New evidence has revealed that multiple cybercriminals are using two recent variants of the IcedID malware, which have limited functionality and do not include functions related to online banking fraud. According to a Monday publication by Proofpoint, the well-known IcedID version consists of an initial loader that contacts a loader server and downloads the standard DLL Loader to deliver the standard IcedID Bot.
In 2017, IcedID was documented as a banking trojan that could deliver other malware known as BokBot. In November 2022, a lighter variant appeared as a follow-up payload from Emotet malware, while in February 2023, a modified version of IcedID emerged. According to Proofpoint’s analysis of both recent variants, their design deploys a forked IcedID Bot that omits the web-inject and back-connect functionality used for banking fraud.
A group known as TA581 has been identified as responsible for spreading the Forked variant during the February campaign. Although several cybercriminals have been confirmed to be using the new variants, the group is believed to be pivoting the malware away from typical banking trojan and banking fraud activity to focus on payload delivery, prioritizing ransomware delivery in particular. The group employs weaponized Microsoft OneNote attachments to aid the process and uses other malware, including the Bumblebee loader.
The researchers’ report confirms a change in the malware’s focus, as stated: “In the past, IcedID primarily functioned as a banking trojan, but the removal of its banking capabilities reflects the overall trend away from banking malware and towards prioritizing its role as a loader for subsequent infections, such as ransomware.” Additionally, new findings suggest that the Lite variant of the malware is being distributed through existing Emotet infections, leading to speculation about a potential collaboration between the developers of Emotet and the operators of IcedID.