Also known as: IceID, BokBot
Platforms affected: Windows
Variants: IcedID lite, Forked IcedID
IcedID is a banking trojan that preys on Windows devices to steal financial credentials. Once deployed, IcedID executes “man-in-the-browser” web injection attacks to capture information directly or redirect the victim to fake websites. IcedID then uses the stolen login details to automatically siphon off funds from the compromised account. IcedID can also be used to drop other malware onto the victim’s device.
Like all trojans, IcedID relies on stealth to carry out its instructions. To trick malware detection tools, IcedID uses process hollowing to inject itself into critical processes (including operating system files) and only launches the main malware component after the compromised system has been rebooted.
Possible indicators of an IcedID infection include:
- Your device frequently freezes or stutters.
- You realize you’ve been redirected to a fake website after clicking a legitimate link.
- Other malware appears on your device without a known cause.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Your device periodically sends data to unknown remote servers (IcedID is uploading device information to its handlers).
- You notice that money has been sent to strangers from your bank account.
Sources of the infection
IcedID is typically installed by first-stage malware (most commonly Emotet) that enters the victim’s system through infected email attachments, such as macro-laden Microsoft Office documents, fake iso files, or compromised zip archives. These attachments are distributed using phishing emails to trick users into opening them. Less commonly, IcedID may be spread directly to the victims of the Cutwail malspam botnet.
Your device may also get infected with IcedID from:
Infected files shared through messaging platforms.
Infected files downloaded from cloud storage or online repositories.
Other viruses that drop IcedID as part of their operations.
Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
Peer-to-peer (P2P) sharing of infected files.
Infected external devices, such as hard drives or USB sticks.
Since IcedID is most commonly spread through infected attachments in phishing emails, developing good email habits goes a long way to keeping you safe. Learn to recognize social engineering attempts and avoid opening suspicious attachments.
Other protective measures include:
Use email scanning tools to identify and automatically block messages with suspicious attachments.
Use reliable antivirus software to detect, quarantine, and eliminate an IcedID infection.
Use multi-factor authentication to protect your accounts in the event that someone steals your password using IcedID.
Avoid potentially dangerous websites like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including IcedID) to your device by exploiting vulnerabilities.
Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.
To remove an IcedID infection, use a reputable antivirus solution. Do not try to remove it manually — IcedID uses multiple persistence mechanisms to reinstall itself after you reboot the system.