Thawing IcedID Out through a DNS Analysis
The current threat landscape keeps proving that malware evolves. The latest example is IcedID, which started life as a run-of-the-mill banking trojan and is now used as a loader that drops ransomware.
More than 50 IP addresses and domains have been publicly listed as IcedID indicators of compromise (IoCs) [1, 2, 3, 4]. WhoisXML API researchers pivoted on them with WHOIS and DNS intelligence (historical registrant records, reverse WHOIS, reverse IP and passive DNS resolutions) to uncover further connected artifacts. These artifacts share infrastructure or registrant data with the published IoCs and are not themselves confirmed malicious; they include:
- Five unredacted email addresses historically used to register some of the domains identified as IoCs
- 44 domains registered using some of the registrant email addresses
- 22 domains resolving to IP addresses tagged as IoCs
- 33 domains sharing the same IP resolutions as some of the domains classified as IoCs
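The four pivots in the list above (registrant e-mail extraction, reverse WHOIS, reverse IP and shared IP resolution) can be reproduced offline against small WHOIS and passive-DNS datasets. The following is an added example written for this page, not WhoisXML API's own tooling: the seed IoCs, WHOIS history, passive-DNS records, the privacy-proxy mail domain and the shared-hosting threshold are all constructed (reserved example names and documentation IP ranges) and have nothing to do with real IcedID infrastructure. It also applies two checks a practitioner would want before trusting a pivot: redacted or privacy-proxy registrant addresses are not used as pivots, and an IP shared by many tenants is treated as shared hosting rather than as evidence of a link.

```python
"""Offline demonstration of the four pivots listed above: registrant e-mail
extraction, reverse WHOIS, reverse IP, and shared-resolution (co-hosting).
All seed IoCs, WHOIS history and passive-DNS records are constructed for
this example (reserved example names and documentation IP ranges) and are
not real IcedID infrastructure."""
from collections import defaultdict

# Constructed seed IoCs (hypothetical; not taken from the cited pulses).
IOC_DOMAINS = {"loader-a.example.net", "backconnect-b.example.org"}
IOC_IPS = {"203.0.113.10", "198.51.100.7"}

# Constructed historical WHOIS: domain -> every registrant e-mail ever seen.
# A privacy-proxy address stands in for a redacted record.
WHOIS_HISTORY = {
    "loader-a.example.net": ["ops1@mail.example", "contact@privacyproxy.example"],
    "backconnect-b.example.org": ["ops2@mail.example"],
    "dropper-c.example.net": ["ops1@mail.example"],
    "staging-d.example.org": ["ops2@mail.example", "ops1@mail.example"],
    "innocent-blog.example.com": ["contact@privacyproxy.example"],
    "shop.example.com": ["owner@shop.example"],
}

# Constructed passive DNS: domain -> IPs it has historically resolved to.
PDNS = {
    "loader-a.example.net": ["203.0.113.10", "192.0.2.44", "192.0.2.99"],
    "backconnect-b.example.org": ["198.51.100.7"],
    "dropper-c.example.net": ["203.0.113.10"],
    "sibling-e.example.org": ["192.0.2.44"],
    "cdn-tenant-1.example.com": ["192.0.2.99"],
    "cdn-tenant-2.example.com": ["192.0.2.99"],
    "cdn-tenant-3.example.com": ["192.0.2.99"],
    "shop.example.com": ["192.0.2.200"],
}

# Assumed list of privacy/proxy mail domains; a real deployment would hold
# the actual proxy services seen in WHOIS data.
PRIVACY_PROXY_DOMAINS = {"privacyproxy.example"}
# An IP shared by more than this many domains is treated as shared hosting
# or a CDN edge and not used as a pivot (assumed threshold for the demo).
MAX_SHARED_HOSTS = 3


def is_redacted(email: str) -> bool:
    """True for addresses that belong to a privacy/proxy service."""
    return email.rsplit("@", 1)[-1].lower() in PRIVACY_PROXY_DOMAINS


def reverse_index(mapping: dict) -> dict:
    """Invert domain -> [values] into value -> {domains}."""
    inverted = defaultdict(set)
    for domain, values in mapping.items():
        for value in values:
            inverted[value].add(domain)
    return inverted


def registrant_emails(domains: set) -> set:
    """Pivot 1: unredacted registrant e-mails historically used by the IoC domains."""
    return {e for d in domains for e in WHOIS_HISTORY.get(d, []) if not is_redacted(e)}


def reverse_whois(emails: set, exclude: set) -> set:
    """Pivot 2: other domains registered with any of those e-mails."""
    by_email = reverse_index(WHOIS_HISTORY)
    return {d for e in emails for d in by_email.get(e, set())} - exclude


def reverse_ip(ips: set, exclude: set) -> set:
    """Pivot 3: domains that resolved to IPs already tagged as IoCs."""
    by_ip = reverse_index(PDNS)
    return {d for ip in ips for d in by_ip.get(ip, set())} - exclude


def co_resolving(domains: set, ioc_ips: set, exclude: set) -> set:
    """Pivot 4: domains sharing a resolution with an IoC domain, via IPs that
    are not themselves IoCs and are not crowded shared-hosting addresses."""
    by_ip = reverse_index(PDNS)
    shared_ips = {ip for d in domains for ip in PDNS.get(d, [])} - ioc_ips
    found = set()
    for ip in shared_ips:
        hosts = by_ip[ip]
        if len(hosts) > MAX_SHARED_HOSTS:
            continue  # too many tenants: a co-hosting pivot here is noise
        found |= hosts
    return found - exclude


def run_pivots() -> dict:
    """Run all four pivots against the constructed data and return the results."""
    emails = registrant_emails(IOC_DOMAINS)
    return {
        "emails": emails,
        "reverse_whois": reverse_whois(emails, IOC_DOMAINS),
        "reverse_ip": reverse_ip(IOC_IPS, IOC_DOMAINS),
        "co_resolving": co_resolving(IOC_DOMAINS, IOC_IPS, IOC_DOMAINS),
    }


if __name__ == "__main__":
    for name, artifacts in run_pivots().items():
        print(f"{name}: {sorted(artifacts)}")
```

On the constructed data, the proxy address on `loader-a.example.net` is dropped so `innocent-blog.example.com` never surfaces through reverse WHOIS, and `192.0.2.99`, which hosts four tenants, is skipped so the three `cdn-tenant-*` names are not reported as co-hosted artifacts. Swapping the two dictionaries for real historical WHOIS and passive-DNS lookups is all that changes for a live investigation; the exclusion and crowding checks are what keep the pivot counts meaningful rather than inflated.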
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
References
1. https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2
2. https://otx.alienvault.com/pulse/64cb26ac4990112e3f9e662f
3. https://otx.alienvault.com/pulse/64c5cf320a92c0bdc8ab9068
4. https://otx.alienvault.com/pulse/6401246d57e5b0d2ff1c6c58