Researchers have spotted three new variants of the IcedID malware being used by multiple threat actors, with their code shifted away from banking-trojan functionality toward a focus on ransomware delivery.
One new version appears to come with a separate panel for managing the malware. While much of the code base is the same, the threat actors have removed banking functionality such as web injects and back connect.
The first new variant of IcedID, dubbed “IcedID Lite”, was distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after that actor returned to the cybercrime landscape following a nearly four-month break.
During 2022 and 2023, researchers have seen hundreds of attack campaigns using the IcedID Trojan and have linked them to five distinct threat actors.
- A group that Proofpoint tracks as TA578 has been using IcedID since June 2020. Its email-based malware distribution campaigns typically use lures such as stolen images or copyright violations.
- Another group, TA551, has been operating since 2018. This group uses email thread hijacking to distribute malicious Word documents, PDFs and, more recently, OneNote documents. TA551 payloads include the SVCReady and Ursnif malware programs.
- Another group that uses email thread hijacking and IcedID is tracked as TA577. This group started using IcedID in 2021 and is also known for distributing Qbot.
- A threat actor Proofpoint identifies as TA544 targets organizations in Italy and Japan with IcedID and Ursnif.
Based on this, the researchers strongly believe the original operators behind Emotet have been using an IcedID variant with different functionality. Like Emotet, IcedID is a two-stage malware whose purpose is to load additional malicious code; its behaviour patterns are easier to identify than those of a single-stage malware.
Emotet and IcedID are well-known trojans, best known for stealing banking credentials, and both have now transitioned into C2 loaders that give malicious actors a much more flexible delivery vehicle.
The high number of actors and campaigns involving IcedID suggests a potent and flexible strain of malware, the kind of tool that lends itself to other uses.
This research was documented by researchers from Proofpoint.