


CSO Senior Writer

Researchers warn of two new variants of potent IcedID malware loader

News Analysis
Mar 27, 2023 (5 mins)

The new IcedID variants are likely used for ransomware delivery, and researchers expect new variants to emerge.

Security researchers have seen attack campaigns using two new variants of IcedID, a banking Trojan program that has been used to deliver ransomware in recent years. The two new variants, one of which appears to be connected to the Emotet botnet, are lighter compared to the standard one because certain functionality has been stripped.

“It is likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking Trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery,” researchers from Proofpoint said in a new report. “Additionally, based on artifacts observed in the codebase, timing, and association with Emotet infections, Proofpoint researchers suspect the initial developers of Emotet have partnered with IcedID operators to expand their activities including using the new Lite variant of IcedID that has different, unique functionality and likely testing it via existing Emotet infections.”

IcedID is favored by initial access brokers

IcedID first appeared in 2017 and was originally a Trojan designed to steal online banking credentials by injecting rogue content into local browsing sessions — an attack known as webinject. From 2017 until last year, the Trojan’s codebase remained largely unchanged. However, in recent years some attacker groups started using it more for its ability to serve as a loader for additional malware payloads than for its bank fraud capabilities.

During 2022 and 2023, Proofpoint has seen hundreds of attack campaigns using the IcedID Trojan and managed to link them to five distinct threat actors, most of which operate as initial access brokers, meaning they sell access into corporate networks to other cybercriminals, usually ransomware gangs.

A group that Proofpoint tracks as TA578 has been using IcedID since June 2020. Its email-based malware distribution campaigns typically use lures such as “stolen images” or “copyright violations”. The group uses what Proofpoint considers to be the standard variant of IcedID, but has also been seen delivering Bumblebee, another malware loader favored by initial access brokers.

Another group that uses the standard IcedID variant is TA551, which has been operating since 2018. This group uses email thread hijacking techniques to distribute malicious Word documents, PDFs and, recently, OneNote documents. In addition to IcedID, TA551 payloads include the SVCReady and Ursnif malware programs.

A second group that uses email thread hijacking and IcedID is tracked as TA577. This group started using IcedID in 2021 and is also known for distributing Qbot. During 2022, Proofpoint also observed a threat actor it identifies as TA544 that targets organizations in Italy and Japan with IcedID and Ursnif.

IcedID lite and forked variants

Since February, Proofpoint has been tracking a new group dubbed TA581 that uses a forked variant of IcedID with the banking fraud functionality removed, including the webinjects and backconnect. TA581 is believed to be an initial access facilitator and is also known for using the Bumblebee malware.

The threat actor uses business-relevant lures in its email campaigns such as payroll, customer information, invoice, and order receipts to deliver a variety of file types or malicious URLs. The forked IcedID campaigns in particular used Microsoft OneNote attachments and unusual attachments with the .URL extension.

The forked IcedID variant uses the standard IcedID payload, which contacts a loader command-and-control (C2) server to download a DLL and then the forked version of the IcedID Trojan with the banking fraud functionality removed.

In one campaign using the forked variant, the attackers used invoice-themed lures requesting confirmation from the recipient. The recipients were addressed by name and the emails had attachments ending in .one (OneNote files). When opened, these documents instructed the recipient to double-click on the “open” button in the document, which instead executed an HTML Application (HTA) file. This file executed a PowerShell command that loaded the IcedID loader via rundll32’s PluginInit export and also opened a decoy PDF file.

In another campaign, attackers used lures such as product recall notices related to the National Traffic and Motor Vehicle Safety Act or the U.S. Food and Drug Administration. These emails contained .URL attachments that, when opened, would launch the default browser and download a .bat script. This script would then download and execute the IcedID loader using the same rundll32 technique.
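Both campaigns above end in rundll32 calling a DLL's PluginInit export, so the following added example (not from the article or the Proofpoint report) shows detection logic that walks process ancestry over process-creation events and flags that call. The event fields, file paths and parent image names (ONENOTE.EXE, mshta.exe, powershell.exe, cmd.exe as the usual Windows handlers for the file types described) are assumptions, and the sample events are constructed.

```python
import re

# Constructed process-creation events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "ONENOTE.EXE", "cmd": r'ONENOTE.EXE "C:\Users\a\Downloads\invoice.one"'},
    {"pid": 101, "ppid": 100, "image": "mshta.exe", "cmd": r'mshta.exe "C:\Users\a\AppData\Local\Temp\open.hta"'},
    {"pid": 102, "ppid": 101, "image": "powershell.exe", "cmd": "powershell.exe <constructed command>"},
    {"pid": 103, "ppid": 102, "image": "rundll32.exe", "cmd": r"rundll32.exe C:\ProgramData\example.dll,PluginInit"},
    {"pid": 200, "ppid": 1, "image": "cmd.exe", "cmd": r'cmd.exe /c "C:\Users\b\Downloads\notice.bat"'},
    {"pid": 201, "ppid": 200, "image": "rundll32.exe", "cmd": r"rundll32 C:\Users\b\AppData\Local\Temp\example.dll, PluginInit"},
    {"pid": 300, "ppid": 1, "image": "rundll32.exe", "cmd": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"pid": 400, "ppid": 1, "image": "rundll32.exe", "cmd": r"rundll32.exe C:\Apps\vendor\example.dll,PluginInit"},
]

# Export name taken from the article; rundll32 syntax is "<dll>,<export>".
EXPORT_RE = re.compile(r",\s*PluginInit\b", re.IGNORECASE)
# Ancestors that match the document/script delivery chains described in the article.
SCRIPT_HOSTS = {"onenote.exe", "mshta.exe", "powershell.exe", "cmd.exe"}


def ancestry(event, by_pid):
    """Return lower-cased image names from the parent up to the root."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:  # guard against pid loops
        seen.add(parent["pid"])
        chain.append(parent["image"].lower())
        parent = by_pid.get(parent["ppid"])
    return chain


def detect(events):
    """Flag rundll32 PluginInit calls; raise severity when a script host is an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() != "rundll32.exe" or not EXPORT_RE.search(e["cmd"]):
            continue
        chain = ancestry(e, by_pid)
        severity = "high" if SCRIPT_HOSTS.intersection(chain) else "medium"
        alerts.append({"pid": e["pid"], "severity": severity, "chain": chain})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The export name alone is rated medium because a legitimate DLL may use the same export name; the ancestry check is what ties an event to the delivery chains described here.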

At the same time, the researchers observed another IcedID variant, which they call the Lite variant, that doesn’t use a C2 server and instead uses a hardcoded static URL to download a “Bot Pack” file with the name botpack.dat. This file contains the loader DLL, which then downloads the same forked and stripped version of the IcedID bot. The difference with this version is that it also doesn’t exfiltrate information about the infected machine to the C2 server, since it doesn’t use a C2 server.

The lite variant was observed in November as a payload from Emotet, a botnet that’s also used as a malware delivery platform and is viewed as one of the top threats this year. Proofpoint attributes Emotet to a group it tracks as TA542. It’s not clear if the lite variant was created by TA542 or is used by one of its customers.

“The Lite IcedID variant has only been observed following TA542 Emotet infections, but Proofpoint cannot definitively attribute the Lite variant to TA542 as follow-on infections are typically outside of researchers’ visibility,” the researchers said.

The Proofpoint researchers said that since the IcedID codebase seems to be available to multiple cybercriminals now, they expect to see new variants in the future. Their report contains indicators of compromise for the campaigns seen so far using the standard, forked and lite variants.