This devious malware looks like it has a whole load of new tricks up its sleeve

New IcedID variants shift from bank fraud to malware delivery


Two new variants of the infamous IcedID malware have been spotted; however, both lack certain distinctive features, leaving security experts curious about their purpose.

Cybersecurity researchers from Proofpoint revealed that since February they have been tracking two versions of IcedID, one called “Lite” and the other called “Forked”.

Both come without the usual online banking fraud features and instead appear to work as droppers for more elaborate campaigns.

Stealth malware tactics

Proofpoint says that it’s seen at least three different hacking groups using these two versions across seven campaigns since late last year. Apparently, these groups have been using IcedID as a stepping stone toward ransomware infections.

Why exactly threat actors decided to strip IcedID of its unique features remains unclear, but some reports have suggested that removing “unneeded” functions makes it stealthier and leaner, helping cybercriminals stay hidden for longer.

The way IcedID is delivered to victims also differs. In some cases, the attackers would distribute phishing emails with Microsoft OneNote attachments. In other cases, they’d use Emotet.

The researchers noted that the existence of two new variants does not mean the original malware is no longer being used.


As recently as March 10, 2023, some threat actors still choose to deploy what Proofpoint calls the “Standard” variant. The researchers believe most threat actors will still opt for the standard variant, even though Lite and Forked might gain some popularity this year.


IcedID is an old, modular banking trojan, usually used to deploy stage-two malware. So far, cybersecurity researchers have seen it in countless campaigns, mostly run by access brokers to obtain, and later sell, access to high-value networks and endpoints.

One such group was TA551, a threat actor with no concrete ties to any nation-state. The group was seen selling access obtained via IcedID last April.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
