IcedID: A New Era with 'Lite and Fork' Malware

Proofpoint, a cybersecurity research firm, recently discovered two new variants of the IcedID malware, namely "Lite" and "Forked." The original IcedID malware has been around since 2017 and is commonly used by cybercriminals, but these new versions were only seen for the first time in late 2022 and early 2023.

The Lite IcedID variant was first discovered in November 2022, distributed as a follow-up payload in a TA542 Emotet campaign. Unlike other malware campaigns that aim to steal sensitive data, this Emotet campaign primarily delivers the Lite version of the IcedID Bot.

This Lite variant, however, lacks certain important features that are typically used for banking fraud. Despite this, the IcedID Lite still poses a significant threat as it can be used to deliver other types of malware, such as ransomware, and can compromise the security of a victim's computer system. 

On the other hand, the Forked IcedID variant was first seen in February 2023 and has been used in seven different campaigns. This variant is similar to the original IcedID in that it downloads its payload from a server, but it also shares some characteristics with the Lite version.

IcedID is a type of malware that was originally designed to steal banking information and is also capable of facilitating the installation of other types of malware, such as ransomware, into a victim's computer. 

According to the data, it was first discovered in 2017, and until now only one version had been seen, essentially unchanged. This standard variant of IcedID includes an initial loader that communicates with a Loader C2 server and then downloads a standard DLL Loader, which ultimately installs the IcedID Bot on the targeted computer.

Furthermore, Proofpoint found that IcedID malware has been used in numerous campaigns by threat actors between 2022 and 2023. At least five different groups have been directly distributing the malware in these campaigns. The majority of these threat actors have been identified as initial access brokers, whose primary goal is to facilitate infections that lead to ransomware attacks.

While most of the threat actors are using the standard IcedID variant, researchers at Proofpoint have found evidence of modified versions being used by a particular group of actors who appear to be shifting their focus away from banking fraud and toward delivering malicious payloads, potentially including ransomware. This suggests that the group is attempting to expand its criminal activities and become more versatile in its tactics.

Furthermore, based on the timing and association with Emotet infections, Proofpoint researchers suspect that the creators of Emotet have partnered with IcedID operators to expand their activities. This partnership may include testing the new Lite variant of IcedID through existing Emotet infections.