- Aug 17, 2014
- 11,074
New IcedID variants have been found without the usual online banking fraud functionality and instead focus on installing further malware on compromised systems.
According to Proofpoint, these new variants have been used by three distinct threat actors in seven campaigns since late last year, with the focus on delivering further payloads, most notably ransomware.
Proofpoint has identified two new variants of the IcedID loader, namely “Lite” (first seen in November 2022) and “Forked” (first observed in February 2023), both delivering the same IcedID bot with a narrower feature set.
Starting in November 2022, the “Lite” variant of the IcedID loader was delivered as a second-stage payload on systems infected by the newly returned Emotet malware.
The “Forked” version of the malware loader first appeared in February 2023, distributed directly through thousands of personalized invoice-themed phishing emails.
These messages used Microsoft OneNote attachments (.one) to execute a malicious HTA file that, in turn, runs a PowerShell command which fetches IcedID from a remote resource. At the same time, the victim is served a decoy PDF.
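The OneNote → HTA → PowerShell chain above is visible in process-creation telemetry. As an added example (not from the article or from Proofpoint), the following walks the parent chain of each process in a set of constructed, Sysmon-like events and flags PowerShell whose ancestry is mshta.exe spawned by ONENOTE.EXE; the field layout, paths and command lines are assumptions made for the demo.

```python
# Added example: flag the OneNote -> HTA -> PowerShell chain in constructed
# process-creation events. Records mimic Sysmon Event ID 1 fields but are
# made up for this demo; paths and command lines are placeholders.

# Constructed sample events: (pid, parent pid, image name, command line)
SAMPLE_EVENTS = [
    (400, 1, "explorer.exe", "explorer.exe"),
    (512, 400, "ONENOTE.EXE", "ONENOTE.EXE C:\\Users\\u\\Downloads\\invoice.one"),
    (640, 512, "mshta.exe", "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.hta"),
    (701, 640, "powershell.exe", "powershell.exe -w hidden -enc BASE64PLACEHOLDER"),
    (702, 640, "AcroRd32.exe", "AcroRd32.exe decoy.pdf"),
    (800, 400, "powershell.exe", "powershell.exe -File backup.ps1"),  # benign admin use
]

# Ancestry pattern to match, listed from the child upward through its parents.
SUSPICIOUS_CHAIN = ("powershell.exe", "mshta.exe", "onenote.exe")


def build_index(events):
    """Map pid -> (ppid, lowercase image name) for ancestry walks."""
    return {pid: (ppid, image.lower()) for pid, ppid, image, _ in events}


def ancestry(index, pid, depth=5):
    """Return lowercase image names from pid upward, nearest parent first."""
    chain = []
    while pid in index and len(chain) < depth:
        ppid, image = index[pid]
        chain.append(image)
        pid = ppid
    return chain


def find_onenote_chains(events, pattern=SUSPICIOUS_CHAIN):
    """Return (pid, cmdline) for every process whose nearest ancestors
    match the pattern exactly, e.g. powershell <- mshta <- onenote."""
    index = build_index(events)
    hits = []
    for pid, _, _, cmdline in events:
        if tuple(ancestry(index, pid, depth=len(pattern))) == pattern:
            hits.append((pid, cmdline))
    return hits


if __name__ == "__main__":
    for pid, cmdline in find_onenote_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {cmdline}")
```

Only the PowerShell launched under mshta.exe under ONENOTE.EXE is reported; the decoy PDF reader and the administrator's PowerShell session are left alone.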
New IcedID variants shift from bank fraud to malware delivery
www.bleepingcomputer.com