A new variant of the IcedID banking trojan has been discovered that spreads via two new spam campaigns. These campaigns are hitting more than 100 detections a day.

What happened?

In mid-March, researchers from Kaspersky observed two new spam campaigns, in which the messages were written in English and had ZIP attachments or links leading to ZIP files.
  • The first campaign, named DotDat, was spreading ZIP attachments that claimed to be some sort of compensation claims or canceled operation with the names in a specific format.
  • The ZIP archives include a malicious MS Excel file with the same name. It downloads a malicious payload via a macro from a URL with the following format [host]/[digits].[digits].dat and runs it.
  • In the second campaign, spam emails included links to hacked websites with malicious archives named documents[.]zip0, doc-XX[.]zip, document-XX[.]zip where XX stands for two random digits.
  • Similar to the first campaign, the archives included an Excel file with a macro that downloaded the IcedID downloader. This spam campaign peaked in March and by April it slowed down.

The IcedID malware

IcedID consists of two parts: a downloader that sends some user information to the C&C and receives the main body, and the main body that is distributed as a shellcode hidden into a PNG image.
  • Moreover, IcedID authors changed the downloader. In the new version, attackers moved from x86 to an x86-64 version and removed fake C2s from the configuration.
  • In March, the largest number of users targeted by Ligooc (IcedID downloader) were spotted in China (15.88%), India (11.59%), Italy (10.73%), the U.S. (10.73%), and Germany (8.58%).


Along with increased infection attempts, IcedID operators made some modifications to the downloader as well. This suggests that attackers are improving and probably coming up with a new plan to target users globally. The best way to stay protected from such threats is to stay alert while receiving emails from unknown senders.

Cyware Publisher