IcedID is a modular banking trojan, first seen in September 2017, that is delivered by the Emotet trojan and targets customers of financial institutions and telecommunications providers. It can also propagate across a network and infect terminal servers. IcedID does not appear to reuse code from other malware, yet it already offers features comparable to those of more established trojans, which suggests its developers are experienced and are likely to keep extending it.
Emotet acts as the dropper; IcedID then requires a reboot to complete its installation. Once running, it sets up a local proxy through which the victim's browser traffic is routed, so it can capture credentials and other data before relaying them to its four command and control (C2) servers over secure sockets layer (SSL). IcedID can also carry out redirection attacks: the victim is served a fraudulent banking page while the browser continues to display the bank's legitimate URL and SSL certificate, so neither the address bar nor the padlock gives any warning.
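The local-proxy design described above leaves a host-side footprint: a non-browser process listening on loopback, the browser connected to that loopback port, and the same process holding its own TLS connection out to the internet. The script below is an added example, not code from the original article or from any IcedID analysis, that scores a socket table for that pattern. The socket table, the process names, the ports and the address ranges are all constructed for the example and are not IcedID indicators.

```python
"""Triage a socket table for the 'browser -> loopback proxy -> outbound TLS'
pattern used by banking trojans that interpose a local proxy on browser
traffic. All data below is constructed for the example (assumption)."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Socket:
    pid: int
    process: str
    state: str   # "LISTEN" or "ESTABLISHED"
    local: str   # "host:port"
    remote: str  # "host:port", or "*:*" for a listener


# Browser image names are an assumption for the example; extend for your estate.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
LOOPBACK = {"127.0.0.1", "::1"}


def split_addr(addr: str):
    """'host:port' -> (host, port); the last colon separates the port."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def find_local_proxies(sockets: List[Socket]) -> List[dict]:
    """Return one finding per (browser pid, loopback-listener pid) pair,
    highest concern first: a listener whose owner also holds an outbound
    TLS connection is the shape of a relaying proxy."""
    process_of: Dict[int, str] = {s.pid: s.process for s in sockets}
    listener_pid: Dict[int, int] = {}   # loopback port -> owning pid
    outbound_tls = set()                # pids connected to a non-loopback :443

    for s in sockets:
        lhost, lport = split_addr(s.local)
        if s.state == "LISTEN" and lhost in LOOPBACK:
            listener_pid[lport] = s.pid
        elif s.state == "ESTABLISHED":
            rhost, rport = split_addr(s.remote)
            if rhost not in LOOPBACK and rport == 443:
                outbound_tls.add(s.pid)

    findings, seen = [], set()
    for s in sockets:
        if s.state != "ESTABLISHED" or s.process.lower() not in BROWSERS:
            continue
        rhost, rport = split_addr(s.remote)
        if rhost not in LOOPBACK:
            continue
        owner = listener_pid.get(rport)
        # Ignore unknown listeners and browser-to-browser loopback traffic.
        if owner is None or owner == s.pid or process_of[owner].lower() in BROWSERS:
            continue
        key = (s.pid, owner)
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "browser": f"{s.process} (pid {s.pid})",
            "proxy": f"{process_of[owner]} (pid {owner})",
            "proxy_port": rport,
            "relays_tls_upstream": owner in outbound_tls,
        })

    findings.sort(key=lambda f: not f["relays_tls_upstream"])
    return findings


# Constructed sample: one suspicious loopback proxy that also talks TLS to a
# TEST-NET address, and one benign local dev server with no upstream traffic.
SAMPLE_SOCKETS = [
    Socket(4120, "update_helper.exe", "LISTEN", "127.0.0.1:50201", "*:*"),
    Socket(4120, "update_helper.exe", "ESTABLISHED", "10.0.0.15:51230", "203.0.113.10:443"),
    Socket(2200, "chrome.exe", "ESTABLISHED", "127.0.0.1:51231", "127.0.0.1:50201"),
    Socket(2200, "chrome.exe", "ESTABLISHED", "127.0.0.1:51232", "127.0.0.1:50201"),
    Socket(3300, "node.exe", "LISTEN", "127.0.0.1:3000", "*:*"),
    Socket(2200, "chrome.exe", "ESTABLISHED", "127.0.0.1:51240", "127.0.0.1:3000"),
    Socket(2200, "chrome.exe", "ESTABLISHED", "10.0.0.15:51250", "198.51.100.7:443"),
]


if __name__ == "__main__":
    for finding in find_local_proxies(SAMPLE_SOCKETS):
        print(finding)
```

Legitimate software shows the same shape: debugging proxies, web filters and some endpoint agents also listen on loopback and relay browser traffic upstream over TLS, so a hit is a triage lead for checking the listener's binary, signature and persistence, not a verdict. On a live Windows host the table would come from `netstat -ano` joined against `tasklist`, or from `Get-NetTCPConnection` with its `OwningProcess` field; the IPv6 bracket form (`[::1]:port`) is not handled by the simple splitter above.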
A schematic view of IcedID's infection and communication infrastructure is shown below:
Image via https://securityintelligence.com