Although IcedID was originally discovered back in 2017, it did not gain popularity until the latter half of 2020. We have now analyzed a couple of ransomware cases in 2021 (Sodinokibi & Conti) that used IcedID as the initial foothold into the environment.
In June, we saw another threat actor utilize IcedID to download Cobalt Strike, which was then used to pivot to other systems in the environment. Similar to the Sodinokibi case, anti-virus (AV) slowed down the attackers. AV frustrated them to the point that they temporarily left the environment. Eleven days later, activity returned to the environment with more Cobalt Strike beacons, which the threat actors used to pivot throughout the domain using WMI. They remained, however, unable or unwilling to complete their final objectives.