Published Jan 07, 2020 | Updated Apr 29, 2021

Trojan:Win32/IcedId

Summary

Microsoft Defender Antivirus detects and removes this threat.

This threat is a modular banking trojan first observed in 2017. Since then, IcedID has evolved from a conventional banking trojan into an entry point for more sophisticated attacks, including human-operated ransomware.

Guidance for end users 

To know more about malware prevention, refer to the link below:  


Guidance for enterprise administrators   

Take the following steps:

  1. Immediately isolate the affected device. If IcedID has already been launched, it is likely that the device is under complete attacker control.
  2. Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
  3. Review emails delivered to the affected user(s) to determine the source. Identify the malicious email associated with this .ZIP and check if other accounts received the email. Block additional emails from the sending address or with the same attachments or links. Remove delivered emails from the mailboxes of other recipients before they are opened.
  4. Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools, such as Cobalt Strike or Mimikatz, that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
  5. Contact your incident response team. If you don’t have an incident response team, contact Microsoft Support for architectural remediation and forensic investigation. A forensic investigation is important to assess the damage that might have been done.
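The following is an added example, not code from this page or from Microsoft: a small Python triage script that works through steps 2 to 4 above over a device timeline and a mail log. The event structure, field names, host names, accounts, mail addresses and timestamps are all constructed assumptions; the only indicator strings it matches on are the tool names the advisory itself mentions.

```python
"""Triage helper for the enterprise guidance above (added example, not Microsoft's code).

Step 2: every account seen on the infected device is treated as compromised.
Step 3: other recipients of the same malicious mail are found so it can be blocked
        and unopened copies removed.
Step 4: logons on other hosts sourced from the infected device (lateral movement)
        and process creations naming tooling the advisory mentions are listed.
All sample data below is constructed for the example and is not real telemetry.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str      # host that recorded the event
    kind: str      # "logon" or "process"
    account: str   # account the event ran under
    detail: str    # logon: source host of the session; process: command line


@dataclass(frozen=True)
class MailEvent:
    sender: str
    recipient: str
    attachment: str
    opened: bool


# Constructed sample telemetry (assumption; hosts, accounts and times are made up).
INFECTED_HOST = "WS01"
FIRST_DETECTION = datetime(2021, 4, 20, 9, 5)

SAMPLE_TIMELINE = [
    Event(datetime(2021, 4, 19, 8, 0), "SRV02", "logon", "alice", "WS05"),  # day before, other source
    Event(datetime(2021, 4, 20, 9, 2), "WS01", "process", "alice", "outlook.exe"),
    Event(datetime(2021, 4, 20, 9, 5), "WS01", "process", "alice", "rundll32.exe stage.dll,init"),
    Event(datetime(2021, 4, 20, 10, 12), "WS01", "process", "alice", "mimikatz.exe"),
    Event(datetime(2021, 4, 20, 10, 30), "SRV02", "logon", "alice", "WS01"),
    Event(datetime(2021, 4, 20, 10, 31), "SRV02", "process", "alice", "beacon.exe"),
    Event(datetime(2021, 4, 20, 10, 44), "WS01", "process", "svc_backup", "cmd.exe"),
    Event(datetime(2021, 4, 20, 10, 45), "DC01", "logon", "svc_backup", "WS01"),
]

SAMPLE_MAIL = [
    MailEvent("billing@sender.example", "alice@corp.example", "invoice_0420.zip", True),
    MailEvent("billing@sender.example", "bob@corp.example", "invoice_0420.zip", False),
    MailEvent("billing@sender.example", "carol@corp.example", "invoice_0420.zip", False),
    MailEvent("hr@corp.example", "dave@corp.example", "handbook.pdf", True),
]

# Tooling named in the advisory; matched case-insensitively against command lines.
TOOL_MARKERS = ("mimikatz", "cobalt", "beacon")


def accounts_used_on(timeline: list[Event], infected_host: str) -> set[str]:
    """Step 2: accounts that ran a process on the infected host, or whose session
    on another host originated from it. All of them are considered compromised."""
    return {e.account for e in timeline
            if e.host == infected_host or (e.kind == "logon" and e.detail == infected_host)}


def lateral_movement(timeline: list[Event], infected_host: str, since: datetime) -> list[Event]:
    """Step 4: logons recorded on OTHER hosts whose source is the infected host,
    at or after the first detection time, oldest first."""
    hits = [e for e in timeline
            if e.kind == "logon" and e.host != infected_host
            and e.detail == infected_host and e.ts >= since]
    return sorted(hits, key=lambda e: e.ts)


def known_tools(timeline: list[Event]) -> list[Event]:
    """Step 4: process creations whose command line names tooling from the advisory."""
    return [e for e in timeline if e.kind == "process"
            and any(m in e.detail.lower() for m in TOOL_MARKERS)]


def same_campaign_mail(mail: list[MailEvent], affected_recipient: str) -> list[MailEvent]:
    """Step 3: starting from the affected user's mail, find every other recipient of
    the same attachment from the same sender."""
    seeds = [m for m in mail if m.recipient == affected_recipient]
    return [m for m in mail if m.recipient != affected_recipient
            and any(m.sender == s.sender and m.attachment == s.attachment for s in seeds)]


def triage(timeline=SAMPLE_TIMELINE, mail=SAMPLE_MAIL, infected_host=INFECTED_HOST,
           since=FIRST_DETECTION, affected_recipient="alice@corp.example") -> dict:
    """Summarise the findings into the actions the guidance asks for."""
    related = same_campaign_mail(mail, affected_recipient)
    return {
        "compromised_accounts": sorted(accounts_used_on(timeline, infected_host)),
        "lateral_hosts": [e.host for e in lateral_movement(timeline, infected_host, since)],
        "tools_seen": [(e.host, e.detail) for e in known_tools(timeline)],
        "block_sender": sorted({m.sender for m in related}),
        "purge_unopened_from": [m.recipient for m in related if not m.opened],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the constructed data the script reports both accounts seen on WS01 as compromised, two hosts reached from WS01 after the first detection (the earlier logon from a different source is ignored), the two tool executions, the sender to block, and the two unopened copies to remove. In a real response the event lists would come from endpoint telemetry and the mail trace, and the account list feeds step 2 (password resets) directly.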


Apply these mitigations to reduce the impact of this threat.
