It has recently the Microsoft 365 Defender Threat Intelligence Team has detected that malicious actors are deploying the IcedID info-stealer malware via authentic corporate contact forms to trap victims in phishing campaigns.
The IcedID banking Trojan:
The IcedID malware is a modular banking malware that has been in malware operations since at least 2017.
To the unaware, modular malware is a sophisticated type of attack that launches in stages and adapts itself by inspecting the victim’s environment and security defenses.
The particular IcedID modular banking trojan has been updated to also deploy second-stage malware payloads, including Trickbot, Qakbot, and the Ryuk ransomware.
In this peculiar case, the malware has been evidently attacking organizations and enterprises with lawsuits by using legitimate contact forms to deploy the IcedID malware.
Mal-abilities of the malware:
The malware perpetrators can potentially exploit the IcedID infected device to download supplementary malware modules, exfiltrate sensitive data including credit cards and other financial details.
It can also move laterally into the infected device’s network and systems to exploit more devices by deploying payloads.
Microsoft 365 Defender Threat Intelligence Team analysis:
The phishing campaign that was being utilized to spread the malware was detected by the Microsoft 365 Defender Threat Intelligence Team.
Detailing the IcedID malware, they have observed that the malware can bypass the contact forms CAPTCHA protection to flood enterprises with an onslaught of phishing emails.
“This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections,” noted the Microsoft threat analysis.
By employing the phishing method to spread the malware, the malicious actors can evade an organization’s email security gateways thus improving the likelihood that the phishing email will reach a target’s inbox instead of getting flagged and sent to the spam folder.
If not the above method, the malicious actors also threaten victim enterprises with probable legal actions for copyright infringements to make them click on malicious, integrated links that route them to IcedID payloads.
When a victim receives such a ‘legal notice’ via email, they are instructed to click on the malicious link to review the “evidence” for the copyright claim and are redirected to Google Sites-hosted website that they use to deliver the IcedID malware.
Victims are subsequently instructed to log into their respective Google accounts to view the actual evidence.
Once logged in, an archive containing a heavily obfuscated .js-based downloader is downloaded on their computers.
An IcedID payload and a Cobalt Strike beacon are then downloaded on the victim’s device using WScript and Powershell.
The Microsoft analysis also provides that such a phishing campaign can spread not only the IcedID malware but can also “be used to distribute a wide range of other malware, which can, in turn, introduce other threats to the enterprise.”
Other security experts are of the opinion that IcedID has shown an evident surge in mal-activities since the successful disruption of Emotet’s network back in January 2021.