Learn about dangerous changes to IcedID and how to protect yourself from new threats.
Proofpoint recently discovered new variants of IcedID malware. They do not feature IcedID's typical online banking fraud features, instead focusing on installing additional malware on compromised systems.
Since the end of last year, new variants of IcedID have reportedly been used by 3 independent threat groups in 7 different campaigns. All of these attacks were aimed at delivering payloads, primarily ransomware.
Proofpoint has identified two new variants of the IcedID loader: "Lite" (first seen in November 2022) and "Forked" (first seen in February 2023). Both loaders differ from the older versions of IcedID in their functionality and in a modified payload delivery method.
Stripping unnecessary features from IcedID, which has been used in numerous malware campaigns without significant changes since 2017, makes the malware less conspicuous and more compact, which can help attackers evade detection.
Starting in November 2022, the "Lite" variant of the IcedID loader was delivered as a second-stage payload after the device had already been infected with another notorious malware, Emotet.
The "Forked" version of the loader first appeared in February 2023 and was distributed directly through thousands of personalized phishing emails carrying fake tax documents. These attacks used Microsoft OneNote attachments with the ".one" extension. The attachments were used to execute a malicious ".hta" file, which in turn launched PowerShell, and PowerShell then loaded IcedID itself from a remote resource. The victim saw only a decoy PDF and noticed nothing of the malicious activity running in the background.
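As an added, defender-side illustration (not Proofpoint's code or anything from the article), the following check reconstructs process ancestry from constructed process-creation events and flags PowerShell instances whose ancestors include mshta.exe (the Windows handler for ".hta" files) and OneNote, matching the execution chain described above. The event field names and sample paths are assumptions made for this example.

```python
# Added example: flag PowerShell processes whose ancestry matches the
# OneNote -> .hta (mshta.exe) -> PowerShell chain. Intermediate processes
# (e.g. cmd.exe) between chain members are tolerated.
from typing import Dict, List

# Root-first chain of image basenames; mshta.exe is the default .hta handler.
CHAIN = ("onenote.exe", "mshta.exe", "powershell.exe")

# Constructed process-creation events (field names are an assumption).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: PowerShell launched from the desktop shell, no OneNote/mshta ancestor.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from the process itself up to the root (nearest first)."""
    by_pid = {e["pid"]: e for e in events}
    lineage, seen = [], set()
    while pid in by_pid and pid not in seen:   # guard against PID reuse loops
        seen.add(pid)
        lineage.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return lineage

def matches_chain(events: List[Dict], pid: int, chain=CHAIN) -> bool:
    """True if the process is the chain's last member and the remaining
    members appear, in order, among its ancestors (gaps allowed)."""
    lineage = ancestry(events, pid)
    if lineage[:1] != [chain[-1]]:
        return False
    want = list(reversed(chain))
    matched = 0
    for name in lineage:
        if matched < len(want) and name == want[matched]:
            matched += 1
    return matched == len(want)

def find_suspicious(events: List[Dict], chain=CHAIN) -> List[int]:
    """PIDs of all processes in the event set that match the chain."""
    return [e["pid"] for e in events if matches_chain(events, e["pid"], chain)]

if __name__ == "__main__":
    print("suspicious PIDs:", find_suspicious(SAMPLE_EVENTS))
```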
In late February, Proofpoint researchers observed a small-scale IcedID "Forked" campaign using fake email notifications from the US agencies NHTSA and FDA. As Proofpoint points out, while some attackers are using the new IcedID loader variants, others still choose to deploy the standard variant, with one of the latest such campaigns recorded earlier this month.
The "Forked" IcedID loader is very similar to the "Standard" version in its role: it sends basic host information to the C2 server and then retrieves the IcedID bot itself. However, it uses a different file type and contains additional domain and string decryption code, making the payload 12 KB larger than the standard version. The "Lite" loader is 20 KB lighter and does not send host information to the C2 server, since it is usually deployed together with Emotet, which itself profiles the compromised system.
The "Forked" version of the IcedID bot itself is 64 KB smaller than the "Standard" bot and is essentially the same malware minus the web injection system, the AiTM (adversary-in-the-middle) features, and the reverse-connection capability that gives attackers remote access to infected devices.
IcedID is typically used by attackers to gain initial access to target devices. The development of new variants is a worrying sign that indicates a shift towards specializing the bot for payload delivery.
Proofpoint predicts that the majority of attackers will continue to use the "Standard" version of the IcedID loader, but that deployment of the newer versions will also increase, and that more loader variants may appear later this year.