"Three Variants of IcedID Malware Discovered"

Security researchers at Proofpoint have discovered three variants of the banking Trojan IcedID in the wild. They share a common code base but differ in several key ways.

The first, the Standard variant, is the most commonly observed and was first seen in 2017. Its initial loader contacts a Loader command-and-control (C2) server and downloads a DLL Loader, which then delivers the IcedID bot.

The researchers noted that they discovered the IcedID Lite variant in November 2022 as part of an Emotet campaign by TA542. It contains a static URL for downloading a "Bot Pack" file with a static name; that file yields the IcedID Lite DLL Loader, which in turn delivers the Forked version of the IcedID bot. The Forked bot leaves out the web injects and backconnect functionality that would typically be used for banking fraud.

The third variant was observed in a series of seven campaigns in February 2023. It was distributed by TA581 and one unattributed threat activity cluster, both acting as initial access facilitators. The campaigns used a variety of email attachments, including Microsoft OneNote attachments and the comparatively rare .URL attachments, which led to the Forked variant of IcedID. According to the researchers, the IcedID Forked Loader observed in February 2023 is closer to the Standard IcedID Loader, since it contacts a Loader C2 server to fetch both the DLL loader and the bot. That DLL loader shares artifacts with the Lite Loader and also loads the Forked IcedID bot.

According to Proofpoint, the new variants suggest that considerable effort is going into the future of IcedID and its code base.


Infosecurity reports: "Three Variants of IcedID Malware Discovered"
