New Variants of IcedID Malware Loader

Security researchers have cautioned against new variants of the IcedID malware loader. IcedID, also known as BokBot, is a strain of malware first discovered in 2017 and classified as a banking trojan and remote access trojan (RAT).

A banker trojan is malware that attempts to steal credentials from a financial institution’s clients or to gain access to other types of financial information. A remote access trojan (RAT) is malware that enables a bad actor to remotely control an infected computer. Once the RAT is running, the bad actor can send commands and receive data in response without the user’s knowledge.

The IcedID malware loader is considered to have capabilities comparable to other sophisticated banking trojans such as Zeus, Gozi, and Dridex, and those capabilities are alarming. As a banking trojan, IcedID collects login credentials for financial user accounts. IcedID is also capable of dropping additional malware. While Emotet, a botnet malware, commonly distributes IcedID, it is not the only delivery vector.

As a side note, Emotet is a highly sophisticated, self-propagating trojan. Emotet began as a banking trojan; however, its modular design has allowed it to evolve into a distributor for other types of malware. Emotet is frequently spread through phishing spam emails.


Security researchers from Proofpoint said in a new report:

“A cluster of threat actors is likely using modified variants to pivot the malware away from typical banking Trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery.”

Proofpoint’s research team has identified multiple IcedID campaigns from 2022 through 2023. At least five threat actors have been observed distributing the malware in campaigns since 2022: TA578, TA551, TA577, TA544, and TA581, which we highlight below. Most threat actors and unattributed threat activity clusters use the Standard IcedID variant.

  • Standard IcedID Variant – The variant most observed in the threat landscape and used by most threat actors.
  • Lite IcedID Variant – A new variant observed as a follow-on payload in November Emotet infections; its loader does not exfiltrate host data in the check-in, and its bot has minimal functionality.
  • Forked IcedID Variant – A new variant observed by Proofpoint researchers in February 2023 and used by a few threat actors, which again delivers a bot with minimal functionality.

At this point, Proofpoint researchers consider most of these bad actors to be initial access brokers facilitating infections leading to ransomware.


  • Threat Actor: TA578

TA578 has been using IcedID since around June 2020. Its email-based malware distribution campaigns commonly use lures such as “stolen images” or “copyright violations.” The group uses what Proofpoint considers the Standard IcedID variant. However, it has also been seen delivering Bumblebee, another malware loader favored by initial access brokers.


  • Threat Actor: TA551

TA551, another group that uses the Standard IcedID variant, has been operating since 2018. This group uses email thread hijacking to distribute malicious Word documents, PDFs, and, more recently, OneNote documents. In addition to IcedID, TA551 payloads include the SVCReady and Ursnif malware families.


  • Threat Actor: TA577

TA577 has used IcedID in limited campaigns since February 2021. This threat actor uses thread hijacking to deliver malware, with Qbot being its preferred payload. However, Proofpoint has observed IcedID delivered by TA577 in six campaigns since 2022. TA577 uses the Standard IcedID variant.


  • Threat Actor: TA544

TA544 used IcedID in limited campaigns throughout 2022. This actor targets organizations in Italy and Japan and typically delivers Ursnif malware. TA544 uses the Standard IcedID variant.


  • Threat Actor: TA581

TA581 is a newly classified threat actor that Proofpoint had tracked as an unattributed activity cluster since mid-2022. This actor uses business-relevant themes such as payroll, customer information, invoices, and order receipts to deliver a variety of file types or URLs. TA581 typically delivers IcedID but has also been observed using Bumblebee malware and telephone-oriented attack delivery (TOAD) payloads. TA581 uses the Forked IcedID variant; the Forked IcedID campaigns, in particular, used Microsoft OneNote attachments and unusual attachments with the .URL extension.
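As an added defender-side example (not code from the original article or from Proofpoint), the following Python script applies the delivery traits described above to constructed mail-gateway log lines: attachments with OneNote (.one) or .URL extensions, and the lure themes named for TA578 and TA581. The key=value log format, the keyword list, and the severity scoring are assumptions made for illustration.

```python
"""Triage mail-gateway events for the IcedID delivery traits described above.

Added example, not code from the original article or from Proofpoint.
The log format, keyword list and severity scoring are assumptions.
"""
import os
import re
from typing import NamedTuple, Optional

# Attachment extensions named in the campaign descriptions:
# .one (Microsoft OneNote) and .URL (Internet shortcut).
SUSPICIOUS_EXTENSIONS = {".one", ".url"}

# Lure themes named for TA578 and TA581 (lower-case substrings; assumption).
LURE_KEYWORDS = (
    "stolen image",
    "copyright violation",
    "payroll",
    "customer information",
    "invoice",
    "order receipt",
)


class MailEvent(NamedTuple):
    sender: str
    subject: str
    attachment: str


class Finding(NamedTuple):
    event: MailEvent
    reasons: tuple
    severity: str


# Constructed sample log lines in a simple key=value format (assumption).
SAMPLE_LOG = """\
ts=2023-03-01T09:12:04Z from=accounts@example.invalid subj="Invoice 4471 overdue" attach=invoice_4471.one
ts=2023-03-01T09:15:31Z from=hr@example.invalid subj="Payroll update" attach=payroll-march.url
ts=2023-03-01T09:20:10Z from=pat@example.invalid subj="RE: lunch" attach=menu.pdf
ts=2023-03-01T09:22:45Z from=legal@example.invalid subj="Copyright violation notice" attach=notice.docx
ts=2023-03-01T09:30:00Z from=ops@example.invalid subj="weekly report" attach=
"""

LINE_RE = re.compile(
    r'from=(?P<sender>\S+) subj="(?P<subject>[^"]*)" attach=(?P<attachment>\S*)'
)


def parse_log(text: str) -> list:
    """Parse key=value gateway lines into MailEvent records; skip malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            events.append(MailEvent(match["sender"], match["subject"], match["attachment"]))
    return events


def classify(event: MailEvent) -> Optional[Finding]:
    """Return a Finding when the event shows one or more of the described traits."""
    reasons = []
    ext = os.path.splitext(event.attachment)[1].lower()
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"attachment extension {ext}")
    subject = event.subject.lower()
    for keyword in LURE_KEYWORDS:
        if keyword in subject:
            reasons.append(f"lure theme '{keyword}'")
    if not reasons:
        return None
    # A suspicious attachment type combined with a lure theme ranks higher
    # than either trait on its own.
    severity = "high" if len(reasons) >= 2 and ext in SUSPICIOUS_EXTENSIONS else "medium"
    return Finding(event, tuple(reasons), severity)


def triage(text: str) -> list:
    """Parse and classify a whole log, keeping only flagged events."""
    return [f for f in (classify(e) for e in parse_log(text)) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.severity.upper(), finding.event.sender,
              finding.event.attachment, "; ".join(finding.reasons))
```

Run against the constructed sample, the script flags the two events that pair a .one or .url attachment with an invoice or payroll lure as high, and the copyright-notice message with an ordinary .docx as medium; the extension and keyword lists are the only parts that need tuning to a real gateway feed.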


  • A final note: What the future holds

Cybercriminals are dedicating significant effort to IcedID and its codebase. Although IcedID was initially used as a banking trojan, bad actors are now more likely than ever to remove its banking functionality. As a result, they are shifting away from using IcedID as banking malware and looking at new avenues for it as a loader for ransomware and other malicious activity.

Meanwhile, Proofpoint expects many threat actors to continue using the Standard IcedID variant. At the same time, the Lite and Forked IcedID variants will likely continue to be used in malware attacks.


Network Insight News

F5 New Distributed Cloud with Multi-Cloud Services

Organizations use dispersed application deployments that span traditional and modern architectures and multiple hosting environments. However, these distributed deployments add operational complexity, creating gaps in visibility that increase the attack surface available to bad actors.

Bad actors will get in eventually, and you want to minimize the attack surface as much as possible. F5 covers this with a platform-based approach offering distributed cloud services for networking and security. Specifically, F5 has recently introduced Distributed Cloud App Connect and Distributed Cloud Network Connect, allowing a variety of multi-cloud networking use cases.


Distributed Cloud App Connect:

You can connect and secure modern applications and Application Programming Interfaces (APIs) across cloud locations and types. This service provides app-to-app connectivity and orchestration for workloads distributed across multiple cloud regions, providers, and edge sites. Now we can ensure secure application-layer networking between clouds with granular service and request-level controls for DevOps.

In summary, with Distributed Cloud App Connect, wherever an application is running and regardless of where the resources it needs are hosted, everything from networking to visibility to security is managed through the control console provided by F5.


Some of the core capabilities include:

  1. Application networking: Load balancing for TCP, UDP, and HTTP/S requests
  2. Application segmentation: Granular policies to secure endpoint access
  3. End-to-end encryption: Native TLS encryption from workload to workload
  4. Application security integration: Same Distributed Cloud Console for app and API security
  5. Service discovery: Cross-cluster service discovery
  6. Observability: App-level dashboards and metrics
  7. Ingress and egress: Route-based policy enforcement for HTTP and HTTPS traffic


Distributed Cloud Network Connect:

Distributed Cloud Network Connect lets you quickly and securely network across public clouds, hybrid clouds, and edge sites via an agile SaaS-based service. Cloud networking across regions or providers lets you rapidly connect instances deployed across multiple cloud regions and providers. Distributed Cloud Network Connect operates at the network level, combining connectivity services from cloud providers and edge environments under a single organizational roof.


Some of the core capabilities include:

  1. Automated provisioning: One-click provisioning for connectivity and security
  2. Integrated services stack: Common routing, segmentation, and access everywhere
  3. Service insertion: Seamless insertion of services like firewalls
  4. Network segmentation: Network isolation across clouds, on-premises, and within the F5 Global Network
  5. End-to-end observability: Full network visibility across clouds and on-premises
  6. SaaS-based: As-a-service for simplified operations and scaling
  7. Private connectivity: Private links and backbone via the F5 Global Network
  8. Application networking integration: Application networking via Distributed Cloud App Connect

Distributed Cloud App Connect and Distributed Cloud Network Connect are now available for any F5 subscription plan under the F5 Distributed Cloud Mesh platform capability.  


F5’s Distributed Cloud Service

F5’s Distributed Cloud Service is a SaaS-based solution that extends a range of security and networking services to applications across one or more public clouds. It also supports a range of hybrid deployments, native Kubernetes environments, and edge sites, covering the most common use cases.

The F5 Distributed Cloud Services are delivered via software as a service (SaaS), allowing you to sign up for a free trial or a monthly plan with a credit card—the service(s) will be immediately available. 

There are four main tiers: Free, Individual, Team, and Organization. The tier you choose enables different network and security services, with the Organization tier offering advanced API support and fast health checks across all locations in under 1 second.

You can also extend your design to create combinations based on your imagination—for example, deploying SD-WAN across two locations and building networks and security policies across these locations and to the public Internet.


The following are the main pillars F5 offers:

  • DDoS Mitigation: Mitigate application-based and volumetric distributed denial of service (DDoS) attacks.
  • API Security: Discover API endpoints, allow legitimate transactions, and monitor for anomalous behaviors.

Fraud and Risk

  • Account Protection: Powerful artificial intelligence for fraud protection.
  • Authentication Intelligence: Increase topline digital revenue and improve customer experience by eliminating login friction for legitimate returning consumers.

Multi-Cloud Networking

  • Network Connect: Easily network across cloud locations and providers with simplified provisioning and end-to-end security.
  • App Connect: Securely connect distributed workloads across cloud and edge locations with integrated app security.

Performance and Reliability

  • DNS: Get a primary or secondary DNS and boost apps’ global performance and resilience across multiple clouds and availability zones.
  • DNS Load Balancer: Simplify cloud-based DNS management and load balancing and get disaster recovery to ease the burden on operations and development teams.
  • CDN: Enable rich digital experiences with a high-performing, multi-cloud, edge-focused CDN that integrates with app security services.
