IcedID is a modular banking trojan first observed in 2017. Since then it has evolved from a regular banking trojan into an entry point for more sophisticated attacks, including human-operated ransomware.
Immediately isolate the affected device. If IcedID has already been launched, it is likely that the device is under complete attacker control.
Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
Review emails delivered to the affected user(s) to determine the source. Identify the malicious email associated with this .ZIP and check if other accounts received the email. Block additional emails from the sending address or with the same attachments or links. Remove delivered emails from the mailboxes of other recipients before they are opened.
Investigate the device timeline for indications of lateral movement using one of the compromised accounts. Check for additional tools, such as Cobalt Strike or Mimikatz, that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
Contact your incident response team. If you don’t have an incident response team, contact Microsoft Support for architectural remediation and forensic investigation. A forensic investigation is important to assess the damage that might have been done.
IcedID is most frequently delivered by malicious emails that carry password-protected .ZIP attachments. These archives contain Word documents with malicious macros that, when enabled, kick off a chain of processes to install the malware. The emails often use a Fake Reply technique, in which the attacker crafts the message to look like a reply to an email that originated from the intended victim. The lures use benign greetings such as "See Attached" or "Good Morning" to entice users into opening the email. When the attachment is password-protected, the password is included in the body of the email as well.
IcedID has been used to target organizations across the globe. Once a user at a targeted organization has downloaded the malware, it can be used to collect credentials via a man-in-the-middle technique or browser injects. Furthermore, it can be used as a first stage for additional malware payloads. In an extreme example, IcedID has been observed leading to human-operated ransomware attacks.
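As an added example (not code from Microsoft's page), the following Python triage script scores constructed mail-gateway metadata against the lure characteristics described above (a .ZIP attachment, the archive password in the body, a reply-style subject with no threading header, and a generic greeting) and, as the remediation guidance above recommends, finds other recipients of the same lure. The field names, sample messages and threshold are assumptions.

```python
import re

# Constructed sample mail-gateway metadata (not real telemetry), modelled on the lure
# described above; field names are assumptions about what a gateway export contains.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "sender": "jane@example.invalid", "subject": "Re: invoice", "in_reply_to": None,
     "body": "Good Morning\nSee Attached. Password: 1234", "attachments": ["documents_2021.zip"]},
    {"id": "msg-002", "sender": "bob@corp.example", "subject": "Re: Q3 report",
     "in_reply_to": "<thread-1@corp.example>", "body": "Thanks, updated figures attached.",
     "attachments": ["q3_report.xlsx"]},
    {"id": "msg-003", "sender": "pm@corp.example", "subject": "Weekly sync", "in_reply_to": None,
     "body": "Agenda attached.", "attachments": ["agenda.docx"]},
    {"id": "msg-004", "sender": "jane@example.invalid", "subject": "Re: contract", "in_reply_to": None,
     "body": "Good Morning\nSee Attached. Password: 1234", "attachments": ["documents_2021.zip"]},
]

GREETING_LURES = ("see attached", "good morning")
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:|=)\s*\S+", re.IGNORECASE)
REPLY_PREFIX_RE = re.compile(r"^\s*(?:re|fw|fwd)\s*:", re.IGNORECASE)

def score_message(msg):
    """Return the lure indicators one message matches (heuristics for triage, not a verdict)."""
    found = []
    if any(name.lower().endswith(".zip") for name in msg["attachments"]):
        found.append("zip_attachment")
    if PASSWORD_RE.search(msg["body"]):
        found.append("password_in_body")
    # A genuine reply normally carries In-Reply-To; a "Re:" subject without it is suspect.
    if REPLY_PREFIX_RE.match(msg["subject"]) and not msg.get("in_reply_to"):
        found.append("fake_reply")
    if any(lure in msg["body"].lower() for lure in GREETING_LURES):
        found.append("generic_greeting")
    return found

def triage(messages, min_indicators=3):
    """Ids of messages matching at least min_indicators, queued for analyst review."""
    return [m["id"] for m in messages if len(score_message(m)) >= min_indicators]

def related_messages(messages, reference_id):
    """Other messages from the same sender or with the same attachment name: the
    other recipients whose delivered copies should be removed before they are opened."""
    ref = next(m for m in messages if m["id"] == reference_id)
    names = {n.lower() for n in ref["attachments"]}
    return [m["id"] for m in messages if m["id"] != reference_id
            and (m["sender"] == ref["sender"] or bool(names & {n.lower() for n in m["attachments"]}))]
```

The threshold of three indicators is deliberately conservative so that a lone "Re:" subject or a legitimate zipped report does not land in the review queue on its own.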
Prevention
Guidance for end users
To know more about malware prevention, refer to the link below:
Apply these mitigations to reduce the impact of this threat.
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Educate end users about protecting personal and business information on social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting reconnaissance attempts and other suspicious activity.
Use the Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Enforce strong, randomized local administrator passwords. Use tools like LAPS.
Check your Microsoft Defender for Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants.
Check your Microsoft Defender for Office 365 antispam policy and your mail flow rules for allowed senders, domains, and IP addresses. Apply extra caution when using these settings to bypass antispam filters, even if the allowed sender addresses belong to trusted organizations: Microsoft Defender for Office 365 will honor these settings and can let potentially harmful messages pass through.
Microsoft Defender Antivirus raises alerts if it detects this threat on your device. Microsoft Defender Antivirus automatically removes threats as they are detected. It will quarantine the malware even if the process is running. If this threat is detected on your environment, we recommend that you immediately investigate it.