Security researchers have seen attack campaigns using two new variants of IcedID, a banking Trojan that has been used to deliver ransomware in recent years. The two new variants, one of which appears to be linked to the Emotet botnet, are lighter than the standard one because certain functionality has been stripped out.
“It’s likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking Trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery,” researchers from Proofpoint said in a new report. “Additionally, based on artifacts observed in the codebase, timing, and association with Emotet infections, Proofpoint researchers suspect the initial developers of Emotet have partnered with IcedID operators to expand their activities including using the new Lite variant of IcedID that has different, unique functionality and likely testing it via existing Emotet infections.”
IcedID is favored by initial access brokers
IcedID first appeared in 2017 and was originally a Trojan designed to steal online banking credentials by injecting rogue content into local browsing sessions, an attack known as a webinject. From 2017 until last year, the Trojan’s codebase remained largely unchanged. However, in recent years some attacker groups started using it more for its ability to serve as a loader for additional malware payloads than for its bank fraud capabilities.
During 2022 and 2023, Proofpoint has seen hundreds of attack campaigns using the IcedID Trojan and has linked them to five distinct threat actors, most of which operate as initial access brokers, meaning they sell access into corporate networks to other cybercriminals, usually ransomware gangs.
A group that Proofpoint tracks as TA578 has been using IcedID since June 2020. Its email-based malware distribution campaigns typically use lures such as “stolen images” or “copyright violations”. The group uses what Proofpoint considers to be the standard variant of IcedID, but has also been seen delivering Bumblebee, another malware loader favored by initial access brokers.
Another group that uses the standard IcedID variant is TA551, which has been operating since 2018. This group uses email thread hijacking techniques to distribute malicious Word documents, PDFs and, more recently, OneNote documents. In addition to IcedID, TA551 payloads include the SVCReady and Ursnif malware families.
A second group that uses email thread hijacking and IcedID is tracked as TA577. This group started using IcedID in 2021 and is also known for distributing Qbot. During 2022, Proofpoint also observed a threat actor it identifies as TA544 that targets organizations in Italy and Japan with IcedID and Ursnif.
IcedID Lite and forked variants
Since February, Proofpoint has been tracking a new group dubbed TA581 that uses a forked variant of IcedID with the banking fraud functionality removed, including the webinjects and backconnect. TA581 is believed to be an initial access facilitator and is also known for using the Bumblebee malware.
The threat actor uses business-relevant lures in its email campaigns, such as payroll, customer information, invoices, and order receipts, to deliver a variety of file types or malicious URLs. The forked IcedID campaigns specifically used Microsoft OneNote attachments and unusual attachments with the .URL extension.
The forked IcedID variant uses the standard IcedID payload, which contacts a loader command-and-control (C2) server to download a DLL and then the forked version of the IcedID Trojan with the banking functionality removed.
In one campaign using the forked variant, the attackers used invoice-themed lures requesting confirmation from the recipient. The recipients were addressed by name and the emails had attachments ending in .one (OneNote files). When opened, these documents instructed the recipient to double-click the “Open” button in the document, which instead executed an HTML Application (HTA) file. This file executed a PowerShell command that loaded the IcedID loader via rundll32’s PluginInit export and also opened a decoy PDF file.
In another campaign, attackers used lures such as product recall notices related to the National Traffic and Motor Vehicle Safety Act or the U.S. Food and Drug Administration. These emails contained .URL attachments that, when opened, would launch the default browser and download a .bat script. This script would then download and execute the IcedID loader using the same rundll32 technique.
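As an added detection example (not code from Proofpoint or the article), the following scores constructed Sysmon-style process-creation events for the two delivery chains described above: an Office or browser process, through a script host (mshta.exe hosts HTA files, cmd.exe runs .bat scripts), down to rundll32 invoking a DLL's PluginInit export. The event field names, the browser list and the sample command lines are assumptions built for this illustration.

```python
# Added example: flag rundll32/PluginInit launches whose parent chain matches the
# OneNote -> HTA -> PowerShell -> rundll32 and .URL -> browser -> .bat -> rundll32 chains.
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-case (assumed field, Sysmon Event 1 style)
    cmdline: str    # full command line

# Lure-side ancestors (document reader or browser) and the script hosts in between.
OFFICE_OR_BROWSER = {"onenote.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe"}
# rundll32 <path>.dll,PluginInit  (the export named in the article)
PLUGININIT_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll\s*,\s*PluginInit\b", re.IGNORECASE)

def ancestry(events, pid, max_depth=8):
    """Images from the given process up to its oldest ancestor present in the events."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def detect(events):
    """Return (pid, reason) for rundll32 events that call a PluginInit export."""
    hits = []
    for e in events:
        if e.image != "rundll32.exe" or not PLUGININIT_RE.search(e.cmdline):
            continue
        chain = ancestry(events, e.pid)
        via_host = any(p in SCRIPT_HOSTS for p in chain[1:])
        from_lure = any(p in OFFICE_OR_BROWSER for p in chain)
        if via_host and from_lure:
            hits.append((e.pid, "PluginInit export launched from " + " <- ".join(chain)))
        else:
            hits.append((e.pid, "PluginInit export (lure chain not confirmed)"))
    return hits

# Constructed sample: both described chains plus one benign rundll32 use.
SAMPLE = [
    ProcEvent(100, 1, "onenote.exe", "onenote.exe invoice.one"),
    ProcEvent(101, 100, "mshta.exe", "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\open.hta"),
    ProcEvent(102, 101, "powershell.exe", "powershell.exe -w hidden -c ..."),
    ProcEvent(103, 102, "rundll32.exe", "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,PluginInit"),
    ProcEvent(200, 1, "msedge.exe", "msedge.exe"),
    ProcEvent(201, 200, "cmd.exe", "cmd.exe /c recall.bat"),
    ProcEvent(202, 201, "rundll32.exe", "rundll32.exe y.dll, PluginInit"),
    ProcEvent(300, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(301, 300, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]
```

Running `detect(SAMPLE)` flags only the two chains ending in pids 103 and 202; the benign Control_RunDLL call is ignored.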
At the same time, the researchers observed another IcedID variant that they call the Lite variant, which does not use a C2 server and instead uses a hardcoded static URL to download a “Bot Pack” file named botpack.dat. This file contains the loader DLL, which then downloads the same forked and stripped version of the IcedID bot. The difference with this version is that it also does not exfiltrate information about the infected machine to the C2 server, since it does not use a C2 server at all.
The Lite variant was observed in November as a payload from Emotet, a botnet that is also used as a malware delivery platform and is considered one of the top threats this year. Proofpoint attributes Emotet to a group it tracks as TA542. It is not clear whether the Lite variant was created by TA542 or is used by one of its customers.
“The Lite IcedID variant has only been observed following TA542 Emotet infections, but Proofpoint cannot definitively attribute the Lite variant to TA542 as follow-on infections are often outside of researchers’ visibility,” the researchers said.
The Proofpoint researchers said that since the IcedID codebase now appears to be available to multiple cybercriminals, they expect to see new variants in the future. Their report contains indicators of compromise for the campaigns seen so far using the standard, forked and Lite variants.
Copyright © 2023 IDG Communications, Inc.