Spam Downpour Drips New IcedID Banking Trojan Variant


Level 75
Content Creator
Malware Hunter
Aug 17, 2014
Researchers have seen a new variant of the IcedID banking trojan sliding in via two new spam campaigns.

Written in English and carrying ZIP files full of the malware – or links to such ZIP files – the new twist on the old banking trojan is a tweaked downloader, which the threat actors moved from the initial x86 version to the latest: an x86-64 version. They also ditched the fake command-and-control (C2s, aka C&Cs) that were found in the earlier configuration and which were likely there to complicate malware analysis, researchers said.

In an advisory posted on Thursday, Kaspersky researchers said that they spied the new spam campaigns – both of which were designed to deliver banking trojans – in mid-March. Most of the payloads the researchers collected were IcedID (Trojan-Banker.Win32.IcedID), but they also came across a few samples of the Qbot banking trojan (Backdoor.Win32.Qbot, aka QakBot).