastructure. Tier 2 servers are proxies between the tier one C2 domains of all types and the backend infrastructure at higher tiers. As of the date of this FLASH, the use of web injects by IcedID has significantly dropped, and these domains are less likely to be seen by victims. Instead, the FBI has identified an increased use of tier 2 servers or proxies to target victims.

Indicators of Compromise
Victims of IcedID may see C2 domains in their network traffic. IcedID C2 domains change frequently, and are only active for short periods. Network defenders should visit trusted security vendor websites or blogs for current or breaking information.

The following are characteristics of an IcedID compromise:

C2 Domains Distributing IcedID Payload on or after August 1, 2021


Hash Values of IcedID Binaries as of August 1, 2021


Recommended Mitigations

  • Be wary of thread hijacking, where actors reply to legitimate previous conversations within a victim’s email in order to send additional phishing emails within a network from the victim’s account. If you receive a zipped document from an email address you have previously communicated with, verify through another form of communication that the document originated from the sender.
  • Be wary of the “Enable Content” feature in Microsoft attachments. Clicking this button enables the IcedID payload to download to a victim machine.
  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Use two-factor authentication with strong passwords, including for remote access services.
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.
  • Keep computers, devices, and applications patched and up-to-date.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Review the following additional resources.
    • The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
    • The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center Joint Ransomware Guide covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.
    • gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.


If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.

  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
  • Turn off other computers and devices. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.
