Three new variants of the IcedID malware are being used by multiple threat actors, with code that researchers say has shifted away from banking-trojan functionality toward a focus on ransomware.
In a blog post March 27, Proofpoint researchers said that initial analysis suggests the new variants are a forked (new) version of IcedID, potentially with a separate panel for managing the malware. The researchers said that while much of the code base is the same, the threat actors have removed banking functionality such as web injects and backconnect.
Proofpoint researchers in November 2022 observed the first new variant of IcedID, dubbed “IcedID Lite,” distributed as a follow-on payload in a TA542 Emotet campaign. The researchers said it was dropped by the Emotet malware soon after that actor returned to the cybercrime landscape following a nearly four-month break. Now, the researchers believe the original operators behind Emotet have been using an IcedID variant with different functionality.
IcedID comes from a family similar to Emotet, as it’s a two-stage malware, explained Antony Farrow, senior director of solution architecture at Gurucul. Farrow said two-stage malware behavior patterns are easier to identify than single-stage ones, as the first stage is intended to load additional malicious code.
“Emotet and IcedID are well-known trojans, more commonly known for stealing banking credentials, and now it's transitioned into a C2 loader providing malicious actors with a much more fluid vehicle,” said Farrow. “We've also seen Emotet use Dropbox for the instruction set, an organized way to try and hide external communication.”
Craig Burland, chief information security officer at Inversion6, added that Proofpoint’s research comes as unwelcome news for cyber defenders, but again demonstrates cyber criminals acting as digital innovators and savvy entrepreneurs. Burland said the high number of actors and campaigns involving IcedID suggests a potent and flexible strain of malware — the kind of tool that lends itself to other uses.
“It’s easy to understand why a malicious actor would leverage the IcedID core to expand their potential pool of targets,” said Burland. “If IcedID has been typecast as banking malware and ignored by other sectors, there’s a large segment of the economy that are potential victims — or new customers in the eyes of the bad actor. It’s naïve to believe malware and cyber criminals will stay in their lane, avoiding use of their best malware and phishing campaigns because an organization is in the ‘wrong’ sector.”
Krishna Vishnubhotla, vice president of product strategy at Zimperium, compared banking malware to the flu: every year, it evolves and mutates with the rise of malware-as-a-service. Vishnubhotla said the rapid rate at which malware can infect millions of devices through social engineering and phishing makes it particularly effective on mobile devices.
“The successes of TeaBot and FluBot are great examples,” said Vishnubhotla. “Consumers ignore the permissions they ask for, which further contributes to their success. To detect and defend themselves against sophisticated banking malware today, banks must integrate in-app runtime protection solutions that leverage machine learning within their mobile applications. Mobile banking apps need to become risk-aware and self-defending as a practical measure.”