Multiple threat actors have been observed using two new variants of the IcedID malware in the wild that offer more limited functionality, stripping out the features used for online banking fraud.
IcedID, also known as BokBot, started off as a banking trojan in 2017. It’s also capable of delivering additional malware, including ransomware.
“The well-known IcedID version consists of an initial loader which contacts a Loader [command-and-control] server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot,” Proofpoint said in a new report published Monday.
One of the new versions is a Lite variant that was previously highlighted as being dropped as a follow-on payload by the Emotet malware in November 2022. Also newly observed in February 2023 is a Forked variant of IcedID.
Both these variants are designed to drop what’s called a Forked version of IcedID Bot that leaves out the web injects and backconnect functionality that would typically be used for banking fraud, the enterprise security firm noted.
“It is likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery,” Proofpoint noted.
The February campaign has been tied to a new group christened TA581, with the threat actor distributing the Forked variant using weaponized Microsoft OneNote attachments. Another malware used by TA581 is the Bumblebee loader.
In all, the Forked IcedID variant has been employed in seven different campaigns to date, some of which have been undertaken by initial access brokers (IABs).
The use of existing Emotet infections to deliver the Lite variant has raised the possibility of a potential partnership between Emotet developers and IcedID operators.
“While historically IcedID’s main function was a banking trojan, the removal of banking functionality aligns with the overall landscape shift away from banking malware and an increasing focus on being a loader for follow-on infections, including ransomware,” the researchers said.