IcedID (BokBot) Threat Description | Gridinsoft 2025

IcedID (BokBot)

Posted: December 24, 2023
from Cybersecurity Glossary
Aliases:
IceID, BokBot
Platform:
Windows
Variants:
IcedID lite, Forked IcedID
Damage:
Stolen Financial Information, Redirection To Malicious Web Pages, Keylogging, Opening Backdoors For Other Malware (Like Ransomware)
Risk Level:
High

IcedID (also tracked as BokBot) is a banking trojan that targets Windows systems to harvest financial credentials. Once running, it uses 'man-in-the-browser' web injects: it alters the content of banking pages inside the victim's browser to capture login data directly, or redirects the victim to a look-alike site. The stolen credentials are then used in automated fraud to move funds out of the compromised accounts. IcedID is also used as a loader, installing other malware on the infected device.

Possible symptoms

  • Unusual or unauthorized financial transactions
  • Unexpected redirection to fake banking websites
  • Abnormal system behavior, such as increased network traffic
  • Presence of unfamiliar processes or services in the task manager

Sources of the infection

  • Malicious email attachments and links, often delivered through phishing campaigns, and malicious advertisements (malvertising) that lead to a dropper (see References)
  • Compromised or malicious websites hosting exploit kits
  • Drive-by downloads triggered by visiting compromised web pages
  • Exploitation of software vulnerabilities, especially in outdated or unpatched software
  • Infiltration through other malware or botnets already present on the system

Overview

IcedID, also known as BokBot, is a banking trojan that targets Windows PCs. It is built to extract financial credentials without the user noticing, and those credentials then give the operators access to the victim's accounts for fund extraction.

Once deployed, IcedID employs 'man-in-the-browser' tactics: it injects malicious content into web pages as the browser renders them, either capturing sensitive information directly from modified forms or redirecting the user to a deceptive copy of the site. Because the injection happens inside the browser, the page the victim sees still carries the bank's real address, which makes this approach particularly effective at acquiring login data that is then used to drain the compromised accounts. IcedID does not limit its impact to financial theft; it also serves as a gateway for the installation of additional malware on the victim's device.
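The redirection described above leaves a trace outside the browser: the proxy or DNS log shows a request to the legitimate bank followed, within seconds, by a request to a domain that merely resembles it. The script below is an added example of that detection logic (it is not Gridinsoft's code and not part of the original page). The log line format, the list of monitored banking hostnames, the 30-second window and the edit-distance threshold are all assumptions, and the log lines are constructed for the demo.

```python
"""Flag proxy-log sessions in which a visit to a known banking host is
followed shortly by a request to a look-alike registered domain.

Added example; not Gridinsoft's code. Log format, bank list, window and
threshold are assumptions made for the demonstration.
"""
import re
from datetime import datetime, timedelta

# Assumed: the legitimate banking hostnames the organisation cares about.
BANK_DOMAINS = {"online.examplebank.com", "login.samplecredit.org"}

# Assumed line shape: "<iso-timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)")

# A web-inject redirect fires right after the real login page loads.
WINDOW = timedelta(seconds=30)

# Constructed sample data: one client is redirected to a typosquat,
# one client fetches the bank's own CDN, one leaves the time window.
SAMPLE_LOG = [
    "2023-12-24T09:00:01 10.0.0.5 GET https://online.examplebank.com/login",
    "2023-12-24T09:00:04 10.0.0.5 GET https://online.examplebamk.com/verify",
    "2023-12-24T09:00:05 10.0.0.5 GET https://cdn.examplebank.com/app.js",
    "2023-12-24T09:02:10 10.0.0.7 GET https://www.newsportal.example/",
    "2023-12-24T09:10:00 10.0.0.9 GET https://login.samplecredit.org/",
    "2023-12-24T09:11:00 10.0.0.9 GET https://login.samplecredlt.org/",
]


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the sample data, not for
    multi-label public suffixes such as co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Classic edit distance, used to spot single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, bank):
    """True when host belongs to a different registered domain that is
    within two edits of the bank's registered domain."""
    h, b = registered_domain(host), registered_domain(bank)
    return h != b and levenshtein(h, b) <= 2


def find_suspect_redirects(lines):
    """Return (client, bank_host, lookalike_host) for each suspicious hop."""
    last_bank_hit = {}  # client ip -> (timestamp, bank host)
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.fromisoformat(m.group(1))
        client, host = m.group(2), m.group(4)
        if host in BANK_DOMAINS:
            last_bank_hit[client] = (ts, host)
            continue
        if client in last_bank_hit:
            t0, bank = last_bank_hit[client]
            if ts - t0 <= WINDOW and is_lookalike(host, bank):
                alerts.append((client, bank, host))
    return alerts


if __name__ == "__main__":
    for client, bank, fake in find_suspect_redirects(SAMPLE_LOG):
        print(f"{client}: {bank} -> {fake} (possible web-inject redirect)")
```

The heuristic only catches domains that are a few edits away from the real one; a redirect to an unrelated phishing domain needs a different signal, such as a reputation feed or the absence of the host from an allow-list. Runs of this kind of check over the proxy log are a cheap way to turn the page's "unexpected redirection" symptom into an alert.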

🤔 What to do?

If you suspect an infection with IcedID, immediately disconnect the infected device from the network to stop further data exfiltration and to cut the trojan off from its operators. Then run a thorough scan with Gridinsoft Anti-Malware to detect and remove the trojan.

After removing the malware, change all passwords associated with sensitive accounts. Do this from a device you know to be clean, since the trojan logs keystrokes on the infected machine. Notify your bank and monitor your financial transactions for any unauthorized activity.

🛡️ Prevention

To prevent IcedID infections, keep the Windows operating system and third-party applications up to date. Use Gridinsoft Anti-Malware with real-time protection. Be cautious when clicking links or opening attachments, especially unexpected archives, script files or documents from unknown senders. Implement robust email filtering to block phishing attempts, and educate users about the risks of social engineering attacks.

References

  1. Gozi and IcedID Trojans Spread via Malvertising
  2. PindOS JavaScript Dropper Distributes Bumblebee and IcedID Malware
