Threat Insight: IcedID Changes Tactics

IcedID (a.k.a. BokBot) is a malware dropper that relies heavily on email-based distribution tradecraft. Since Microsoft blocked macros in office documents from the internet, the group has adapted their methods. In research published by Cybereason, the group has been observed sending emails with a password protected zip archive that contains an ISO file as an attachment. The ISO image contains a LNK file to a DLL. That DLL, when executed, connects to pre-staged domains and downloads IcedID dropper. The malware has been observed dropping Atera agents for persistence. We recommend that MSPs block or quarantine password-protected zip files in email platforms.

Read more here:

-Kaseya Threat Management Team

Security Advisories Archives
RSS Feed

To View the RSS Feed of our advisory postings, please input this link into your feed reader.