Two new variants of the infamous IcedID malware have been spotted, however both are lacking certain distinctive features, making security experts curious as to their purpose.
Cybersecurity researchers from Proofpoint revealed since February, they have been tracking two versions of IcedID, one called “Lite”, and the other called “Forked”.
Both come without the usual online banking fraud features, instead supposedly working more as a dropper for more elaborate campaigns.
Stealth malware tactics
Proofpoint says that it’s seen at least three different hacking groups using these two versions across seven campaigns since late last year. Apparently, these groups have been using IcedID as a stepping stone toward ransomware infections.
Why exactly threat actors decided to strip IcedID of its unique features remains unclear, but some reports have suggested that removing “unneeded” functions makes it stealthier and leaner, helping cybercriminals stay hidden for longer.
The way IcedID is delivered to victims also differs. In some cases, the attackers would distribute phishing emails with Microsoft OneNote attachments. In other cases, they’d use Emotet.
The researchers noted that the existence of two new variants does not mean the original malware is no longer being used.
As recently as March 10, 2023, some threat actors still choose to deploy what Proofpoint calls the “Standard” variant. The researchers believe most threat actors will still opt for the standard variant, even though Lite and Forked might gain some popularity this year.
IcedID is an old, modular banking trojan, usually used to deploy stage-two malware. So far, cybersecurity researchers have seen it used in countless campaigns, mostly used by access brokers to obtain, and later sell, access to high-value networks and endpoints.
One such group was TA551, a threat actor with no concrete ties to any nation-state. The group was seen selling access obtained via IcedID last April.
- Check out the best endpoint protection out there