It seems that this cunning malware has a whole bunch of new tricks up its sleeve
Two new variants of the infamous IcedID malware have been discovered, but both lack certain distinctive features, making security experts curious about their purpose.
Cybersecurity researchers from Proofpoint revealed (opens in a new tab) since February, they have been tracking two versions of IcedID, one called “Lite” and the other called “Forked”.
Both are devoid of typical online banking scam features, instead allegedly acting more as a dropper for more elaborate campaigns.
Hidden malware tactics
Proofpoint says that since late last year, at least three different hacker groups have used the two versions in seven campaigns. Apparently, these groups use IcedID as a stepping stone towards ransomware infections.
It is unclear why cybercriminals decided to strip IcedID of its unique features, but some reports suggest that removing “unnecessary” features makes it more stealthy and leaner, helping cybercriminals stay hidden longer.
The way IcedID is delivered to victims also varies. In some cases, attackers distributed phishing emails with Microsoft OneNote attachments. In other cases, they would use Emotet.
The researchers noted that the existence of two new variants does not mean that the original malware is no longer in use.
As late as March 10, 2023, some cybercriminals still choose to implement what Proofpoint calls the “standard” variant. Researchers believe that the majority of cybercriminals will still choose the standard variant, even though Lite and Forked may gain popularity this year.
IcedID is an old, modular banking Trojan typically used to deploy stage two malware. So far, cybersecurity researchers have seen it used in countless campaigns, mostly used by access brokers to obtain and then sell access to high-value networks and endpoints.
One such group was TA551, a cybercriminal group that has no specific ties to any nation state. The group was seen selling access obtained through IcedID last April.