New variants of IcedID malware loader
Security researchers have warned about new variants of the IcedID malware loader. IcedID, also known as BokBot, is a malware strain first discovered in 2017. It is classified as a banking trojan and remote access trojan (RAT).
A banking trojan is malware that attempts to steal credentials from a financial institution's clients or to gain access to other types of financial information. A remote access trojan (RAT) is malware that enables a bad actor to remotely control an infected computer. Once the RAT is running, unknown to the user, the bad actor can send commands and receive data back in response.
The IcedID malware loader is considered to have capabilities comparable to other sophisticated banking trojans such as Zeus, Gozi, and Dridex, and those capabilities are alarming. As a banking trojan, IcedID collects login credentials for financial user accounts. IcedID is also capable of dropping additional malware. While Emotet, a botnet malware, commonly distributes IcedID, it is not the only delivery vector for IcedID.
As a side note, Emotet is a highly sophisticated, self-propagating trojan. Emotet started out as a banking trojan; however, its modular design has allowed it to evolve into a distributor for other types of malware. Emotet is frequently spread through phishing spam emails.
Security researchers from Proofpoint said in a new report:
“A cluster of threat actors is likely using modified variants to pivot the malware away from typical banking Trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery.”
Proofpoint's research team has identified multiple IcedID campaigns from 2022 through 2023. Additionally, at least five threat actors have been observed distributing the malware in campaigns since 2022. These five threat actors are TA578, TA551, TA577, TA544, and TA581, which we will highlight below. Most threat actors and unattributed threat activity clusters use the Standard IcedID variant.
- Standard IcedID Variant – The variant most observed in the threat landscape and the one used by most threat actors.
- Lite IcedID Variant – A new variant observed as a follow-on payload in November Emotet infections; its loader does not exfiltrate host data during check-in, and it delivers a bot with minimal functionality.
- Forked IcedID Variant – A new variant observed by Proofpoint researchers in February 2023 and used by a few threat actors; it again delivers the bot with minimal functionality.
Proofpoint researchers currently assess that most of these bad actors are initial access brokers facilitating infections that lead to ransomware.
- Threat Actor: TA578
TA578 has been using IcedID since around June 2020. Its email-based malware distribution campaigns commonly use lures such as "stolen images" or "copyright violations." The group uses what Proofpoint considers the Standard IcedID variant. However, it has also been seen delivering Bumblebee, another malware loader preferred by initial access brokers.
- Threat Actor: TA551
TA551, another group that uses the Standard IcedID variant, has been operating since 2018. This group uses email thread hijacking techniques to distribute malicious Word documents, PDFs, and, more recently, OneNote documents. In addition to IcedID, TA551 payloads include the SVCReady and Ursnif malware programs.
- Threat Actor: TA577
TA577 has used IcedID in limited campaigns since February 2021. This threat actor uses thread hijacking to deliver malware, with Qbot being TA577's preferred payload. However, Proofpoint has observed IcedID delivered by TA577 in six campaigns since 2022. TA577 uses the Standard IcedID variant.
- Threat Actor: TA544
TA544 used IcedID in limited campaigns throughout 2022. This actor targets organizations in Italy and Japan and typically delivers Ursnif malware. TA544 uses the Standard IcedID variant.
- Threat Actor: TA581
TA581 is a newly classified threat actor that Proofpoint has tracked as an unattributed activity cluster since mid-2022. This actor uses business-relevant themes such as payroll, customer information, invoices, and order receipts to deliver a variety of file types or URLs. TA581 typically delivers IcedID but has also been observed using Bumblebee malware and telephone-oriented attack delivery (TOAD) payloads. TA581 uses the Forked IcedID variant. The Forked IcedID campaigns, in particular, used Microsoft OneNote attachments and unusual attachments with the .URL extension.
- A final note: What the future holds
Cybercriminals are dedicating significant effort to IcedID and the malware's codebase. Although IcedID was initially used as a banking trojan, bad actors are more prone than ever to remove the malware's banking functionality. As a result, bad actors are moving away from using IcedID as banking malware and looking at new avenues to use it as a loader for ransomware and other malicious activities.
Meanwhile, Proofpoint expects many threat actors to continue using the Standard IcedID variant. At the same time, the Lite and Forked IcedID variants will likely continue to be used in malware attacks.