An email campaign has been discovered to be using malicious Excel attachments and Excel 4 macros to deliver the IcedID trojan. The trojan shares some similarities with Emotet and originally was used to steal financial information. The trojan is now used as a dropper for other malware.
The new campaign
According to researchers at Uptycs, the trojan has been spreading at an increasingly high rate and volume, due to a spate of email campaigns using Microsoft Excel spreadsheet file attachments.
- In the first three months of this year, more than 15,000 HTTP requests from more than 4,000 malicious documents were flagged, and 93% were Microsoft Excel spreadsheets using the extensions .XLSM or .XLS.
- If the malicious file is opened, the targets would be asked to enable content to view the message. Enabling the content leads to the execution of embedded Excel 4 macro formulas.
- The XLSM format supports embedding Excel 4.0 macros. Attackers abuse this functionality to embed arbitrary commands in the document's formulas, which download a malicious payload from a remote URL once the macro runs.
- The documents used in the recent campaign contained business-related subjects, such as overdue, claim or complaint, and compensation claim, with a random series of numbers.
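The mechanism described above (an .xlsm carrying Excel 4.0 macro formulas that run as soon as content is enabled) can be triaged statically at a mail gateway, because an .xlsm is an OOXML zip and XLM macro sheets are stored as their own parts under xl/macrosheets/. The following is an added example, not code from the article or from the Uptycs research: it inspects a container for well-known XLM indicators (a macro sheet part, an Auto_Open defined name, a veryHidden sheet, and EXEC/CALL-style formulas). The two sample containers are constructed inline, hold only the parts this script reads (they are not files Excel would open), and the EXEC() argument is a placeholder string; the function and indicator names are the author's own choices.

```python
"""Static triage of an .xlsm attachment for Excel 4.0 (XLM) macro indicators.

Added example, not from the article: an .xlsm is an OOXML zip and XLM macro
sheets live under xl/macrosheets/. The heuristics used (macro sheet part,
Auto_Open defined name, veryHidden sheet, EXEC/CALL-style formulas) are
common triage indicators, not findings quoted from the page.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Excel 4.0 functions a downloader/runner macro typically needs.
SUSPICIOUS_RE = re.compile(r"\b(EXEC|CALL|REGISTER|FORMULA|URLDOWNLOADTOFILEA?)\b", re.I)
# Defined names that make Excel run a macro sheet as soon as content is enabled.
AUTO_NAMES = ("auto_open", "auto_close", "auto_activate")


def _local(tag: str) -> str:
    """Strip the namespace prefix from an ElementTree tag ('{ns}c' -> 'c')."""
    return tag.rsplit("}", 1)[-1]


def triage_xlsm(data: bytes) -> dict:
    """Return XLM macro indicators found in an OOXML (.xlsm/.xlsx) container."""
    findings = {"container": "ooxml", "macrosheets": [], "auto_names": [],
                "hidden_sheets": [], "suspicious_formulas": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .xls is a BIFF/OLE2 file, not a zip; it needs a different parser.
        findings["container"] = "not-ooxml"
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["macrosheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(z.read("xl/workbook.xml")).iter():
                tag = _local(el.tag)
                if tag == "definedName" and el.get("name", "").lower() in AUTO_NAMES:
                    findings["auto_names"].append((el.get("name"), (el.text or "").strip()))
                elif tag == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((el.get("name"), el.get("state")))
        for part in findings["macrosheets"]:
            for cell in ET.fromstring(z.read(part)).iter():
                if _local(cell.tag) != "c":
                    continue
                # A cell's formula text is in its <f> child; <v> holds the cached value.
                f = next((ch for ch in cell if _local(ch.tag) == "f"), None)
                if f is not None and f.text and SUSPICIOUS_RE.search(f.text):
                    findings["suspicious_formulas"].append((part, cell.get("r"), f.text))
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into a triage label for a gateway or sandbox queue."""
    if findings["container"] != "ooxml":
        return "unsupported-container"
    if findings["macrosheets"]:
        return "xlm-macro"  # any XLM macro sheet in business mail merits detonation
    return "clean"


def _zip_parts(parts: dict) -> bytes:
    """Pack name -> XML string pairs into an in-memory zip (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def build_sample_xlsm() -> bytes:
    """Constructed sample: only the parts this triage reads, with a veryHidden
    XLM sheet, an Auto_Open name and an EXEC() formula whose argument is a
    placeholder."""
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Invoice" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
        '<definedNames><definedName name="Auto_Open">Macro1!$A$1</definedName></definedNames>'
        '</workbook>')
    macrosheet = (
        '<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
        '<sheetData><row r="1"><c r="A1"><f>EXEC("PLACEHOLDER_COMMAND")</f></c></row>'
        '<row r="2"><c r="A2"><f>HALT()</f></c></row></sheetData></xm:macrosheet>')
    return _zip_parts({"xl/workbook.xml": workbook, "xl/macrosheets/sheet1.xml": macrosheet})


def build_benign_sample() -> bytes:
    """Constructed sample: a plain workbook with no macro sheet."""
    workbook = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                '<sheets><sheet name="Sheet1" sheetId="1"/></sheets></workbook>')
    return _zip_parts({"xl/workbook.xml": workbook})


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_xlsm()), ("benign", build_benign_sample())):
        result = triage_xlsm(blob)
        print(label, verdict(result), result)
```

The script treats any XLM macro sheet as worth a sandbox detonation rather than trying to decode the formulas, since XLM downloaders are routinely obfuscated across cells and the presence of the macro sheet plus an Auto_Open name is the reliable signal. Legacy .xls attachments (the other extension named in the campaign) are BIFF/OLE2 files, not zips, and fall through as unsupported here.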
Recent activity of IcedID trojan
Since the global takedown effort to stop Emotet, a massive increase has been observed in IcedID infections. The trojan is active and being used as a dropper to spread other malicious threats in various campaigns.
- Recently, IcedID has been reported to be used by the UNC2198 threat group in Maze and Egregor ransomware operations.
- In January, TA551 was observed pushing IcedID malware in an email-based malware distribution campaign.
IcedID is highly efficient at its job of dropping other malware, which has put significant pressure on security teams. As its operators keep getting smarter, they can be expected to continue improving their malware, making it more sophisticated and deadly. Therefore, security teams are required to take immediate steps to keep a check on the IcedID malware before it causes any havoc.