The Evolution of IcedID: From Banking Fraud to Malware Delivery

Published March 31, 2023
Author: Ash Khan

New versions of IcedID no longer carry the capability for the usual online banking fraud. Instead, they concentrate on spreading more malware on compromised systems.

According to the cybersecurity website, three different threat actors have used these new variants in seven operations since late last year. All of these operations have the same primary objective: the distribution of additional payloads, most notably ransomware.

The IcedID launcher now comes in two new iterations, “Lite” and “Forked”. “Lite” was first observed in November 2022 and “Forked” was first noticed in February 2023. The security service website claims both versions deliver the same IcedID bot with a more condensed feature set.

A stealthier and leaner IcedID can help threat actors avoid detection. The malware has been used in numerous malicious operations since 2017 without many code modifications.

A fresh IcedID promotion

In November 2022, the recently resurrected Emotet ransomware delivered IcedID as a second-stage payload to compromised systems.

In February 2023, the “Forked” variant of the malware launcher first surfaced. It was widely disseminated through phishing emails with a customized billing theme, posing an email security problem for organizations everywhere.

These emails carried Microsoft Office 365 OneNote attachments containing malicious HTA files. The HTA files in turn ran PowerShell commands to retrieve IcedID from an external resource. At the same time, the target receives a decoy PDF.
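The delivery chain described above (OneNote attachment, then an HTA run by mshta.exe, then PowerShell fetching the loader) leaves a recognizable parent-process lineage in endpoint telemetry. The following is an added detection example, not code from the article or from Proofpoint; the process-creation events, process IDs, file names and paths are constructed for illustration.

```python
from collections import namedtuple

# Minimal shape of a process-creation event (image path and parent/child PIDs).
Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample telemetry (hypothetical PIDs, paths and file names).
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
          "ONENOTE.EXE invoice.one"),
    Event(300, 200, r"C:\Windows\System32\mshta.exe",
          r"mshta.exe C:\Users\user\AppData\Local\Temp\invoice.hta"),
    Event(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -c <download command redacted>"),
    # Benign PowerShell launched directly from the desktop shell: must not match.
    Event(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Get-Process"),
]

# The lineage to look for, oldest ancestor first.
CHAIN = ("onenote.exe", "mshta.exe", "powershell.exe")

def basename(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Image basenames from the given process up to the root (child first)."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names

def matches_chain(lineage, chain):
    """True if every step of 'chain' appears in 'lineage' in order (gaps allowed)."""
    it = iter(lineage)
    return all(any(name == step for name in it) for step in chain)

def find_suspicious(events, chain=CHAIN):
    """Return (pid, lineage) for each process whose ancestry matches the chain."""
    hits = []
    for e in events:
        if basename(e.image) != chain[-1]:
            continue
        lineage = list(reversed(ancestry(events, e.pid)))  # oldest first
        if matches_chain(lineage, chain):
            hits.append((e.pid, " -> ".join(lineage)))
    return hits
```

Running `find_suspicious(SAMPLE_EVENTS)` flags only PID 400; the same lineage logic can be pointed at real Sysmon or EDR process-creation data by mapping its fields onto `Event`.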

Researchers at the online security website noticed that IcedID “Forked” was distributed using false notifications from the U.S. FDA and the NHTSA.

It is essential to keep in mind that the “Standard” version of the IcedID malware is still deployed by some threat actors; one of the most recent campaigns using it dates from March 10, 2023.

The novel varieties

The “Forked” version of the IcedID loader bears a striking resemblance to the “Standard” version. Both have similar functionality: they transmit basic host data to the C2 and then fetch the IcedID bot.

However, the “Forked” payload is 12KB bigger than “Standard”, owing to the use of a different file format (COM Server) and the inclusion of domain and string-decryption code.

The “Lite” launcher version, on the other hand, is 20KB lighter and does not send host information to the C2. Given that it was installed alongside Emotet, which had already profiled the compromised system, this choice makes sense.

The “Forked” IcedID bot is 64KB smaller than the “Standard” bot. It is essentially the same malware as the “Standard” bot, minus the web-injects system, the AiTM features, and the backconnect capabilities that allow cybercriminals to remotely access compromised devices.

Considering that threat actors typically use IcedID for initial access, the emergence of new versions is concerning, as it suggests a change in the bot’s focus from banking fraud to payload delivery.

According to Proofpoint experts, most threat actors are expected to continue using the “Standard” variant. However, the new IcedID versions are expected to be deployed more frequently, and additional variants may appear later in 2023.