Effective URL: https://www.bleepingcomputer.com/news/security/new-icedid-variants-shift-from-bank-fraud-to-malware-delivery/amp/

NEW ICEDID VARIANTS SHIFT FROM BANK FRAUD TO MALWARE DELIVERY


By BILL TOULAS

March 27, 2023, 03:25 PM

New IcedID variants have been found without the usual online banking fraud
functionality and instead focus on installing further malware on compromised
systems.

According to Proofpoint, these new variants have been seen used by three
distinct threat actors in seven campaigns since late last year, focusing on
further payload delivery, most notably ransomware.



Proofpoint has identified two new variants of the IcedID loader, namely “Lite”
(first seen in November 2022) and “Forked” (first observed in February 2023),
both delivering the same IcedID bot with a narrower feature set.

Removing unneeded functions from IcedID, which has been deployed in numerous
malicious campaigns with few code changes since 2017, makes it leaner and
stealthier, which can help the threat actors evade detection.

Separate clusters of IcedID activity (Proofpoint)


NEW ICEDID CAMPAIGNS

Starting in November 2022, the “Lite” variant of the IcedID loader was delivered
as a second-stage payload on systems infected by the newly returned Emotet
malware.

The “Forked” version of the malware loader first appeared in February 2023,
distributed directly through thousands of personalized invoice-themed phishing
emails.

These messages used Microsoft OneNote attachments (.one) to execute a malicious
HTA file that, in turn, runs a PowerShell command which fetches IcedID from a
remote resource. At the same time, the victim is served a decoy PDF.


Malicious OneNote attachment used in recent campaign (Proofpoint)

At the end of February, Proofpoint’s researchers observed a low-volume campaign
distributing IcedID “Forked” via fake notices from the National Traffic and
Motor Vehicle Safety Act and the U.S. Food and Drug Administration (FDA).

It is important to note that while some threat actors use new variants of the
IcedID malware, others still choose to deploy the “Standard” variant, with one
of the most recent campaigns dating March 10, 2023.


THE NEW VARIANTS

The “Forked” IcedID loader is quite similar to the “Standard” version in terms
of its role, sending basic host info to the C2 and then fetching the IcedID
bot.

However, “Forked” uses a different file type (COM Server) and features
additional domain and string-decryption code, making the payload 12KB larger
than the “Standard” version.


Domain decryption (Proofpoint)

On the other hand, the “Lite” loader variant is lighter, at 20KB, and does not
exfiltrate host info to the C2. This change makes sense since it was deployed
alongside Emotet, which had already profiled the breached system.

The “Forked” version of the IcedID bot is 64KB smaller than the “Standard” bot,
and is basically the same malware minus the web injects system, the AiTM
(adversary in the middle) functions, and the backconnect capabilities that give
threat actors remote access to infected devices.

Standard and Forked bot comparison (Proofpoint)

IcedID is generally used for initial access by threat actors, so the development
of new variants is a worrying sign that points to a shift towards specializing
the bot for payload delivery.

Proofpoint predicts that most threat actors will continue to use the “Standard”
variant, but the deployment of new IcedID versions will likely grow, and more
variants may pop up later in 2023.

Copyright @ 2003 - 2023 Bleeping Computer® LLC - All Rights Reserved