Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This devious malware looks like it has a whole load of new tricks up its sleeve

Unlocked padlock on a computer keyboard

Two new variants of the infamous IcedID malware have been spotted, however both are lacking certain distinctive features, making security experts curious as to their purpose.

Cybersecurity researchers from Proofpoint revealed since February, they have been tracking two versions of IcedID, one called “Lite”, and the other called “Forked”. 

Both come without the usual online banking fraud features, instead supposedly working more as a dropper for more elaborate campaigns.

Stealth malware tactics

Proofpoint says that it’s seen at least three different hacking groups using these two versions across seven campaigns since late last year. Apparently, these groups have been using IcedID as a stepping stone toward ransomware infections.

Why exactly threat actors decided to strip IcedID of its unique features remains unclear, but some reports have suggested that removing “unneeded” functions makes it stealthier and leaner, helping cybercriminals stay hidden for longer.

The way IcedID is delivered to victims also differs. In some cases, the attackers would distribute phishing emails with Microsoft OneNote attachments. In other cases, they’d use Emotet.

The researchers noted that the existence of two new variants does not mean the original malware is no longer being used.

As recently as March 10, 2023, some threat actors still choose to deploy what Proofpoint calls the “Standard” variant. The researchers believe most threat actors will still opt for the standard variant, even though Lite and Forked might gain some popularity this year.

IcedID is an old, modular banking trojan, usually used to deploy stage-two malware. So far, cybersecurity researchers have seen it used in countless campaigns, mostly used by access brokers to obtain, and later sell, access to high-value networks and endpoints. 

One such group was TA551, a threat actor with no concrete ties to any nation-state. The group was seen selling access obtained via IcedID last April.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.