IcedID Malware Shifts Focus from Banking Fraud to Ransomware Delivery

March 28, 2023 | Ravie Lakshmanan | Ransomware/Endpoint Security


Several threat actors have been observed in the wild using two new variants of the IcedID malware. These variants have more limited functionality, with the features related to online banking fraud removed.

IcedID, also known as BokBot, emerged as a banking Trojan in 2017. It is also capable of delivering additional malware, including ransomware.

“The well-known IcedID version consists of an initial loader that contacts a loader [command-and-control] server, downloads a standard DLL loader, and delivers the standard IcedID bot,” Proofpoint said in a new report published Monday.

One of the new versions is the Lite variant, previously highlighted as being dropped as a follow-on payload by the Emotet malware in November 2022. The other, first observed in February 2023, is a Forked variant of IcedID.

Both of these loaders are designed to drop what the enterprise security firm calls a Forked version of the IcedID bot, which leaves out the web-inject and back-connect capabilities typically used for banking fraud.

According to Proofpoint, “threat actor clusters may be using modified variants to distance the malware from typical banking Trojan and banking fraud campaigns and to focus on delivering payloads, including prioritizing ransomware delivery.”

The February campaign has been attributed to a new group dubbed TA581, which distributes the Forked variant using weaponized Microsoft OneNote attachments. TA581 has also been observed using the Bumblebee loader.


Overall, the Forked IcedID variant has been used in seven different campaigns so far, some of which are run by Initial Access Brokers (IABs).

The use of existing Emotet infections to deliver the Lite variant points to a potential partnership between the Emotet developers and the IcedID operators.

“Historically, IcedID's primary function has been as a banking Trojan, but the removal of the banking functionality is consistent with a broader shift away from banking malware and toward an increased focus on its role as a loader for follow-on infections, including ransomware,” the researchers said.
