More IcedID Command and Control Infrastructure


Two weeks ago, Martijn Grooten published a blog post on the IcedID malware in which he listed hundreds of domains and IP addresses that were part of IcedID's command and control infrastructure. Though many of these had been published before, many others had not previously been publicly linked to the malware.

IcedID has become a crucial component in many cybercrime supply chains, and it is thus on the radar of many security researchers. Several analyses of IcedID have been published since, including ones by Awake and Uptycs as well as two posts on Brad Duncan's Malware Traffic Analysis blog.

Most of the command and control indicators listed in these posts were already in our list of indicators, which shows once again that one does not always need to analyse live network traffic to detect such infrastructure. Because IcedID is still very much active and continues to register new command and control domains, Martijn used the method described in the previous blog post to find many more indicators.

These new indicators have been added to this GitHub account, which now contains 366 unique domains, 69 unique IP addresses and 495 unique domain/IP combinations.
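The counts above (unique domains, unique IPs, unique domain/IP pairs) are what you get when you deduplicate an indicator list; the next step for a defender is matching the domains against DNS query logs. The following is an added example of that workflow and is not code from the post or from the linked GitHub account. It assumes the indicator list is a two-column `domain,ip` CSV and that the DNS logs use a BIND-style `queries.log` layout; both the indicators and the log lines below are constructed for illustration, not real IcedID infrastructure.

```python
"""Deduplicate a domain/IP indicator list and match it against DNS query logs (added example)."""
from collections import namedtuple
import csv
import io
import re

# Constructed sample in the "domain,ip" layout this example ASSUMES for the
# indicator list. The values are illustrative (RFC 5737 / .test), not real IoCs.
SAMPLE_IOC_CSV = """domain,ip
c2-example-one.test,203.0.113.10
c2-example-one.test,203.0.113.11
c2-example-two.test,203.0.113.10
c2-example-three.test,198.51.100.7
c2-example-two.test,203.0.113.10
"""

# Constructed DNS query log lines (BIND queries.log layout, assumed).
SAMPLE_DNS_LOG = """14-Jan-2021 10:02:11.123 client 10.0.0.5#53412: query: www.example.org IN A + (10.0.0.2)
14-Jan-2021 10:02:12.456 client 10.0.0.7#41022: query: c2-example-two.test IN A + (10.0.0.2)
14-Jan-2021 10:02:13.789 client 10.0.0.9#55231: query: C2-Example-Three.TEST. IN A + (10.0.0.2)
14-Jan-2021 10:02:14.000 client 10.0.0.5#53413: query: notc2-example-two.test IN A + (10.0.0.2)
"""

Indicator = namedtuple("Indicator", "domain ip")


def normalise_domain(name):
    """Lower-case and strip the trailing dot so log and IoC spellings compare equal."""
    return name.strip().rstrip(".").lower()


def load_indicators(text):
    """Parse the CSV into unique (domain, ip) pairs, preserving first-seen order."""
    seen = set()
    indicators = []
    for row in csv.DictReader(io.StringIO(text)):
        ind = Indicator(normalise_domain(row["domain"]), row["ip"].strip())
        if ind not in seen:
            seen.add(ind)
            indicators.append(ind)
    return indicators


def summarise(indicators):
    """Counts in the same shape the post reports: domains, IPs, domain/IP pairs."""
    return {
        "domains": len({i.domain for i in indicators}),
        "ips": len({i.ip for i in indicators}),
        "pairs": len(indicators),
    }


# Pulls the querying client and the queried name out of a BIND-style log line.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def match_dns_log(log_text, indicators):
    """Return (client, domain) for every query whose name is exactly an IoC domain.

    Exact-match on the normalised name deliberately does not flag
    'notc2-example-two.test', which merely contains an IoC as a substring.
    """
    domains = {i.domain for i in indicators}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = normalise_domain(m.group("qname"))
        if qname in domains:
            hits.append((m.group("client"), qname))
    return hits


if __name__ == "__main__":
    iocs = load_indicators(SAMPLE_IOC_CSV)
    print(summarise(iocs))
    for client, domain in match_dns_log(SAMPLE_DNS_LOG, iocs):
        print(f"{client} queried IcedID C2 domain {domain}")
```

Exact matching on the normalised name is a deliberate choice: substring matching would produce false positives on look-alike names, while a production version would typically also want to flag subdomains of an IoC domain (a `.`-suffix check against each label boundary) and to look up the resolved answer IPs against the IP column.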

Thank you to John Jensen who contributed to this research.