
IcedID Takes a New Turn: New Variants Prioritize Payload Delivery

Proofpoint has reported new variants of the IcedID malware that drop the online banking fraud functionality and concentrate on delivering further payloads. Three distinct threat actors have used these variants in seven campaigns since late 2022, with ransomware the most notable follow-on payload.

Taking it Lite

  • The first variant, named IcedID Lite, was observed in November 2022, delivered as a second-stage payload on systems already infected with Emotet.
  • Its loader uses a hardcoded URL to download a “Bot Pack” file with the static name botpack.dat, which contains the IcedID loader DLL.
  • The Lite loader skips the usual loader check-in: it does not send information about the infected host to a loader C2 server before fetching the payload.

And then it gets Forked

  • Since February, the newly tracked TA581 threat group has been using a Forked variant of IcedID that lacks the banking fraud functionality, such as web injects and backconnect.
  • TA581 appears to operate as an initial access broker and is also known to distribute the Bumblebee malware.
  • The Forked IcedID campaigns lure victims with Microsoft OneNote attachments and with unusual attachments carrying the .URL extension.
  • Unlike Lite, the Forked variant uses the standard IcedID loader, which contacts a loader C2 server to download the bot DLL.
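The two delivery chains above leave hunt-able traces: the Lite loader fetches a file with the static name botpack.dat from a hardcoded URL, and the Forked campaigns arrive as OneNote (.one) and Internet Shortcut (.URL) attachments. The script below is an added example written for this page, not code from Proofpoint or Cyware. It assumes proxy logs with one request per line in the form "<timestamp> <client_ip> <method> <url> <status>", assumes the .URL lures are ordinary Windows Internet Shortcut (INI-style) files, and uses constructed sample data throughout.

```python
"""Hunting helpers for the IcedID Lite and Forked delivery chains.

Added example, not Proofpoint's or Cyware's code. Assumptions: proxy logs are
one request per line as "<ts> <client_ip> <method> <url> <status>", and the
.URL lures are ordinary Windows Internet Shortcut (INI-style) files.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass
from pathlib import PurePosixPath
from urllib.parse import urlparse

# The Lite loader downloads a "Bot Pack" with this static file name (from the report).
BOTPACK_NAME = "botpack.dat"

# Attachment types used as lures in the Forked campaigns (from the report).
LURE_EXTENSIONS = {".one", ".url"}

# Constructed sample proxy log, not real telemetry. The hostnames/IPs are placeholders.
SAMPLE_PROXY_LOG = """\
2023-03-01T10:02:11Z 10.1.4.22 GET http://cdn.example.net/static/app.js 200
2023-03-01T10:02:19Z 10.1.4.22 GET http://203.0.113.10/updates/BotPack.dat 200
2023-03-01T10:03:40Z 10.1.4.31 GET http://files.example.org/docs/report.pdf 200
2023-03-01T10:05:02Z 10.1.4.22 GET http://203.0.113.10/botpack.dat?x=1 404
"""

# Constructed sample attachments (name -> raw bytes), not real lures.
SAMPLE_ATTACHMENTS = {
    "invoice.one": b"\xe4R\\{\x8c\xd8\xa7M\xae\xb1S\x78\xd0\x29\x96\xd3",
    "Document.URL": b"[InternetShortcut]\nURL=http://203.0.113.10/docs/view\n",
    "notes.txt": b"plain text, nothing to see",
}


@dataclass(frozen=True)
class ProxyHit:
    timestamp: str
    client_ip: str
    url: str
    status: int


def scan_proxy_log(log_text: str) -> list[ProxyHit]:
    """Return requests whose URL path ends in botpack.dat (case-insensitive).

    Only the path component is compared, so query strings and port numbers
    cannot hide a hit. The HTTP status is kept so a 200 (successful download)
    can be prioritised over a 404 (attempted fetch after the payload was pulled).
    """
    hits: list[ProxyHit] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip it rather than abort the hunt
        ts, client, _method, url, status = parts
        path = urlparse(url).path
        if PurePosixPath(path).name.lower() == BOTPACK_NAME:
            hits.append(ProxyHit(ts, client, url, int(status)))
    return hits


def parse_internet_shortcut(content: str) -> str | None:
    """Extract the URL= target from a Windows .URL (InternetShortcut) file.

    Returns None when the content is not a parsable InternetShortcut file.
    """
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(content)
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def triage_attachments(attachments: dict[str, bytes]) -> dict[str, str]:
    """Map each attachment name that matches a lure type to a reason string.

    .one files are flagged on extension alone; .url files are flagged and
    their target is reported so an analyst can pivot to the proxy log.
    """
    flagged: dict[str, str] = {}
    for name, data in attachments.items():
        ext = PurePosixPath(name.lower()).suffix
        if ext not in LURE_EXTENSIONS:
            continue
        if ext == ".one":
            flagged[name] = "OneNote attachment (lure type used by Forked IcedID campaigns)"
            continue
        target = parse_internet_shortcut(data.decode("utf-8", "replace"))
        if target is None:
            flagged[name] = ".URL attachment with no parsable InternetShortcut target"
        else:
            flagged[name] = f".URL attachment pointing to {target}"
    return flagged


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"botpack.dat fetch: {hit.client_ip} -> {hit.url} (HTTP {hit.status})")
    for name, reason in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {reason}")
```

Matching on the file name rather than the full hardcoded URL is deliberate: the report says the URL is static per sample, but it is not published here, and infrastructure rotates between builds while the botpack.dat name is the more durable indicator. A 404 for the same name from the same host is still worth a ticket, since it usually means the client ran the loader after the operator pulled the payload.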

Why this matters

The new variants indicate that significant effort is going into the future of IcedID. 
  • The researchers surmise that a cluster of threat actors is employing customized versions of IcedID to shift the malware's focus from traditional banking trojan and fraud operations toward delivering payloads, with a possible emphasis on ransomware distribution.
  • Furthermore, by analyzing the codebase, timeline, and correlation with Emotet infections, researchers speculate that the original creators of Emotet may have teamed up with IcedID operators to broaden their operations.
  • This partnership may involve experimenting with the Lite variant that possesses distinctive and innovative features, and is presumably being tested via current Emotet infections.

The bottom line

The discovery of new variants of the IcedID malware, with a different focus on payload delivery, highlights the evolving tactics of threat actors in the cyber landscape. The use of customized versions underscores the need for continued vigilance and proactive measures to safeguard against these emerging threats.
Publisher: Cyware