New IcedID variants have been found without the usual banking-fraud functionality. Instead, they appear to be aimed at installing additional malware on infected devices.
Proofpoint has identified two new versions of the IcedID loader, named “Lite” and “Forked”; both deliver the same slimmed-down IcedID bot with a more focused feature set.
IcedID is a modular trojan that first appeared in 2017 and has since proven itself to be one of the most notorious pieces of malware. In this blog we will briefly touch on the different IcedID campaigns we have been tracking, including:
- Malicious OneNote campaign
- .url files delivered over the WebDAV protocol campaign
- Thumbcache viewer campaign
- HTML smuggling campaigns
In November 2022, the “Lite” version of the IcedID loader was observed being delivered as a follow-on payload to systems already infected with the well-known Emotet malware.
In late February, Proofpoint researchers observed a low-volume campaign distributing IcedID “Forked” via fake alerts purporting to come from the National Highway Traffic and Motor Vehicle Safety Act and the US Food and Drug Administration (FDA).
The “Forked” IcedID loader is quite similar to the “Standard” version in terms of its role: it sends basic host information to the command-and-control (C2) server and then retrieves the IcedID bot.
However, “Forked” is delivered as a different file type (a COM server) and carries additional domain and string decryption code, making the payload 12KB larger than the “Standard” version.
The “Forked” version of the IcedID bot is 64KB smaller than the “Standard” bot and is essentially the same malware minus the web-injection system, adversary-in-the-middle (AiTM) features and backconnect capability that give the operators remote access to infected devices.