A pair of threat groups are using a new variant of the pernicious IcedID malware in various email campaigns that began in February and employ Microsoft OneNote and other attachment types to drop the trojan.
IcedID has been in circulation for six years and many different threat actors have used it in that time; it is often seen in the same intrusions as the Emotet malware. The IcedID malware itself began as a banking trojan but has evolved over time into more of a general-purpose stealer. Until recently there was just one version of IcedID, but researchers have identified a new variant that shares some of the features and behaviors of the classic version while having a smaller footprint, and that has so far been used by only two threat groups. Researchers at Proofpoint uncovered the new variant, which they are calling IcedID Forked, last month and have seen it in a small number of campaigns.
“To date, Proofpoint has uncovered seven campaigns using the Forked IcedID variant. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID,” the researchers said in a post.
“As far as behavior is concerned, the Forked Loader functions the same as the Standard Loader. The goal is to send host info to the loader C2, then to gate the bot download. This gating mechanism is to ensure that only truly infected machines get the bot binary vs researchers or malware sandboxes. If the checks are passed, the C2 will return the encrypted bot and DLL loader which is where the real capabilities of the botnet emerge. The differences come within the binary itself by how the code is/was structured and how they obfuscate the sample.”
The use of Microsoft OneNote attachments in the IcedID Forked campaigns mimics what other threat actors have been doing with the classic IcedID malware for the last few months. While many attack groups have employed malicious Office documents for years as a delivery mechanism for malware, when Microsoft last year began blocking macros by default in Office, it forced attackers to move to other options. OneNote has emerged as a favorite replacement for Office docs in the last year or so, and the actors employing the IcedID Forked variant have adopted this tactic.
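Since the article names OneNote (.one) and .URL attachments as the delivery vehicles in these campaigns, a mail team may want a simple triage check over its gateway logs for those attachment types. The following is an added example (not from the article or from Proofpoint); the log format and every sample line are constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed sample mail-gateway log lines (not taken from the article).
SAMPLE_LOG = """\
2023-03-01T09:14:02Z msg_id=a1 from=billing@example.invalid attachments=Invoice_0392.one
2023-03-01T09:15:44Z msg_id=a2 from=hr@example.invalid attachments=Policy.pdf
2023-03-01T09:17:10Z msg_id=a3 from=ops@example.invalid attachments=Statement.URL,notes.txt
2023-03-01T09:18:31Z msg_id=a4 from=sales@example.invalid attachments=quote.pdf.ONE
2023-03-01T09:20:05Z msg_id=a5 from=it@example.invalid attachments=
"""

# Attachment types the article reports as carriers of the Forked IcedID loader.
SUSPECT_EXTENSIONS = {
    ".one": "OneNote attachment",
    ".url": "Internet shortcut (.URL) attachment",
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'key=value' style log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def suspect_attachments(attachments: str) -> List[str]:
    """Return one reason string per attachment whose final extension is suspect.

    Only the last extension is examined, case-insensitively, so a name such as
    'quote.pdf.ONE' is still flagged as a OneNote file."""
    reasons = []
    for name in filter(None, attachments.split(",")):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reason = SUSPECT_EXTENSIONS.get("." + ext)
        if reason:
            reasons.append(f"{name}: {reason}")
    return reasons


def flag_messages(log: str) -> Dict[str, List[str]]:
    """Map msg_id -> reasons for every message carrying a suspect attachment."""
    flagged = {}
    for line in log.splitlines():
        fields = parse_line(line)
        reasons = suspect_attachments(fields.get("attachments", ""))
        if reasons:
            flagged[fields["msg_id"]] = reasons
    return flagged


if __name__ == "__main__":
    for msg_id, reasons in flag_messages(SAMPLE_LOG).items():
        print(msg_id, reasons)
```

A hit is a triage signal, not a verdict: legitimate OneNote and shortcut files exist, so flagged messages should be reviewed or detonated rather than blocked outright on this check alone.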
Though IcedID first emerged as a banking trojan, the newer versions have eliminated the functionality that is used to steal banking information and have instead evolved to become conduits for other pieces of malware.
“Proofpoint anticipates that while many threat actors will continue to use the Standard variant, it is likely the new variants will continue to be used to facilitate additional malware attacks,” the researchers said.