The many faces of the IcedID attack kill chain

illustration of hacker holding many masks

Executive Summary

The Menlo Labs Team noticed some very interesting and seemingly overlapping IcedID campaigns over the past couple of months. IcedID is a modular trojan that made its appearance in 2017, and since then it’s proven itself to be one the most notorious pieces of malware. In this blog we will briefly touch on the different IcedID campaigns we have been tracking including:

  • Malicious OneNote campaign
  • .url files using webdav protocol campaign
  • Thumbcache viewer campaign
  • HTML smuggling campaigns

Threat intelligence

The attack chain of the IcedID malware is a multi-stage process that begins with malicious actors sending out phishing emails, fake Zoom installers, malicious .one files, or malvertising campaigns. The emails often contain links or attachments that lead to websites hosting malicious payloads, such as OneNote files, JavaScript files, Visual Basic Script (VBS) files, and executables (EXEs). Once opened by the victim, they download additional components from command-and-control (C2) servers controlled by attackers.

OneNote Threat Campaign

In addition, at the end of December 2022, this malware was found leveraging Google pay-per-click ads in malvertising attacks – an online advertising practice wherein bad actors use deceptive or malicious advertisements to spread malware. Threat actors use these ads to lead victims to domains containing scripts used for infection purposes, leveraging compromised WordPress sites as a part of a redirector chain technique. The technique leads users back towards attackers’ intended destination while avoiding detection along the way.

comparison screenshots of real and malicious microsoft teams sites
Which Microsoft Teams page is real?
screenshot of malicious microsoft teams download site
A malicious Microsoft Teams download site.

We observed the attackers leveraging Search Engine Optimization (SEO) poisoning – a type of cyberattack that attempts to exploit SEO algorithms for malicious purposes – to promote compromised sites. It involves the manipulation of website content and code in order to raise its ranking on search engine results pages (SERPs). By leveraging SEO techniques, attackers can make their malicious sites appear more legitimate and desirable than they actually are, thereby steering unsuspecting users towards them – a technique we’ve termed Legacy URL Reputation Evasive (LURE). This technique can evade detection through a combination of technical and social engineering tactics, making it a challenging threat to identify and mitigate – which is why we categorize it as a Highly Evasive Adaptive Threat (HEAT). Menlo Labs has previously detailed an attack using SEO poisoning.

Malvertising is an online advertising practice wherein bad actors use deceptive or malicious advertisements to spread malware. This can happen through display ads, pop-ups, banners, links embedded within websites or emails, etc. Each will lead the user to download a malicious payload such as ransomware or spyware. Malvertising campaigns typically target the corporate populations. However, anyone who visits an infected site can be at risk, regardless of age or experience level.

Webdav protocol campaign

Also seen in December 2022, IcedID used OneNote as an attack vector by exploiting its file-sharing capabilities. The threat actors were able to upload malicious files such as scripts, EXEs and documents into OneNote pages, which then can be shared with potential victims. If the victims open the file and select the clickable icon, they will unknowingly trigger the download of these malicious files and unwittingly install IcedID onto their system. This kind of attack allows hackers to bypass traditional security measures since OneNote is generally deemed safe by antivirus software vendors.

The OneNote campaign went into February 2023 where we saw another IcedID campaign start. This one used .url files that retrieved a .bat file from an open directory WebDav file server. Both the .url and .bat files leverage Web Distributed Authoring and Versioning (WebDAV) to fetch and execute the malware. WebDAV comprises a series of HTTP protocol extensions that enable users to access and modify files stored on a remote web server.

Thumbcache viewer campaign

In March 2023, we saw some samples disguised as “Thumbcache Viewer”. Thumbcache Viewer allows you to extract thumbnail images from the thumbcache_.db and iconcache_.db database files found on Windows.

screenshot showing user account control dialog box for Thumbcache Viewer

HTML smuggling campaigns

Prior to this, IcedID had been seen using HTML smuggling. In Oct 2022, IcedID was being delivered via phishing email with a HTML attachment. When users open and click on the decoy, they will download a password-protected zip file that contains a malicious ISO file.

Some unconfirmed reports stated IcedID is being used exclusively by Quantum Ransomware gang, however these recent infection chains have yet to reveal the end goal. Quantum Ransomware (which is made up of ex-Conti members) has been rebranded over the years. Starting out as MountLocker in June 2020, then renamed to AstroLocker and XingLocker before finally becoming Quantum. Knowing this, we can look at some past campaigns that involved IcedID, such as:

  • Quantum Ransomware – April 25, 2022 ISO/LNK campaign
  • Conti Ransomware – December 2021 Stolen Images Campaign Ends in Conti Ransomware
  • XingLocker Ransomware – October 18, 2021 IcedID to XingLocker Ransomware in 24 hours

Infection Vector/Technical Details

Once IcedID is loaded onto the victim’s system, it establishes persistence through registry manipulation techniques. It modifies browser settings to inject malicious content into legitimate web pages that were viewed by victims, which leads to further infection. It also injects scripts into existing processes for it to communicate with its C2 server without being detected. Finally, it can download other payloads such as ransomware or steal sensitive information like passwords from infected machines.

IcedID also has the ability to harvest stored credentials from web browsers, such as Chrome or Firefox, and use them for further attacks against other systems on the same network. It can also take screenshots of user activity and record keystrokes for potential password theft. The malware also attempts to disable security products, like anti-virus software or firewalls, so that it can remain undetected by IT teams who are attempting to combat its infections.

In a recent incident, an IcedID (that was mentioned above) WebDav file server was left open and you could see and grab the malicious files that were to be used in the attack. The threat actors use malicious Office documents containing links to URLs hosted in their own infrastructure, which then download secondary malware on the victim’s machine.

screenshot of /webdav index

Also interesting in the Onenote IcedID campaign mentioned above is that malicious code is hidden in the Onenote file. That code is attempting to download an executable file (putty.exe) from an external source and execute it on the victims’ computer (analyst comment: the sample reviewed errored out because the location it is saved to is over written later on in the code). It also attempts to hide its activity by resizing the window, moving it out of view, and closing it after 15 seconds.

Further down in the Onenote file is more code that attempts to download two files (classic.jpg and invoice.pdf) from a remote location and then execute them using PowerShell by bypassing certain security protocols on the user’s computer. The createExecution function executes “rundll32” with “C:\Users\Public\classic.jpg,PluginInit” as an argument. It also sets up an alert() function that would be triggered when clicking on the “t” link, as well as resizes and moves the window it has been loaded in after loading the image with its alt tag containing a Powershell command. Finally, it automatically clicks on the “K” link 45 seconds after loading, likely to try and close itself afterwards so as not to leave any trace of being executed.

classic.jpg is a malicious executable and invoice.pdf is a decoy file to trick the user into thinking they downloaded a normal file.

onenote metadata showing malicious code

Also interesting is some meta data left in the malicious files, such as:

  • Some distinct markers for its campaigns:
    • unpaid_(numbers)-(Month)
  • File paths:
    • C:\Users\Admin\Desktop\htaLdr\cloudDocument.hta
    • C:\Users\Admin\Desktop\htaRevenge\lookAtThat.hta


Overall, IcedID uses various techniques ranging from targeting specific organizations to using advanced evasion techniques in order to gain access to systems undetected. This allows it to carry out nefarious activities before any security measures can intervene, making it one of most dangerous threats currently active today!

Download eBook: How cybercriminals use browser features to evade detection


Icedid dll


Icedid exe



The post The many faces of the IcedID attack kill chain appeared first on Menlo Security.

*** This is a Security Bloggers Network syndicated blog from Menlo Security authored by Menlo Labs. Read the original post at: