Malicious revolution: IcedID changes tactics and becomes even more dangerous

    Learn about dangerous changes to IcedID and how to protect yourself from new threats.

    Proofpoint recently discovered new variants of the IcedID malware. They lack IcedID's typical online banking fraud features and instead focus on installing additional malware on compromised systems.

    Since the end of last year, the new variants of IcedID have reportedly been used by 3 independent groups of attackers in 7 different campaigns. All of the attacks were aimed at delivering follow-on payloads, primarily ransomware.

    Proofpoint has identified two new variants of the IcedID loader: "Lite" (first seen in November 2022) and "Forked" (first seen in February 2023). Both loaders differ from the older versions of IcedID in their functionality and in a modified payload delivery method.

    Removing unnecessary features from IcedID, which has been used in numerous malware campaigns without significant changes since 2017, makes the malware more inconspicuous and compact, which can help attackers evade detection.

    Starting in November 2022, the "Lite" variant of the IcedID loader was delivered as a second-stage payload after the device had been infected with another notorious malware family, Emotet.

    The "Forked" version of the loader first appeared in February 2023 and was distributed directly through thousands of personalized phishing emails carrying fake tax documents. These attacks used Microsoft OneNote attachments with the ".one" extension. The attachments were used to execute a malicious ".hta" file, which in turn launched PowerShell, and through it IcedID itself was downloaded from a remote resource. The victim only saw a decoy PDF and did not notice the malicious activity in the background.
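    The delivery chain described above (OneNote attachment, then an .hta file, then PowerShell) leaves a distinctive parent-child process lineage in endpoint telemetry. The following is an added detection example, not code from the article or from Proofpoint; it assumes process-creation events with pid, parent pid, image name and command line (Sysmon Event ID 1 style), and the sample events are constructed.

```python
# Added example (not from the article): flag the OneNote -> mshta -> PowerShell
# lineage in process-creation telemetry. Field names and the sample events are
# assumptions/constructed; map them onto your EDR or Sysmon schema as needed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, e.g. "mshta.exe"
    cmdline: str    # full command line as logged


# Constructed sample telemetry mirroring the chain in the article:
# OneNote opens a .one attachment, spawns mshta.exe on an .hta file,
# which launches PowerShell. A benign PDF reader is included as a control.
EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "ONENOTE.EXE", r'"ONENOTE.EXE" C:\Users\u\Downloads\TaxForm.one'),
    ProcEvent(300, 200, "mshta.exe", r'mshta.exe C:\Users\u\AppData\Local\Temp\open.hta'),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe <constructed placeholder args>"),
    ProcEvent(500, 100, "acrord32.exe", r'acrord32.exe C:\Users\u\Downloads\invoice.pdf'),
]

# Ordered ancestor -> descendant image names that make up the suspect chain.
SUSPECT_CHAIN: Tuple[str, ...] = ("onenote.exe", "mshta.exe", "powershell.exe")


def find_delivery_chains(events: Sequence[ProcEvent],
                         chain: Tuple[str, ...] = SUSPECT_CHAIN) -> List[Tuple[int, ...]]:
    """Return pid tuples (oldest ancestor first) for every process whose direct
    ancestry matches `chain` exactly: chain[-1] is the process itself, chain[-2]
    its parent, and so on. Image names are compared case-insensitively."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, ...]] = []
    for ev in events:
        lineage: List[ProcEvent] = []
        cur: Optional[ProcEvent] = ev
        # Walk up the parent links, collecting at most len(chain) processes.
        while cur is not None and len(lineage) < len(chain):
            lineage.append(cur)
            cur = by_pid.get(cur.ppid)
        lineage.reverse()  # oldest ancestor first
        if len(lineage) == len(chain) and \
                tuple(p.image.lower() for p in lineage) == tuple(chain):
            hits.append(tuple(p.pid for p in lineage))
    return hits


if __name__ == "__main__":
    for hit in find_delivery_chains(EVENTS):
        print("suspect delivery chain (pids, parent to child):", hit)
```

    On the constructed events the function reports the single lineage (200, 300, 400); the PDF reader spawned directly by Explorer is not flagged.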

    In late February, Proofpoint researchers observed a small-scale IcedID "Forked" campaign that used fake email notifications from the US agencies NHTSA and the FDA. As Proofpoint points out, while some attackers are using the new variants of the IcedID loader, others still choose to deploy the standard variant; one of the latest such campaigns was recorded earlier this month.

    The "Forked" IcedID loader is very similar to the "Standard" version in terms of its role: it sends basic host information to the C2 server and then retrieves the IcedID bot itself. However, it uses a different file type and contains additional domain and string decryption code, making the payload 12 KB larger than the standard version. The "Lite" loader is 20 KB smaller and does not send host information to the C2 server, since it is usually deployed together with Emotet, which profiles the compromised system itself.

    The "Forked" version of the IcedID bot itself is 64 KB smaller than the "Standard" version of the bot, and is essentially the same malware minus the web injection system, the AiTM (man in the middle) features, and the reverse-connection capabilities that give attackers remote access to infected devices.

    IcedID is typically used by attackers to gain initial access to a target device. The development of new variants is a worrying sign that indicates a shift towards specializing the bot for payload delivery.

    Proofpoint predicts that the majority of attackers will continue to use the "Standard" version of the IcedID loader, but that deployment of the newer versions will also increase, and more loader variants may appear later this year.

    Author DeepWeb