BIPI

IcedID Evolved: From Banking Trojan to Initial Access Broker

Threat Intelligence

IcedID started as a banking trojan in 2017 and spent six years quietly becoming one of ransomware's most reliable front doors. The Forked and Lite variants reveal a deliberate architectural pivot.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 5, 2024 · 9 min read

#icedid #bokbot #malware #initial-access #ransomware

IcedID, also known as Bokbot, was first documented in 2017 by IBM X-Force. Its original purpose was financial fraud: it performed browser injection attacks to intercept banking sessions and steal credentials in real time. By 2020, that banking fraud model had largely given way to a more lucrative business: selling persistent access inside corporate networks to ransomware operators. The malware did not change dramatically. The operators' commercial model did.

Architecture of the Standard Variant

The classic IcedID loader arrives as a DLL, typically loaded via regsvr32.exe or rundll32.exe. It decrypts a second-stage payload from an encrypted resource section, injects it into a legitimate process (commonly msiexec.exe), and then makes an initial check-in to its C2 over HTTPS with a distinctive User-Agent string and a hardcoded cookie that encodes a victim system fingerprint. The C2 responds with a configuration file specifying webinject targets, SOCKS proxy parameters, and a backconnect address for operator tunneling.

  • Initial loader: DLL, often delivered via ISO or malicious Office document
  • Injection target: msiexec.exe (avoids AV hooks in more scrutinized processes)
  • C2 protocol: HTTPS, cookie-based victim fingerprinting, JA3 fingerprint is distinctive
  • Persistence: scheduled task or HKCU Run key pointing to the second-stage DLL copy in %APPDATA%
  • Capabilities: browser injection, credential theft, SOCKS5 proxy for operator tunneling, VNC module

The Forked Variant

In early 2023, researchers at Sekoia and Team Cymru documented a new IcedID variant they called 'Forked.' The Forked variant stripped out the banking fraud modules entirely: no browser injection, no webinject configuration, no financial targeting. What remained was a lean initial access tool optimized for delivering a follow-on payload. The C2 communication was retooled using a different URI pattern, and the victim fingerprint encoding changed, breaking existing network signatures.

Removing the banking fraud engine made Forked IcedID smaller, faster, and better at evading sandboxes that flag banking trojan behaviors. The pivot was strategic, not accidental.

The Lite Variant

The Lite variant appeared around the same time as Forked and goes even further in stripping functionality. It is essentially a single-purpose downloader: check in to C2, receive a payload URL, download and execute. Researchers believe Lite is used for specific targeted operations where a small footprint is more important than post-infection capability. Some samples have been linked to Gozi (ISFB) operator infrastructure, suggesting shared or leased delivery services.

  • 2017: first IcedID documentation by IBM X-Force
  • 3 distinct variants: Standard, Forked, Lite
  • >60% of IcedID infections lead to ransomware within 5 days (Group-IB data)
  • ~$40M estimated affiliate revenue attributed to IcedID access sales (2022)

Delivery Methods Over Time

  1. 2017-2019: Malicious Word/Excel macros, direct attachment phishing
  2. 2020-2021: Emotet as a delivery vehicle (IcedID was a common Emotet secondary payload)
  3. 2022: ISO and IMG file containers to bypass Mark-of-the-Web (MOTW), LNK-based execution
  4. 2023: OneNote attachments, Google Ads abuse for drive-by downloads, SEO poisoning

Detection and Hunting

  • Network: IcedID C2 requests have a consistent cookie format encoding the system GUID, Windows version, and username in base64
  • Process: msiexec.exe making outbound HTTPS connections without an installer context is highly anomalous
  • File: second-stage DLL in %APPDATA%\[random-folder]\ with a creation timestamp within seconds of scheduled task creation
  • Scheduled task name is typically a GUID or a misspelling of a common Windows service name
  • YARA: the Standard variant has a distinctive string decryption loop using a rolling XOR with a 40-byte key; community rules are maintained by Proofpoint and Elastic
  • JA3 fingerprint 51c64c77e60f3980eea90869b68c58a8 has been historically associated with IcedID C2 check-ins
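To make the process and file heuristics above concrete, here is an added example (not from the original article or from any vendor tooling) that runs two of those correlations over constructed Sysmon-style events: msiexec.exe talking HTTPS with no preceding installer command line, and a scheduled task registered seconds after a DLL lands under %APPDATA%. The event field names are simplified, and the ten-minute and thirty-second windows are assumptions to tune against your own telemetry.

```python
"""Hunting logic for two of the host-side IcedID patterns listed above, run over
constructed Sysmon-style events (EventID 1 process create, 3 network connect,
11 file create) plus a Security-log 4698 scheduled-task-created event."""
from datetime import datetime, timedelta
# Command-line markers that indicate a genuine installer context for msiexec.exe.
INSTALLER_MARKERS = ("/i", "/x", "/package", "/update", ".msi", ".msp")

MSIEXEC = r"C:\Windows\System32\msiexec.exe"
# Constructed sample telemetry from one host; keys are simplified Sysmon field names.
EVENTS = [
    # Benign: an interactive install, then msiexec fetching content over HTTPS.
    {"ts": "2024-09-05T10:00:01", "id": 1, "image": MSIEXEC,
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi" /qn'},
    {"ts": "2024-09-05T10:00:09", "id": 3, "image": MSIEXEC, "dst": "203.0.113.10", "dport": 443},
    # Suspicious: msiexec started with no installer arguments, a C2-style check-in,
    # a DLL landing under %APPDATA%, and a scheduled task registered seconds later.
    {"ts": "2024-09-05T11:30:00", "id": 1, "image": MSIEXEC, "cmdline": "msiexec.exe"},
    {"ts": "2024-09-05T11:30:04", "id": 3, "image": MSIEXEC, "dst": "198.51.100.7", "dport": 443},
    {"ts": "2024-09-05T11:30:06", "id": 11, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Kqzv\license.dll"},
    {"ts": "2024-09-05T11:30:09", "id": 4698, "task": r"\{3f1c2a9e-0000-4000-8000-000000000000}"},
]

def ts(e):
    return datetime.fromisoformat(e["ts"])

def msiexec_without_installer(events, lookback=timedelta(minutes=10)):
    """Destinations of msiexec.exe HTTPS connections lacking an installer-context process create."""
    hits = []
    for ev in events:
        if ev["id"] != 3 or not ev["image"].lower().endswith("msiexec.exe") or ev["dport"] != 443:
            continue
        has_context = any(
            p["id"] == 1 and p["image"].lower().endswith("msiexec.exe")
            and timedelta(0) <= ts(ev) - ts(p) <= lookback
            and any(m in p["cmdline"].lower() for m in INSTALLER_MARKERS)
            for p in events)
        if not has_context:
            hits.append(ev["dst"])
    return hits

def task_after_appdata_dll(events, window=timedelta(seconds=30)):
    """(dll_path, task_name) pairs where a task was created within `window` after an AppData DLL write."""
    return [(f["target"], t["task"])
            for t in events if t["id"] == 4698
            for f in events if f["id"] == 11
            and f["target"].lower().endswith(".dll")
            and "\\appdata\\" in f["target"].lower()
            and timedelta(0) <= ts(t) - ts(f) <= window]
```

Both functions return the evidence that would go into a ticket (C2 destination, dropped DLL, task name), so they can be fed directly into the isolation and task-cleanup steps of the remediation list.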

Remediation

  1. Isolate any host where msiexec.exe has generated outbound HTTPS traffic without a software installation event
  2. Delete scheduled tasks created in the same minute as DLL drops in user-writable directories
  3. Rotate credentials for the affected user account and any accounts with cached credentials on the host
  4. Scan for lateral movement artifacts: IcedID operators typically deploy Cobalt Strike within 2-4 hours of access
  5. Engage threat intelligence: query your TI provider for the specific C2 IPs and assess blast radius across your network
