A new variant of the IcedID banking trojan has been discovered that spreads via two new spam campaigns. Together these campaigns are generating more than 100 detections a day.
What happened?
In mid-March, researchers from Kaspersky observed two new spam campaigns, in which the messages were written in English and had ZIP attachments or links leading to ZIP files.
The first campaign, named DotDat, spread ZIP attachments posing as compensation claims or notices of a cancelled operation, with file names that followed a specific format.
Each ZIP archive contains a malicious MS Excel file of the same name. Its macro downloads a malicious payload from a URL of the form [host]/[digits].[digits].dat and runs it.
In the second campaign, spam emails included links to hacked websites hosting malicious archives named documents[.]zip0, doc-XX[.]zip, or document-XX[.]zip, where XX stands for two random digits.
As in the first campaign, the archives contained an Excel file with a macro that downloaded the IcedID downloader. This spam campaign peaked in March and slowed down by April.
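The two lure patterns above (the [digits].[digits].dat download path and the documents/doc-XX/document-XX archive names) are simple enough to check for in proxy or mail-gateway logs. The following is an added example written for this summary, not Kaspersky's code; the log line format and the hosts in the sample lines are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Hypothetical detection helpers (added example) for the two lure patterns the
# report describes:
#  1. macro download URLs shaped like [host]/[digits].[digits].dat
#  2. archive names documents.zip0, doc-XX.zip, document-XX.zip (XX = two digits)
# "documents.zip0" is reproduced exactly as the report gives it.
PAYLOAD_PATH_RE = re.compile(r"^/\d+\.\d+\.dat$")
ARCHIVE_NAME_RE = re.compile(
    r"^(?:documents\.zip0|doc-\d{2}\.zip|document-\d{2}\.zip)$", re.IGNORECASE
)

def is_dotdat_payload_url(url: str) -> bool:
    """True if the URL path matches the [digits].[digits].dat download pattern."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(PAYLOAD_PATH_RE.match(parsed.path))

def is_suspicious_archive_name(name: str) -> bool:
    """True if an attachment or URL file name matches the second campaign's naming."""
    # Strip any directory component so both attachment names and URL paths work.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return bool(ARCHIVE_NAME_RE.match(base))

def scan_proxy_log(lines):
    """Return (line_no, url, reason) for lines worth an analyst's attention.
    Assumed (constructed) line format: '<timestamp> <client_ip> <url>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        if is_dotdat_payload_url(url):
            hits.append((n, url, "dotdat-payload-url"))
        elif is_suspicious_archive_name(urlparse(url).path):
            hits.append((n, url, "icedid-archive-name"))
    return hits

# Constructed sample log lines; hosts are placeholders, not real indicators.
SAMPLE_LOG = [
    "2021-03-15T10:02:11Z 10.0.0.5 http://example.invalid/3421.1.dat",
    "2021-03-15T10:02:40Z 10.0.0.5 https://example.invalid/static/report.pdf",
    "2021-03-15T10:05:02Z 10.0.0.9 https://lure.example.invalid/files/doc-57.zip",
    "2021-03-15T10:06:18Z 10.0.0.9 https://lure.example.invalid/files/document-7.zip",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The fourth sample line is deliberately left unflagged: "document-7.zip" has only one digit, so it falls outside the naming the report documents.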
The IcedID malware
IcedID consists of two parts: a downloader that sends some user information to the C&C and receives the main body, and the main body itself, which is distributed as shellcode hidden in a PNG image.
The IcedID authors have also changed the downloader. In the new version, they moved from x86 to an x86-64 build and removed the fake C2s from the configuration.
In March, the largest number of users targeted by Ligooc (IcedID downloader) were spotted in China (15.88%), India (11.59%), Italy (10.73%), the U.S. (10.73%), and Germany (8.58%).
Conclusion
Along with the increase in infection attempts, the IcedID operators have modified the downloader as well. This suggests the attackers are refining their tooling and probably preparing a new plan to target users globally. The best way to stay protected from such threats is to remain alert when receiving emails from unknown senders.