This devious malware looks like it has a whole load of new tricks up its sleeve

Unlocked padlock on a computer keyboard
(Image credit: Unsplash / Fly:D)

Two new variants of the infamous IcedID malware have been spotted, however both are lacking certain distinctive features, making security experts curious as to their purpose.

Cybersecurity researchers from Proofpoint revealed since February, they have been tracking two versions of IcedID, one called “Lite”, and the other called “Forked”. 

Both come without the usual online banking fraud features, instead supposedly working more as a dropper for more elaborate campaigns.

Stealth malware tactics

Proofpoint says that it’s seen at least three different hacking groups using these two versions across seven campaigns since late last year. Apparently, these groups have been using IcedID as a stepping stone toward ransomware infections.

Why exactly threat actors decided to strip IcedID of its unique features remains unclear, but some reports have suggested that removing “unneeded” functions makes it stealthier and leaner, helping cybercriminals stay hidden for longer.

The way IcedID is delivered to victims also differs. In some cases, the attackers would distribute phishing emails with Microsoft OneNote attachments. In other cases, they’d use Emotet.

The researchers noted that the existence of two new variants does not mean the original malware is no longer being used.

As recently as March 10, 2023, some threat actors still choose to deploy what Proofpoint calls the “Standard” variant. The researchers believe most threat actors will still opt for the standard variant, even though Lite and Forked might gain some popularity this year.

IcedID is an old, modular banking trojan, usually used to deploy stage-two malware. So far, cybersecurity researchers have seen it used in countless campaigns, mostly used by access brokers to obtain, and later sell, access to high-value networks and endpoints. 

One such group was TA551, a threat actor with no concrete ties to any nation-state. The group was seen selling access obtained via IcedID last April.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.