Mar 28, 2023, by Ravie Lakshmanan
Multiple threat actors have been observed using two new variants
of the IcedID malware[1]
in the wild. Both have more limited functionality, stripping out
the features related to online banking fraud.
IcedID, also known as BokBot, started off as a banking trojan in
2017. It’s also capable of delivering additional malware, including
ransomware.
“The well-known IcedID version consists of an initial loader
which contacts a Loader [command-and-control] server, downloads the
standard DLL Loader, which then delivers the standard IcedID Bot,”
Proofpoint said[2]
in a new report published Monday.
One of the new versions is a Lite variant that was previously highlighted[3]
as being dropped as a follow-on payload by the Emotet malware[4]
in November 2022. Also newly observed in February 2023 is a Forked
variant of IcedID.
Both these variants are designed to drop what’s called a Forked
version of IcedID Bot that leaves out the web injects and
backconnect functionality that would typically be used for banking
fraud, the enterprise security firm noted.
“It is likely a cluster of threat actors is using modified
variants to pivot the malware away from typical banking trojan and
banking fraud activity to focus on payload delivery, which likely
includes prioritizing ransomware delivery,” Proofpoint noted.
The February campaign has been tied to a new group christened
TA581, with the threat actor distributing the Forked variant using
weaponized Microsoft OneNote attachments. Another malware used by
TA581 is the Bumblebee loader[5].
In all, the Forked IcedID variant has been employed in seven
different campaigns to date, some of which have been undertaken by
initial access brokers (IABs).
The use of existing Emotet infections to deliver the Lite
variant has raised the possibility of a potential partnership
between Emotet developers and IcedID operators.
“While historically IcedID’s main function was a banking trojan,
the removal of banking functionality aligns with the overall
landscape shift away from banking malware and an increasing focus
on being a loader for follow-on infections, including ransomware,”
the researchers said.
References
1. IcedID malware (thehackernews.com)
2. said (www.proofpoint.com)
3. previously highlighted (thehackernews.com)
4. Emotet malware (thehackernews.com)
5. Bumblebee loader (thehackernews.com)
7. Twitter (twitter.com)
8. LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/03/icedid-malware-shifts-focus-from.html
