diff --git a/ssl/c2/icedid.yaml b/ssl/c2/icedid.yaml new file mode 100644 index 0000000000..e61500e183 --- /dev/null +++ b/ssl/c2/icedid.yaml @@ -0,0 +1,26 @@ +id: icedid + +info: + name: IcedID Infrastructure - Detect + author: pussycat0x + severity: info + description: | + IcedID, also known as BokBot, is a modular banking trojan that targets user financial information and is capable of acting as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions. Once it successfully completes its initial attack, it uses the stolen information to take over banking accounts and automate fraudulent transactions. IcedID is primarily dropped as a secondary payload from other malware, most notably Emotet, in addition to its own malspam campaigns. IcedID uses multiple injection methods to evade antivirus and other malware detection methods, such as injecting itself into operating system (OS) memory and regular processes. The malware authors are known to update IcedID to increase persistence and evade new detection efforts. + metadata: + verified: "true" + censys-query: "CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd" + tags: c2,ir,osint,malware,bokbot,trojan + +ssl: + - address: "{{Host}}:{{Port}}" + + matchers: + - type: word + part: subject_dn + words: + - "O=Internet Widgits Pty Ltd, ST=Some-State, C=AU, CN=localhost" + + extractors: + - type: json + json: + - ".subject_dn"