IcedID is a banking trojan first spotted in November 2017 by IBM's X-Force. The trojan conducts redirection attacks by installing a local proxy that redirects users to cloned sites, and web injection attacks by injecting into browser processes to display fake content on top of the legitimate page, in both cases to steal users' financial data. The group behind IcedID uses the Emotet trojan's botnet infrastructure and geotargeting capabilities to deliver the trojan to users in specific countries, including the US, Canada, and the United Kingdom. The trojan targets payment card providers and webmail sites with redirection attacks, and online banking portals with web injection attacks. Additionally, IcedID encrypts communication with its C2 server and uses a registry key-based boot persistence mechanism.
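Two of the host artefacts described above, a user-level proxy pointed at the local machine and a Run-key persistence entry, can be checked for during triage from a registry export. The script below is an added example written for this page, not code from NJCCIC or IBM X-Force: it parses the text .reg export format and flags a WinINET proxy that points at loopback together with Run-key entries launching from user-writable folders. The key paths are the standard WinINET and Run locations; the sample export, the loopback check and the "user-writable folder" heuristic are constructed assumptions, and a loopback proxy is also how legitimate tools such as debugging proxies work, so a hit is a lead to review rather than proof of infection.

```python
"""Triage a Windows registry text export (.reg) for two IcedID-style artefacts:
a local proxy enabled for the user, and Run-key persistence from a temp folder.
Added example; the sample export below is constructed, not a real capture."""
import re
from typing import Dict, List, Optional, Tuple

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name: raw value}

# Standard WinINET proxy and autorun locations (well-known paths, not page-specific).
INET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Assumption: autoruns from these folders deserve a look; legitimate software rarely lives there.
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\public\\")
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")

# Constructed sample export: one benign OneDrive autorun and one suspicious entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:49301"
"ProxyOverride"="<local>"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svc_x.exe"
"""


def parse_reg_export(text: str) -> RegTree:
    """Minimal .reg parser: [key] headers followed by "name"=value lines.
    Handles quoted strings (with doubled backslashes) and dword values."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            tree[current][name] = value
    return tree


def find_local_proxy(tree: RegTree) -> Optional[str]:
    """Report an enabled user proxy whose server is the local machine."""
    vals = tree.get(INET_SETTINGS, {})
    if vals.get("ProxyEnable") != "dword:00000001":
        return None
    server = vals.get("ProxyServer", "")
    if any(host in server.lower() for host in LOOPBACK_HOSTS):
        return f"ProxyEnable=1 with ProxyServer={server}"
    return None


def find_suspicious_run_entries(tree: RegTree) -> List[str]:
    """Report Run-key values whose command lives in a user-writable folder."""
    hits = []
    for key in RUN_KEYS:
        for name, value in tree.get(key, {}).items():
            if any(hint in value.lower() for hint in USER_WRITABLE_HINTS):
                hits.append(f"{key}\\{name} -> {value}")
    return hits


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (finding type, detail) pairs for one registry export."""
    tree = parse_reg_export(text)
    findings: List[Tuple[str, str]] = []
    proxy = find_local_proxy(tree)
    if proxy:
        findings.append(("local-proxy", proxy))
    for hit in find_suspicious_run_entries(tree):
        findings.append(("run-key-user-writable", hit))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REG):
        print(f"[{kind}] {detail}")
```

On a live host the same checks are usually run against an export produced with `reg export`, or against the hive directly with the `winreg` module; the text parser keeps this example runnable offline on any platform.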

Technical Details

  • IBM X-Force provides technical analysis of the IcedID trojan here.