A new variant of the IcedID banking trojan has been discovered that spreads via two new spam campaigns. These campaigns are hitting more than 100 detections a day.
In mid-March, researchers from Kaspersky observed two new spam campaigns, in which the messages were written in English and had ZIP attachments or links leading to ZIP files.
The first campaign, named DotDat, was spreading ZIP attachments that claimed to be some sort of compensation claims or canceled operation with the names in a specific format.
The ZIP archives include a malicious MS Excel file with the same name. It downloads a malicious payload via a macro from a URL with the following format [host]/[digits].[digits].dat and runs it.
In the second campaign, spam emails included links to hacked websites with malicious archives named documents[.]zip0, doc-XX[.]zip, document-XX[.]zip where XX stands for two random digits.
Similar to the first campaign, the archives included an Excel file with a macro that downloaded the IcedID downloader. This spam campaign peaked in March and by April it slowed down.
The IcedID malware
IcedID consists of two parts: a downloader that sends some user information to the C&C and receives the main body, and the main body that is distributed as a shellcode hidden into a PNG image.
Moreover, IcedID authors changed the downloader. In the new version, attackers moved from x86 to an x86-64 version and removed fake C2s from the configuration.
In March, the largest number of users targeted by Ligooc (IcedID downloader) were spotted in China (15.88%), India (11.59%), Italy (10.73%), the U.S. (10.73%), and Germany (8.58%).
Along with increased infection attempts, IcedID operators made some modifications to the downloader as well. This suggests that attackers are improving and probably coming up with a new plan to target users globally. The best way to stay protected from such threats is to stay alert while receiving emails from unknown senders.