nuclei-templates/ssl/c2/icedid.yaml

26 lines
1.6 KiB
YAML

id: icedid
info:
name: IcedID Infrastructure - Detect
author: pussycat0x
severity: info
description: |
IcedID, also known as BokBot, is a modular banking trojan that targets user financial information and is capable of acting as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions. Once it successfully completes its initial attack, it uses the stolen information to take over banking accounts and automate fraudulent transactions. IcedID is primarily dropped as a secondary payload from other malware, most notably Emotet, in addition to its own malspam campaigns. IcedID uses multiple injection methods to evade antivirus and other malware detection methods, such as injecting itself into operating system (OS) memory and regular processes. The malware authors are known to update IcedID to increase persistence and evade new detection efforts.
metadata:
verified: "true"
max-request: 1
censys-query: CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
tags: c2,ir,osint,malware,ssl,bokbot,icedid
ssl:
- address: "{{Host}}:{{Port}}"
matchers:
- type: word
part: subject_dn
words:
- "O=Internet Widgits Pty Ltd, ST=Some-State, C=AU, CN=localhost"
extractors:
- type: json
json:
- ".subject_dn"
# digest: 490a0046304402202fc1d12f8822e8687ab2113bdde2da59da96e161838d477cbdfb4595319e2a320220213cba259b8962e888d1cd4efe61e38218d53efb5749f6282aa4908336b4bf4c:922c64590222798bb761d5b6d8e72950