IcedID Malware Shifts Focus from Banking Fraud to Ransomware Delivery


Multiple threat actors have been observed using two new variants of the IcedID malware in the wild. Both are more limited than the standard build: the functionality tied to online banking fraud has been removed.

IcedID, also known as BokBot, first appeared in 2017 as a banking trojan. It is also capable of delivering other malware, including ransomware.

According to a report Proofpoint published on Monday, the Standard IcedID variant consists of an initial loader that contacts a Loader command-and-control (C2) server, downloads the Standard DLL Loader, and then delivers the Standard IcedID Bot.

One of the new versions is the Lite variant, first seen in November 2022 as a follow-on payload delivered by Emotet infections. The other, the Forked variant, was first observed in February 2023.

According to Proofpoint, both new variants are designed to deliver a modified IcedID Bot, referred to as Forked, that omits the web injects and backconnect functionality normally used for banking fraud.

Proofpoint assesses that a cluster of threat actors is using these modified variants to move away from traditional banking fraud and toward payload delivery, with a likely focus on distributing ransomware.

The February campaign is attributed to TA581, a newly designated threat group that distributed the Forked variant through weaponized Microsoft OneNote attachments. TA581 also distributes the Bumblebee loader.
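A triage check for the OneNote delivery vector described above, added here as an example; it is not Proofpoint's tooling or anything taken from the TA581 campaign. The only format knowledge it relies on is the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (a 16-byte header GUID, an 8-byte little-endian length, 12 bytes of unused and reserved fields, the file bytes, then a footer GUID). The sample document, the embedded payload bytes and the `kind` labels are constructed for this example; a real OneNote lure would have other content around the same structures.

```python
"""Carve embedded attachments out of a Microsoft OneNote (.one) file and
flag executable-looking ones. Added example; the .one sample below is
constructed, not a real lure."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

# MS-ONESTORE FileDataStoreObject delimiters, stored on disk as little-endian GUIDs.
HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Constructed payload used by the sample document (does nothing if run).
SAMPLE_LURE = b"@echo off\r\nrem constructed sample, does nothing\r\n"


@dataclass
class EmbeddedFile:
    offset: int   # offset of the file bytes inside the .one document
    size: int
    sha256: str
    kind: str     # label from classify(); the labels are this example's own
    data: bytes


def classify(blob: bytes) -> str:
    """Cheap content sniffing by magic bytes / script keywords."""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"%PDF"):
        return "pdf"
    head = blob[:64].lower()
    if any(m in head for m in (b"@echo", b"powershell", b"wscript", b"cscript", b"cmd ")):
        return "script"
    return "unknown"


def extract_embedded_files(doc: bytes) -> list:
    """Scan for every FileDataStoreObject and return the files it carries."""
    found = []
    pos = doc.find(HEADER_GUID)
    while pos != -1:
        if pos + HEADER_SIZE > len(doc):
            break
        (length,) = struct.unpack_from("<Q", doc, pos + 16)
        start = pos + HEADER_SIZE
        end = start + length
        # Only trust cbLength if the footer GUID sits exactly where it claims;
        # otherwise the object is corrupt or truncated and we skip this header.
        if end + 16 <= len(doc) and doc[end:end + 16] == FOOTER_GUID:
            payload = doc[start:end]
            found.append(EmbeddedFile(start, length,
                                      hashlib.sha256(payload).hexdigest(),
                                      classify(payload), payload))
            pos = doc.find(HEADER_GUID, end + 16)
        else:
            pos = doc.find(HEADER_GUID, pos + 16)
    return found


def verdict(files: list) -> str:
    """Flag the attachment if any embedded file looks executable."""
    return "suspicious" if any(f.kind in ("pe", "script") for f in files) else "no-executable-attachment"


def build_file_data_store_object(payload: bytes) -> bytes:
    return (HEADER_GUID + struct.pack("<Q", len(payload))
            + b"\x00" * 4 + b"\x00" * 8 + payload + FOOTER_GUID)


def build_sample_document() -> bytes:
    """Constructed stand-in for a .one file: filler bytes around two embedded
    objects plus one truncated object with a bogus length field."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
    truncated = HEADER_GUID + struct.pack("<Q", 10_000) + b"\x00" * 12 + b"ABC"
    return (b"\x00" * 32 + build_file_data_store_object(SAMPLE_LURE)
            + b"\xff" * 16 + build_file_data_store_object(fake_pe) + truncated)


if __name__ == "__main__":
    files = extract_embedded_files(build_sample_document())
    for f in files:
        print(f"offset={f.offset} size={f.size} kind={f.kind} sha256={f.sha256}")
    print(verdict(files))
```

On a real mail gateway or sandbox the same scan runs over the attachment bytes before they reach a user; the truncated object in the sample shows why the footer check matters, since a length field alone can be made to point past the end of the file.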

So far the Forked IcedID variant has been observed in seven campaigns, some of them run by initial access brokers (IABs).

Because the Lite variant has been delivered through existing Emotet infections, the Emotet developers and the IcedID operators may be collaborating.

The researchers note that although IcedID historically operated as a banking trojan, the recent changes point to a shift away from targeting banks and toward acting as a loader for other malware, including ransomware. This mirrors a broader move away from banking malware across the threat landscape.
