New IcedID Variants Switch From Delivering Malware To Bank Fraud

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Mar 28, 2023 01:30 am PST

Security experts have observed two new variants of the banking Trojan IcedID, which has recently been used to spread ransomware, being used in attack campaigns. The two new variants are lighter than the original because certain functionality has been removed, and one of them appears to be associated with the Emotet botnet.

In a recent analysis, researchers from Proofpoint revealed that a group of threat actors is probably using the modified variants to shift the malware’s focus away from the usual banking Trojan and banking fraud activity and toward payload distribution, which probably prioritizes ransomware delivery.

In addition, Proofpoint researchers believe that the original Emotet developers and the operators of IcedID have partnered to expand their activities, using the Lite version of the new IcedID variants, which has different, unique functionality, and probably testing it via active Emotet infections. Codebase artifacts, timing, and associations with Emotet infections support this hypothesis.

Initial access brokers favor IcedID

When it first surfaced in 2017, IcedID was a Trojan intended to steal online banking credentials by injecting malicious content into local browsing sessions, an attack known as a “webinject.” The Trojan’s codebase was virtually unaltered between 2017 and last year. In recent years, however, some attacker groups began using it not for bank fraud but as a loader for other malware payloads.

The new IcedID Trojan variants were used in hundreds of attack campaigns between 2022 and 2023, and Proofpoint was able to link them to five different threat actors. The majority of these threat actors act as initial access brokers, which means they provide access to corporate networks to other cybercriminals, most often ransomware gangs.

Since June 2020, a group that Proofpoint tracks as TA578 has been using new IcedID variants. The group uses what Proofpoint views as the typical new IcedID variants, but it has also been observed distributing Bumblebee, another malware loader favored by initial access brokers. Its email-based malware delivery tactics often include lures such as “stolen photographs” or “copyright infractions.”

TA551, active since 2018, is another group that uses the common new IcedID variants. This gang uses email thread hijacking techniques to spread infected Word, PDF, and, most recently, OneNote documents. In addition to IcedID, TA551 payloads also include the malware programs SVCReady and Ursnif.

Proofpoint also identified a threat actor known as TA544 that targeted enterprises in Italy and Japan with IcedID and Ursnif in 2022. TA577 is a second group that uses IcedID and email thread hijacking. This gang, which is also notorious for disseminating Qbot, began using IcedID in 2021.

Lite and forked versions of IcedID

Since February, Proofpoint has been tracking a new group known as TA581 that uses a forked version of IcedID without the banking fraud capabilities, including the webinjects and backconnect. TA581 is also known to use the Bumblebee malware and is thought to be an initial access facilitator.

The threat actor sends a range of file formats or malicious URLs via email campaigns using business-relevant lures, including payroll, customer information, invoices, and order receipts. The forked IcedID campaigns, in particular, used Microsoft OneNote attachments and unusual attachments with the .URL extension.

The forked variant of the IcedID Trojan uses the standard IcedID payload to download a DLL from a loader command-and-control (C2) server and then runs the forked IcedID Trojan with functionality disabled.

In one campaign using the forked variant, attackers used invoice-themed lures that asked the recipient to confirm. The emails contained the names of the recipients and carried attachments with a .one extension (OneNote files). When these documents were opened, they instructed the recipient to double-click the document’s “open” button, which launched an HTML Application (HTA) file. This file opened a fake PDF file and ran a PowerShell command that loaded the IcedID loader using rundll32 and the PluginInit export.

In a different campaign, attackers used lures such as product recall warnings from the U.S. Food and Drug Administration. These emails contained attachments with links that, when clicked, would open the default browser and download a .bat script. Using the same rundll32 method, this script would then download and run the IcedID loader.

At the same time, the researchers noticed another IcedID variant, which they refer to as the Lite variant. This variant downloads a “Bot Pack” file named botpack.dat from a hardcoded static URL rather than from a C2 server. The loader DLL in this file then downloads the forked, stripped-down version of the IcedID bot. Because it doesn’t use a C2 server, this version also differs in that it doesn’t exfiltrate data about the infected system to a C2 server.
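The delivery chains described above leave a few observable traits: an HTA launched from OneNote, PowerShell launched from the HTA host (mshta.exe on Windows), rundll32 called with the PluginInit export, and a request for botpack.dat. The following is an added detection sketch, not code from Proofpoint or the original article; the event field names, paths and host in the sample data are constructed assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# rundll32 invoked with the PluginInit export named in the campaigns above
RUNDLL_EXPORT = re.compile(r'rundll32(?:\.exe)?"?\s.*,\s*PluginInit\b', re.I)
# Lite variant: "Bot Pack" fetched from a static URL as botpack.dat
BOTPACK_URL = re.compile(r"/botpack\.dat(?:$|[?#])", re.I)
# (child, parent) pairs from the OneNote -> HTA -> PowerShell chain
SUSPECT_PAIRS = {("mshta.exe", "onenote.exe"), ("powershell.exe", "mshta.exe")}

def match_event(ev):
    """Return the names of the rules a process or proxy event trips."""
    hits = []
    if ev["type"] == "process":
        child = basename(ev["image"]).lower()
        parent = basename(ev["parent"]).lower()
        if (child, parent) in SUSPECT_PAIRS:
            hits.append(f"{parent}->{child}")
        if RUNDLL_EXPORT.search(ev["cmdline"]):
            hits.append("rundll32-PluginInit")
    elif ev["type"] == "proxy" and BOTPACK_URL.search(ev["url"]):
        hits.append("botpack.dat-download")
    return hits

# Constructed sample telemetry (hypothetical field names, paths and host).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r"mshta.exe C:\Users\user\AppData\Local\Temp\Open.hta"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"powershell.exe -c rundll32 C:\ProgramData\sample.dll,PluginInit"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rundll32.exe C:\Users\user\AppData\Local\Temp\sample.dll,PluginInit"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "proxy", "url": "http://files.example.test/botpack.dat"},
    {"type": "proxy", "url": "https://example.test/botpack.dat.html"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_event(ev) or "clean", ev.get("cmdline") or ev["url"])
```

Export names and file names are campaign-specific and easy for operators to change, so the parent/child process rules are the more durable part of this check.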

The Lite variant, which is considered one of the top threats this year, was discovered in November as a payload from the Emotet botnet, which is also used as a malware delivery platform. Proofpoint attributes Emotet to the group it tracks as TA542. It is unclear whether the Lite version was developed by TA542 or is a product of one of its users.

The researchers wrote that because follow-on infections are sometimes invisible to researchers, they were unable to conclusively link the Lite IcedID variant to TA542, even though it had only been observed after TA542 Emotet infections.

Because several hackers appear to have access to the source of the new IcedID variants at this time, the Proofpoint researchers stated that they anticipate discovering more variants in the future. Their report includes indicators of compromise for the campaigns seen thus far using the standard, forked and Lite variants.


The online banking fraud capability has been removed from the new IcedID variants, which now concentrate on delivering more malware to victim systems. Since late last year, three different threat actors have reportedly used these new variants in seven campaigns, all of which have as their primary objective the delivery of additional payloads, most notably ransomware. The IcedID loader now comes in two new iterations, “Lite” (first spotted in November 2022) and “Forked” (first noticed in February 2023), both of which deliver the same IcedID bot with a reduced feature set.

The new IcedID variants can be made stealthier and leaner, which can help threat actors avoid detection. IcedID has been used in several malicious campaigns without many code modifications since 2017. Beginning in November 2022, systems compromised by the recently resurrected Emotet malware would receive the “Lite” version of the IcedID loader as a second-stage payload. In February 2023, the “Forked” variant of the malware loader first surfaced and was widely disseminated using phishing emails with a personalized invoice theme.

These messages used Microsoft OneNote attachments (.one) to launch malicious HTA files that, in turn, ran PowerShell commands to fetch IcedID from a remote resource. The victim is also shown a fake PDF at the same time. At the end of February, Proofpoint researchers noticed a low-volume campaign spreading the “Forked” IcedID through phony warnings from the U.S. Food and Drug Administration and the National Traffic and Motor Vehicle Safety Act.
