Three new variants of the IcedID banking Trojan have been discovered. They share a common code base but have some important differences.
Security researchers at Proofpoint described malware samples in an advisory published earlier today, naming them Standard, Lite, and Forked IcedID variants respectively.
The first variant is the most commonly observed and was first discovered in 2017. This Standard variant includes an initial loader that connects to the loader’s command and control (C2) server and downloads a DLL loader, which in turn delivers the IcedID bot.
Meanwhile, the IcedID Lite variant was discovered by Proofpoint in November 2022 as part of an Emotet campaign by TA542.
“[It] contains a static URL to download a statically named ‘Bot Pack’ file […] The result is an IcedID Lite DLL loader that delivers a forked version of the IcedID Bot, excluding web injection and backconnect functionality typically used for bank fraud,” wrote Pim Trouerbach, Kelsey Merriman, and Joe Wise.
A third variant observed by the team was discovered in February 2023 in a series of seven campaigns.
“This variant was distributed by TA581 and one unexplained threat activity cluster that acted as the facilitator of the initial access,” wrote Trouerbach, Merriman, and Wise. “The campaign used a variety of email attachments, including Microsoft OneNote attachments and rarely seen .URL attachments, which led to the creation of forked variants of IcedID.”
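The passage above names Microsoft OneNote and .URL attachments as the initial access lures. The script below is an added example, not code from the article or from Proofpoint, showing how a defender might triage a mail-gateway log for those rarely seen attachment types. The log format, the `.one` extension for OneNote files, and the watch-list are assumptions made here; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Attachment types mentioned in the reporting quoted above. The ".one" extension
# (OneNote notebook) and this watch-list are assumptions of this example.
WATCHED_EXTENSIONS = {
    ".one": "OneNote notebook",
    ".url": "Internet shortcut",
}


@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    filename: str
    reason: str


# Hypothetical gateway log format (constructed for this example):
#   <timestamp> from=<sender> to=<recipient> attachment="<filename>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) attachment="(?P<name>[^"]*)"$'
)


def extension_of(filename: str) -> str:
    """Return the final extension in lowercase, or '' if there is none.

    Using the last extension handles double-extension names such as
    'invoice.pdf.url', which would otherwise look like a PDF.
    """
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].lower()


def triage_attachments(lines):
    """Return a Finding for every log line carrying a watched attachment type.

    Malformed lines are skipped rather than aborting the whole run, so one
    bad record does not hide the rest of the log.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ext = extension_of(m["name"])
        if ext in WATCHED_EXTENSIONS:
            findings.append(
                Finding(m["ts"], m["from"], m["to"], m["name"], WATCHED_EXTENSIONS[ext])
            )
    return findings


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    '2023-02-10T09:14:02Z from=billing@example.test to=alice@corp.test attachment="invoice-2023-02.pdf"',
    '2023-02-10T09:15:47Z from=partner@example.test to=bob@corp.test attachment="Meeting Notes.ONE"',
    '2023-02-10T09:16:11Z from=courier@example.test to=carol@corp.test attachment="shipment.pdf.url"',
    'this line is not in the expected format',
    '2023-02-10T09:17:30Z from=hr@corp.test to=dave@corp.test attachment="readme.txt"',
]


if __name__ == "__main__":
    for f in triage_attachments(SAMPLE_LOG):
        print(f"{f.timestamp} {f.sender} -> {f.recipient}: {f.filename} ({f.reason})")
```

The match is case-insensitive and keyed on the last extension only, so an uppercase or double-extension filename is still caught; the output is meant as a triage queue for an analyst, not an automatic block.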
According to the researchers, the Forked IcedID loader seen in February 2023 is closer to the Standard IcedID loader, since it connects to the loader C2 server to fetch both the DLL loader and the bot.
“That DLL loader has similar artifacts to the Lite loader and also loads a forked IcedID bot,” they explained.
According to Proofpoint, the new variants suggest that considerable effort is being put into the future of IcedID and its codebase.
“Historically, IcedID’s primary function has been a banking Trojan, but the removal of banking functionality has moved away from banking malware and increasingly focused on its role as a loader for subsequent infections, including ransomware, consistent with the overall situation,” the advisory concludes. New variants may continue to be used to facilitate additional malware attacks, as many attackers will continue to use the Standard variant.