The Trojan is actively monitored by the cybersecurity community around the world. If you search Twitter for the #IcedID
tags, you will find a considerable number of tweets about how and when the Trojan's last campaign was carried out. Probably the most interesting recent news about the Trojan was the appearance of a new stage-downloader Like its previous version, it downloads an image in which the old version, the second-stage downloader, is hidden. A description of the new downloader by researchers can be found at https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
We therefore will not get into the details of how the downloader works, but will focus on the whole infection pattern instead:
- A malicious document is delivered to the victim's device.
- The document is downloaded and launches the first stage: the downloader from the article mentioned above
- The first-stage downloader gets an image from the C&C server and extracts the second stage downloader from the image. It then saves and launches the second-stage downloader.
- The second-stage downloader also downloads an image from the C&C server (although the address may be different), extracts IcedID's main module, and launches it. This last part is described in detail below.
An example can be found at: https://www.malware-traffic-analysis.net/2020/05/01/index.html
. With all questions hopefully answered, let's move on to the second stage.