QBot malware is making a comeback, replacing IcedID in malspam campaigns. Security researchers have noticed that malware distributors are once again rotating the payload, switching between Trojans that serve as an intermediary stage in a longer infection chain. In this case, the tango is between QBot and IcedID, two banking Trojans often seen delivering various ransomware strains as the final payload in an attack.
In February, IcedID was the new malware coming from URLs that had previously served QBot. Brad Duncan of Palo Alto Networks spotted the change and noted in his analysis at the time:
“HTTPS URL ends with /ds/2202.gif, generated by Excel macro, which would normally distribute Qakbot, but today it delivered IcedID”.
James Quinn, a threat researcher at Binary Defense, made the same observation in a blog post in March, as the company unearthed a new IcedID/BokBot variant while tracking a malicious spam campaign from a QakBot distributor.
IcedID was first discovered as a banking trojan in 2017 and soon adjusted its functionality toward malware delivery. It has been seen in the past distributing RansomExx, Maze, and Egregor ransomware. After a gap of about a month and a half, the malware distributor switched the payload back to QBot (aka QakBot), which has been seen in the past delivering ProLock, Egregor, and DoppelPaymer ransomware.
Malware researcher and reverse engineer reecDeep was the one who noticed the latest switch on Monday, observing that the campaign update relies on XLM (Excel 4.0) macros. The analysis from both Binary Defense and Brad Duncan of the distributor's switch to delivering IcedID in February 2021 had seen the same trick.
Recently, security researchers at the threat intelligence firm Intel 471 published details about EtterSilent, a malicious document builder, showing its continued development and its ability to bypass multiple security mechanisms (Windows Defender, AMSI, email services).
One feature of the tool is that it can create malicious documents that look like DocuSign- or DigiCert-protected files and require user interaction for decryption. According to Intel 471, many cybercriminal groups have started using EtterSilent, including those behind IcedID, QakBot, Ursnif, and Trickbot.
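The one concrete network indicator the article gives is the download URL pattern from Brad Duncan's analysis: an HTTPS request whose path ends in /ds/2202.gif, issued by an Excel macro. The following is an added example, not code from the article or from any of the researchers named in it, that runs a defender-side check for that shape of request over a few constructed proxy log lines. It generalizes the one observed URL to any /ds/<digits>.gif path (an assumption, since the article only reports the single value 2202) and groups hits by client so repeated downloads from the same host stand out. The log format, hostnames, addresses and user-agent strings are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample proxy log lines (not from the article).
# Fields: timestamp, client IP, method, URL, user-agent (the user-agent may contain spaces).
SAMPLE_LOG = """\
2021-04-06T10:02:11Z 10.0.0.15 GET https://example-cdn.test/images/logo.png Mozilla/5.0 (constructed UA)
2021-04-06T10:03:42Z 10.0.0.21 GET https://update.test/ds/2202.gif Mozilla/4.0 (constructed UA)
2021-04-06T10:04:09Z 10.0.0.21 GET https://update.test/ds/2203.gif Mozilla/4.0 (constructed UA)
2021-04-06T10:05:00Z 10.0.0.33 GET https://news.test/ds/index.html Mozilla/5.0 (constructed UA)
"""

# Assumed generalization of the reported URL /ds/2202.gif: a /ds/ path segment
# followed by one or more digits and a .gif suffix, on any host.
DS_GIF = re.compile(r"^https?://[^\s/]+/ds/\d+\.gif$", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its five fields; returns {} if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return {}
    ts, client, method, url, agent = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "agent": agent}


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed record whose URL matches the /ds/<digits>.gif pattern."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec and DS_GIF.match(rec["url"]):
            hits.append(rec)
    return hits


def hits_by_client(log_text: str) -> Dict[str, List[str]]:
    """Group matching URLs by client address so repeat downloaders are easy to spot."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for rec in find_suspicious(log_text):
        grouped[rec["client"]].append(rec["url"])
    return dict(grouped)


if __name__ == "__main__":
    for client, urls in hits_by_client(SAMPLE_LOG).items():
        print(f"{client}: {len(urls)} matching request(s)")
        for url in urls:
            print("   ", url)
```

Note that /ds/index.html on the last constructed line is deliberately not flagged: the pattern requires a numeric filename with a .gif suffix, which keeps the check tied to what was actually reported rather than to any /ds/ path. In a real environment the match should be correlated with the originating process (Excel making the request is the telling part of Duncan's observation), which a proxy log alone does not show.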