Proofpoint catalogs three IcedID variants (Standard, Lite, and Forked) and notes a shift from banking-focused activity to payload delivery, including ransomware. It links the Forked variant to Emotet infections and to multiple threat actors (TA581, TA578, TA551, TA577, TA544) that deliver IcedID with reduced banking functionality. #IcedID #ForkedIcedID #LiteIcedID #Emotet #TA581 #TA578 #TA551 #TA577 #TA544
Key points
- Proofpoint identifies three IcedID variants: Standard, Lite, and Forked.
- Lite IcedID is described as a loader that does not exfiltrate host data in the loader checkin and acts as a bot with minimal functionality.
- Forked IcedID, observed since February 2023, is delivered by several campaigns and uses email attachments (including OneNote and URL attachments) to deliver the loader.
- The Forked variant removes banking functionality such as web injects and backconnect, suggesting a pivot toward payload delivery (including ransomware).
- TA582/TA581 and other actors are associated with IcedID delivery; TA578, TA551, TA577, and TA544 are cited as frequent associates of IcedID campaigns.
- Campaigns demonstrate diverse delivery chains (HTML attachments, HTA, OneNote, .URL) and multiple C2 configurations, indicating a broader ecosystem around IcedID variants.
- Proofpoint concludes the IcedID codebase is evolving with two new variants that may be used to facilitate follow-on malware infections alongside Emotet-linked activity.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The campaigns used email attachments, including OneNote attachments and the less commonly seen .URL attachments, which led to the Forked variant of IcedID. ‘The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments…’
- [T1059.001] PowerShell – The loader was downloaded and executed via PowerShell commands embedded in the delivery chain (for example, PowerShell downloader sequences). ‘The PowerShell command used to download and execute an IcedID loader.’
- [T1059.005] Visual Basic Script (VBScript) – VBScript was used to initiate a PowerShell command to download and execute the loader. ‘VBScript which initiated a PowerShell command to download and execute an IcedID loader.’
- [T1218.011] Rundll32 – The IcedID loader was executed with rundll32 using a non-standard export: PluginInit. ‘rundll32 using a non-standard export: “PluginInit”.’
- [T1059.001] PowerShell (HTA chain) – An HTA file initiated a PowerShell download-and-execute sequence. ‘The HTA file initiated a PowerShell command used to download and execute an IcedID loader.’
- [T1071.001] Web Protocols – The loader C2 communications and updates for the bot occur over HTTP/S endpoints. ‘The IcedID loader connected to the C2 server…’
- [T1105] Ingress Tool Transfer – Lite Loader downloads the next stage from a hardcoded domain/URI path. ‘The Lite Loader’s purpose is to download the next stage of the malware from a hardcoded domain and URI path.’
- [T1027] Obfuscated/Compressed Files and Information – The Forked Loader decrypts strings that exist in plaintext in the Lite Loader, and its loader configuration is also decrypted at runtime. ‘decrypts strings that originally just existed in the Lite Loader.’
Indicators of Compromise
- [Domain] IcedID loader/C2 domains – ehonlionetodo[.]com, samoloangu[.]com, and additional IcedID-related domains used for loader/bot configuration.
- [Domain] Involved loader/bot domains – sanoradesert[.]com, steepenmount[.]com, guidassembler[.]com, renomesolar[.]com, palasedelareforma[.]com, noosaerty[.]com (examples of C2/bot domains).
- [IP] C2 endpoints – 193[.]37[.]69[.]107 and 5[.]61[.]34[.]46 used in passive DNS/C2 activity associated with handsinworld and tourdeworldsport domains.
- [URL] Staging/Loader URLs – hxxp[://]104[.]156[.]149[.]6/webdav/c2[.]dll (Lite Loader staging); hxxp[://]lepriconloots[.]com/botpackn1[.]dat (Lite Loader/botpack staging); hxxp[://]94[.]131[.]11[.]141/webdav/Labels_FDA_toCheck[.]bat (URL payload).
- [SHA256] Sample/file hashes – dc51b5dff617f4da2457303140ff1225afc096e128e7d89454c3fa9a6883585c, 7c8b3b8cf2b721568b96f58e5994b8ddb8990cd05001be08631ade7902ae6262, fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe (and other IcedID-related samples listed).
- [SHA256] Botpack/bot/loader files – 03fdf03c8f0a0768940c793496346253b7ccfb7f92028d3281b6fc75c4f1558e (HTA), 9bf40256fb7f0acac020995a3e9a231d54a6b14bb421736734b5815de0d3ba53 (WSF), 7c8b3b8cf2b7… (Botpackn1.dat).