Three new variants of the banking Trojan known as IcedID have been discovered in the wild, featuring a common code base but with several key differences.
Security researchers at Proofpoint described the malware samples in an advisory published earlier today, which names them Standard, Lite and Forked IcedID variants respectively.
The first variant is the most commonly observed in the wild and was first discovered in 2017. This Standard variant contains an initial loader that contacts a Loader command and control (C2) server and downloads a DLL Loader, which then delivers the IcedID bot.
The IcedID Lite variant, on the other hand, was discovered by Proofpoint in November 2022 as part of an Emotet campaign by TA542.
“[It] contains a static URL to download a ‘Bot Pack’ file with a static name [...] which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the web injects and back connect functionality that would typically be used for banking fraud,” reads the advisory, written by Pim Trouerbach, Kelsey Merriman and Joe Wise.
The third variant observed by the team was discovered in a series of seven campaigns in February 2023.
“This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators,” wrote Trouerbach, Merriman and Wise. “The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID.”
According to the security researchers, the IcedID Forked Loader observed in February 2023 is more similar to the Standard IcedID Loader as it contacts a Loader C2 server to fetch both the DLL loader and the bot.
“That DLL loader has similar artifacts to the Lite Loader and also loads the Forked IcedID Bot,” they explained.
According to Proofpoint, the new variants hint that considerable effort is going into the future of IcedID and its codebase.
“While historically IcedID’s main function was a banking Trojan, the removal of banking functionality aligns with the overall landscape shift away from banking malware and an increasing focus on being a loader for follow-on infections, including ransomware,” the advisory concludes. “While many threat actors will continue to use the Standard variant, it is likely the new variants will continue to be used to facilitate additional malware attacks.”