Trojan:Win32/IcedId
Aliases: Bokbot (other)
Summary
Microsoft Defender Antivirus detects and removes this threat.
IcedID (also tracked as Bokbot) is a modular banking trojan first observed in 2017. It has since evolved from stealing online-banking credentials into an initial-access loader for more sophisticated attacks, including human-operated ransomware.
Guidance for end users
To learn more about malware prevention, refer to the link below:
Guidance for enterprise administrators
Take the following steps:
- Immediately isolate the affected device. If IcedID has already executed, assume the attacker has full control of the device.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Review emails delivered to the affected user(s) to determine the source. Identify the malicious email that delivered the attachment (typically a .ZIP archive) and check whether other accounts received it. Block additional emails from the sending address or with the same attachments or links. Remove delivered emails from the mailboxes of other recipients before they are opened.
- Investigate the device timeline for indications of lateral movement using any of the compromised accounts. Check for additional tools, such as Cobalt Strike or Mimikatz, that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
- Contact your incident response team. If you don’t have an incident response team, contact Microsoft Support for architectural remediation and forensic investigation. A forensic investigation is important to assess the damage that might have been done.
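The response steps above, carried out with PowerShell from a forensics host, as an added example that is not part of the Microsoft page. Host names, IP addresses, account names and the "svc-" naming convention for service accounts are hypothetical placeholders; the script assumes the ActiveDirectory module, PowerShell remoting to the affected device, and remote Security log access on the domain controller. Where Defender for Endpoint is licensed, its device isolation is the better choice for step 1; the firewall-based isolation here is the built-in fallback.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Microsoft page. All host names, IPs and account
# names are hypothetical; run from the forensics host with an account that has
# rights on the affected device and in Active Directory.
param(
    [string]  $AffectedHost        = 'WS-0042.corp.example',   # hypothetical
    [string]  $ForensicsHost       = '10.10.5.20',             # hypothetical: the only peer left reachable
    [string[]]$CompromisedAccounts = @('j.doe', 'svc-backup'), # hypothetical: accounts seen on the device
    [string]  $DomainController    = 'DC01.corp.example',      # hypothetical
    [switch]  $DecommissionServiceAccounts                     # disable 'svc-*' accounts instead of resetting
)

# --- Step 1: isolate the device with Windows Defender Firewall ---------------
# The allow rules for the forensics host go in first so the remoting session
# that is doing the work survives the lockdown.
$isolate = {
    param([string]$Allowed)
    New-NetFirewallRule -DisplayName 'IR-Isolation-Allow-In'  -Direction Inbound  -RemoteAddress $Allowed -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'IR-Isolation-Allow-Out' -Direction Outbound -RemoteAddress $Allowed -Action Allow | Out-Null
    # A default action of Block is not enough on its own: pre-existing allow
    # rules (browser, Core Networking, ...) would still match first.
    Get-NetFirewallRule -Enabled True -Action Allow |
        Where-Object DisplayName -notlike 'IR-Isolation-*' |
        Disable-NetFirewallRule
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
}
Invoke-Command -ComputerName $AffectedHost -ScriptBlock $isolate -ArgumentList $ForensicsHost

# --- Step 2: treat every account used on the device as compromised ----------
Import-Module ActiveDirectory
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($sam in $CompromisedAccounts) {
    $user = Get-ADUser -Identity $sam -Server $DomainController
    if ($DecommissionServiceAccounts -and $sam -like 'svc-*') {
        Disable-ADAccount -Identity $user -Server $DomainController
        continue
    }
    # 24 random bytes -> 32-char Base64 temporary password, handed to the user
    # out of band by the helpdesk; the flag forces a change at next logon.
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Server $DomainController -Reset -NewPassword $newPassword
    Set-ADUser -Identity $user -Server $DomainController -ChangePasswordAtLogon $true
    # Kerberos tickets issued before the reset stay valid until they expire
    # (10 h TGT lifetime by default): isolation stops the attacker now, the
    # reset stops re-use later.
}

# --- Step 3: where did those accounts go next? ------------------------------
# Kerberos service-ticket requests (event 4769) on the DC show which hosts each
# compromised account asked for access to. Any target other than the affected
# device is a lateral-movement lead: check it for Cobalt Strike, Mimikatz and
# similar tooling. Repeat against every DC, since each logs only its own.
$since = (Get-Date).AddDays(-7)
$hits = Get-WinEvent -ComputerName $DomainController `
            -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data.TargetUserName -split '@')[0]   # user@REALM -> user
            Service = $data.ServiceName                      # e.g. FS01$ or a service SPN
            From    = $data.IpAddress -replace '^::ffff:', ''
        }
    } |
    Where-Object { $CompromisedAccounts -contains $_.Account -and $_.Service -ne 'krbtgt' }
$hits | Sort-Object Time | Format-Table -AutoSize
```

Run the script before the first helpdesk ticket is closed, not after: the order (isolate, then reset, then hunt) matters, because a reset without isolation leaves the attacker with valid tickets and a live foothold. The 4769 table is the starting point for the device timeline review; every host in the Service column that is not the affected device needs the same triage.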
Apply these mitigations to reduce the impact of this threat.
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
- Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
- Use the Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
- Enforce strong, randomized local administrator passwords. Use tools like LAPS.
- Check your Microsoft Defender for Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants.
- Check your Microsoft Defender for Office 365 antispam policy and your mail flow rules for allowed senders, domains and IP addresses. Apply extra caution when using these settings to bypass antispam filters, even if the allowed sender addresses belong to trusted organizations: Microsoft Defender for Office 365 honors these settings and can let potentially harmful messages through.
- Review system overrides in Threat Explorer to determine why attack messages reached recipient mailboxes.
- Turn on the following attack surface reduction rules to block or audit activities associated with this threat:
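The cloud-protection, firewall and LAPS items above, applied with PowerShell on a domain-joined endpoint, as an added example that is not part of the Microsoft page. The subnets are hypothetical, and the script assumes Windows LAPS (the Get-LapsADPassword cmdlet and the msLAPS-* attributes) and the ActiveDirectory module. It reports the attack surface reduction rules currently configured rather than setting any, so the output can be compared with the rules the page recommends.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Microsoft page. Subnets are hypothetical:
# workstations live in 10.20.0.0/16 and admin/jump hosts outside it in
# 10.10.5.0/24, because a firewall Block rule wins over Allow and
# -RemoteAddress cannot express "this range except that one".
$WorkstationSubnet = '10.20.0.0/16'   # hypothetical
$AdminHosts        = '10.10.5.0/24'   # hypothetical, documented only; not in the blocked range

# 1. Cloud-delivered protection and automatic sample submission (Defender AV).
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# 2. Stop endpoint-to-endpoint SMB and RPC. SMB is TCP 445; RPC uses the
#    endpoint mapper on 135 plus the dynamic range 49152-65535. Admin hosts are
#    outside the blocked range, so LAPS-based local admin access still works.
$common = @{
    Direction     = 'Inbound'
    Protocol      = 'TCP'
    Action        = 'Block'
    Profile       = 'Domain,Private'
    RemoteAddress = $WorkstationSubnet
}
New-NetFirewallRule -DisplayName 'Harden-Block-SMB-From-Workstations' -LocalPort 445 @common | Out-Null
New-NetFirewallRule -DisplayName 'Harden-Block-RPC-From-Workstations' -LocalPort 135, '49152-65535' @common | Out-Null

# 3. Windows LAPS: confirm this machine's local Administrator password is
#    managed, then list domain computers that have never had one set.
Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText |
    Select-Object ComputerName, PasswordUpdateTime, ExpirationTimestamp, Source
Import-Module ActiveDirectory
$unmanaged = Get-ADComputer -Filter * -Properties 'msLAPS-PasswordExpirationTime' |
    Where-Object { -not $_.'msLAPS-PasswordExpirationTime' } |
    Select-Object Name, DistinguishedName
"$($unmanaged.Count) computer(s) without a LAPS-managed password:"
$unmanaged | Format-Table -AutoSize

# 4. Report the attack surface reduction rules configured on this endpoint,
#    with their mode, for comparison against the recommended list.
$prefs = Get-MpPreference
$modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $prefs.AttackSurfaceReductionRules_Ids[$i]
        Mode   = $modes[[int]$prefs.AttackSurfaceReductionRules_Actions[$i]]
    }
}
```

Roll the firewall rules out through Group Policy rather than per host once they have been tested on a pilot group; the local New-NetFirewallRule calls are shown so the port and scope choices are explicit. Any rule that the page recommends but that is missing from the step 4 report, or present only in Audit mode, is a gap to close.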