
Fork in the Ice: The New Era of IcedID


Key Findings

  • Proofpoint is tracking new variants of IcedID used by at least three threat actors.
  • Initial analysis suggests this is a forked version with potentially a separate panel for managing the malware.
  • While much of the code base is the same, there are several key differences.
  • One key difference is the removal of banking functionality such as web injects and backconnect.
  • Proofpoint researchers hypothesize the original operators behind Emotet are using an IcedID variant with different functionality.

Overview

Proofpoint researchers have observed and documented, for the first time, three distinct variants of the malware known as IcedID. Proofpoint calls the two new variants recently identified “Forked” and “Lite” IcedID. This report details the following variants of IcedID:

  • Standard IcedID Variant – The variant most commonly observed in the threat landscape and used by a variety of threat actors.
  • Lite IcedID Variant – New variant first observed as a follow-on payload in November 2022 Emotet infections; its loader does not exfiltrate host data in the check-in, and it delivers a bot with minimal functionality.
  • Forked IcedID Variant – New variant first observed by Proofpoint researchers in February 2023 and used by a small number of threat actors; it also delivers the bot with minimal functionality.

IcedID is malware originally classified as banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. As previously published, historically there has been just one version of IcedID, which has remained constant since 2017. The well-known IcedID version consists of an initial loader that contacts a Loader C2 server and downloads the standard DLL Loader, which then delivers the standard IcedID Bot.

In November 2022, Proofpoint researchers observed the first new variant of IcedID Proofpoint dubbed “IcedID Lite” distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.

The IcedID Lite Loader observed in November 2022 contains a static URL to download a “Bot Pack” file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.

Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. To date, Proofpoint has uncovered seven campaigns using the Forked IcedID variant. This variant was distributed by TA581 and one unattributed threat activity cluster, both of which acted as initial access facilitators. The campaigns used a variety of email attachments, such as Microsoft OneNote attachments and the comparatively rare .URL attachments, which led to the Forked variant of IcedID.

The IcedID Forked Loader, first observed in February 2023, is more similar to the Standard IcedID Loader in that it contacts a Loader C2 server to retrieve the DLL loader and bot. That DLL loader has similar artifacts to the Lite Loader, and also loads the Forked IcedID Bot.

The following picture shows the high-level overview of the various IcedID variants Proofpoint researchers have identified.

Figure 1: Overview of the three IcedID variants.

Threat Actor Details

Proofpoint has identified hundreds of IcedID campaigns from 2022 through 2023, and at least five threat actors were observed directly distributing this malware in campaigns since 2022. Nearly all threat actors and unattributed threat activity clusters use the Standard IcedID variant. Proofpoint considers most of these threat actors to be initial access brokers that facilitate infections leading to ransomware.

Proofpoint continues to see all variants of the IcedID malware in campaign data, so researchers assess with high confidence that the changes detailed below are not direct upgrades to the Standard IcedID codebase. It is likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery. Additionally, based on artifacts observed in the codebase, timing and association with Emotet infections, Proofpoint researchers suspect the initial developers of Emotet have partnered with IcedID operators to expand their activities including using the new Lite variant of IcedID that has different, unique functionality and likely testing it via existing Emotet infections.

The Lite IcedID variant has only been observed following TA542 Emotet infections, but Proofpoint cannot definitively attribute the Lite variant to TA542 as follow-on infections are typically outside of researchers’ visibility. The following are threat actors frequently associated with IcedID.

TA578 – Proofpoint has observed TA578 deliver IcedID in campaigns since June 2020. Typically, this actor uses email themes such as “stolen images” or “copyright violation” to deliver malware. In addition to IcedID, TA578 also frequently conducts campaigns delivering Bumblebee malware. TA578 uses the Standard IcedID variant.

TA551 – Proofpoint has observed TA551 deliver IcedID in campaigns since November 2018. This actor usually uses thread hijacking to deliver attached files, including Word documents, PDFs and, recently, OneNote documents. TA551 has used multiple malware types, with recent payloads including IcedID, SVCReady, and Ursnif. TA551 uses the Standard IcedID variant.

TA577 – Proofpoint has observed TA577 use IcedID in limited campaigns since February 2021. This actor typically uses thread hijacking to deliver malware, with Qbot being TA577’s preferred payload. However, Proofpoint has observed IcedID delivered by TA577 in six campaigns since 2022. TA577 uses the Standard IcedID variant.

TA544 – Proofpoint observed TA544 use IcedID in limited campaigns throughout 2022. This actor typically targets organizations in Italy and Japan, and typically delivers Ursnif malware. TA544 uses the Standard IcedID variant.

TA581 – TA581 is a newly classified threat actor Proofpoint has tracked as an unattributed activity cluster since mid-2022. This actor typically uses business-relevant themes such as payroll, customer information, invoice, and order receipts to deliver a variety of filetypes or URLs. TA581 typically delivers IcedID, but has been observed using Bumblebee malware and telephone-oriented attack delivery (TOAD) payloads. TA581 uses the Forked IcedID variant.

Campaign Details

Proofpoint has only observed the IcedID Lite Loader variant delivered as a second-stage payload following Emotet infections associated with November 2022 campaigns. Below are examples of the Standard and Forked IcedID variants observed as first-stage payloads.

Example 1: IcedID Standard Campaign

Proofpoint observed a campaign with over 2,800 messages on 10 March 2023. This campaign began with thread-hijacked emails which contained HTML attachments. The HTML attachments used HTML Smuggling to drop a password-protected, zipped Windows Script File (WSF). The password “747” was displayed in the HTML file. The WSF ran a VBScript which initiated a PowerShell command to download and execute an intermediate script, which then downloaded and executed the Standard IcedID Loader using a non-standard export “init”.

Figure 2: Sample email using thread hijacking to deliver an HTML attachment.

Figure 3: HTML attachment spoofing Office 365.

Figure 4: Contents of smuggled ZIP file.

Figure 5: WSF file contents.

Figure 6: Intermediate PowerShell downloader. This pulled the next stage – the Standard IcedID Loader.

The IcedID loader connected to the C2 server and delivered and executed the IcedID core bot if specific conditions were met.

Standard IcedID Loader Configuration:

     C2: ariopolanetyoa[.]com
     ProjectID: 3278418257

Standard IcedID Bot Configuration:

     C2: alishaskainz[.]com
     C2: akermonixalif[.]com
     CommsCookie: 998075300
     ProjectID: 35
     URI: /news/
     Update URLs: [
          hxxps://yelsopotre[.]com/news/,
          hxxps://qoipaboni[.]com/news/,
          hxxps://halicopnow[.]com/news/,
          hxxps://oilbookongestate[.]com/news/
     ]

Example 2: IcedID Forked Campaign

Proofpoint observed a campaign with over 13,000 messages on 3 February 2023. This campaign began with invoice-themed email lures requesting confirmation from the recipient to manage a contract. The emails were personalized to the recipient by using the recipient’s name in the greeting of the email. The observed emails contained the subject "How can i contact you?" with an attachment name (regex): "unpaid_[0-9]{4}-February-03\.one".

These messages contained Microsoft OneNote attachments (.one). When opened, the OneNote document instructed the recipient to "open" the document by double-clicking the button displayed in the OneNote document. An HTML Application (HTA) file was concealed beneath the "open" text; clicking it executed the HTA file. The HTA file initiated a PowerShell command used to download and execute an IcedID loader. The IcedID loader was executed with rundll32 using a non-standard export: "PluginInit". The PowerShell command also downloaded and opened a decoy PDF.

Figure 7: Screenshot of email sample from the 3 February IcedID campaign.

Figure 8: OneNote attachment containing the “open” button that hides the HTA file.

Figure 9: Screenshot of HTA displayed in a text editor.

Figure 10: Benign PDF that appears while malicious activity is running in the background.

The IcedID loader connected to the C2 server and delivered and executed the IcedID core bot if specific conditions were met.

IcedID Loader Configuration:

     C2: ehonlionetodo[.]com
     ProjectID: 3954321778

IcedID Bot Configuration:

     {
         "date": "03-06-2023",
         "family": "IcedID Core",
         "comms_cookie": "01",
         "project_id": 3954321778,
         "uri": "/news/",
         "c2s": [
             "renomesolar[.]com",
             "palasedelareforma[.]com",
             "noosaerty[.]com"
         ]
     }

This campaign is attributed to TA581, a threat actor that Proofpoint has been tracking since 2022, and officially designated a TA number in March 2023.

Example 3: IcedID Forked Campaign

Proofpoint observed a campaign with over 200 messages conducted from 20 February to 23 February 2023. This campaign included two different email lures: 1) a recall notice purporting to be from the National Traffic and Motor Vehicle Safety Act; and 2) a violation purporting to be from the U.S. Food and Drug Administration (FDA). The emails contained .URL attachments. A URL file is a shortcut that points to a specific Uniform Resource Locator. If the recipient opened the .URL file, the recipient's default web browser accessed the URL contained in the file, which initiated the download of a batch (.bat) file. The batch file then downloaded and executed an IcedID loader with rundll32 using a non-standard export: "PluginInit".

Figure 11: Sample email using the motor vehicle safety lure.

Figure 12: Sample email using motor vehicle/seatbelt safety lure.

Figure 13: URL (.url) attachment displayed in a text editor.

Figure 14: BAT (.bat) file displayed in a text editor.

The IcedID loader connected to the C2 server and delivered and executed the IcedID core bot if specific conditions were met.

IcedID Loader Configuration:

     C2: samoloangu[.]com
     ProjectID: 3971099397

IcedID Bot Configuration:

     C2: sanoradesert[.]com
     C2: steepenmount[.]com
     C2: guidassembler[.]com
     CommsCookie: 1
     ProjectID: 3971099397
     URI: /news/

Malware analysis

Before comparing the Standard Loader to the Forked Loader, it is worth covering the highlights of the IcedID Lite Loader as there is code overlap and clear similarities when compared with the Forked Loader. For an in-depth analysis of the Lite Loader, check out Proofpoint’s previous report here. The Lite Loader’s purpose is to download the next stage of the malware from a hardcoded domain and URI path. The domain is decrypted from the configuration and the URI path is decrypted within the function that makes the HTTP request. Unlike the Standard IcedID Loader, there is no host information being exfiltrated within the request. When the Lite Loader was dropped on Emotet infections, that fact made sense, since this version of IcedID was specifically being deployed on already infected machines, and there was no need to check the host information.

Figure 15: Config decryption within IcedID Lite Loader.

Figure 16: Decryption of the URI within the IcedID Lite Loader.

Considering that Proofpoint has not observed a standalone campaign of the Lite Loader in the wild, the remainder of the analysis section will compare the Standard variant to the Forked variant as well as similarities to the Lite Loader.

Loader Analysis

| Field | Standard Loader | Forked Loader |
| --- | --- | --- |
| Internal name | loader_dll_64.dll | Loader.dll |
| File type | Standard DLL | COM Server |
| Extraneous string |  | Contains “1.bin” |
| Project ID | Project ID differs from loader to bot | Project ID is the same across loader and bot |
| Rough size | ~36KB | ~48KB |
| Botpack decryption | Decryption is the same across both | Decryption is the same across both |

As far as behavior is concerned, the Forked Loader functions the same as the Standard Loader. The goal is to send host information to the loader C2 and then to gate the bot download. This gating mechanism ensures that only genuinely infected machines, rather than researchers or malware sandboxes, receive the bot binary. If the checks pass, the C2 returns the encrypted bot and DLL loader, which is where the real capabilities of the botnet emerge. The differences lie within the binary itself: how the code is structured and how the sample is obfuscated. Both variants of the loader initiate their malicious code by creating a thread for the malware main. Before this happens, though, the Forked Loader decrypts and copies strings into global variables that are later used to resolve the required functions. This pattern of decrypting strings for future use will come up again in the analysis of the DLL loader.

 

Figure 17: String decryption of the DLL names used within the Forked Loader.

With the DLL strings decrypted, the malware then decrypts the loader configuration by taking the first 64 bytes and XORing it against the next 64 bytes. The first four bytes of the decrypted buffer will contain the project identifier (ID) (a campaign identifier of sorts) and then a singular domain which is used to gate the download of the bot.

Figure 18: Decryption of the config buffer in the Forked Loader.

For whatever reason, an extraneous “1.bin” is appended to a string that, as far as Proofpoint researchers can tell, is never used and serves no purpose. With the config decrypted, the malware creates the cookies that contain the host information and sends an HTTP request whose response contains the encrypted bot.
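The config decryption described above (the first 64 bytes XORed against the next 64, yielding a DWORD project ID followed by the loader C2 domain) is the kind of routine an analyst reimplements to extract configurations at scale. The following Python is an added example, not code from the report or from the malware. The 64/64 layout and the DWORD-then-domain plaintext follow the description above; the scanning heuristic in `looks_like_config` (non-zero project ID, a NUL-terminated domain of plausible characters, only padding afterwards), the placeholder domain, the key bytes and the padding are assumptions constructed for the example.

```python
from __future__ import annotations

import struct

HALF = 64               # the report describes a 64-byte block XORed against the following 64 bytes
BLOB_LEN = 2 * HALF
DOMAIN_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789.-")


def decrypt_loader_config(blob: bytes) -> tuple[int, str]:
    """Decrypt one 128-byte Forked Loader config blob.

    The first 64 bytes are XORed against the next 64 bytes; the plaintext starts
    with a little-endian DWORD project ID followed by the NUL-terminated loader
    C2 domain (layout as described in the report).
    """
    if len(blob) < BLOB_LEN:
        raise ValueError(f"need {BLOB_LEN} bytes, got {len(blob)}")
    first, second = blob[:HALF], blob[HALF:BLOB_LEN]
    plain = bytes(a ^ b for a, b in zip(first, second))
    project_id = struct.unpack_from("<I", plain, 0)[0]
    domain = plain[4:].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return project_id, domain


def looks_like_config(plain: bytes) -> bool:
    """Heuristic (an assumption for this example, not from the report) for a
    valid decrypted blob: non-zero project ID, a NUL-terminated domain made of
    plausible characters with a dot in it, and nothing but padding afterwards."""
    project_id = struct.unpack_from("<I", plain, 0)[0]
    if project_id == 0:
        return False
    body = plain[4:]
    if b"\x00" not in body:
        return False
    domain, tail = body.split(b"\x00", 1)
    return (
        len(domain) >= 4
        and b"." in domain
        and all(c in DOMAIN_CHARS for c in domain)
        and not tail.strip(b"\x00")
    )


def find_loader_config(data: bytes) -> tuple[int, int, str] | None:
    """Scan an unpacked image or memory dump for the first offset at which the
    64/64 XOR layout yields a plausible config; returns (offset, project_id, domain)."""
    for off in range(0, len(data) - BLOB_LEN + 1):
        blob = data[off:off + BLOB_LEN]
        plain = bytes(a ^ b for a, b in zip(blob[:HALF], blob[HALF:]))
        if looks_like_config(plain):
            project_id, domain = decrypt_loader_config(blob)
            return off, project_id, domain
    return None


def build_sample_config(project_id: int, domain: str, key: bytes) -> bytes:
    """Constructed test data: encode a config in the described layout so the
    decryptor can be exercised offline. Real blobs come from an unpacked loader."""
    assert len(key) == HALF
    plain = (struct.pack("<I", project_id) + domain.encode("ascii")).ljust(HALF, b"\x00")
    return key + bytes(a ^ b for a, b in zip(key, plain))


# Constructed sample: the project ID reported for the 3 February campaign, a
# placeholder domain (not an indicator from the report) and arbitrary key bytes.
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(HALF))
SAMPLE_BLOB = build_sample_config(3954321778, "loader-c2.example", SAMPLE_KEY)

if __name__ == "__main__":
    pid, c2 = decrypt_loader_config(SAMPLE_BLOB)
    print(f"project_id={pid} c2={c2}")
    # Embed the blob in zero padding to show the scanner locating it by offset.
    print(find_loader_config(b"\x00" * 200 + SAMPLE_BLOB + b"\x00" * 40))
```

Because XOR is symmetric it does not matter which 64-byte half is treated as the key, so the same routine works whether the sample stores key-then-ciphertext or the reverse. The scanner is deliberately strict about the domain character set and the all-zero tail, which keeps false positives low when it is run over a whole memory dump.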

Figure 19: Raw response from the loader C2 containing the encrypted bot and DLL loader.

The response gets decrypted with the IcedID decryption routine, then split into the encrypted bot (being “license.dat”) and the custom DLL loader which is generally some randomly generated filename ending in .tmp.

DLL Loader Analysis

 

| Field | Standard DLL Loader | Forked DLL Loader |
| --- | --- | --- |
| Extraneous code |  | Contains code to decrypt strings and domains related to the “lite loader” |
| File type | Standard DLL | COM Server |
| Internal name | init_dll_64.dll | Init.dll |
| Rough size | 20KB | 36KB |

The start of the DLL loader is the same across both versions: a thread is created that contains the malicious code for custom loading license.dat.

Figure 20: Start of the Standard DLL Loader.

When comparing the StartAddress function, we see the biggest difference across these two samples:

Figure 21: Standard DLL Loader thread function.

The following shows the thread function for the Forked DLL Loader. This function decrypts strings that originally existed only in the Lite Loader.

Figure 22: Forked DLL Loader thread function.

The rest of this report section focuses on the Forked DLL Loader, as that is where these differences exist. Just like the Forked Loader, the Forked DLL Loader decrypts the DLL strings to be used later to resolve handles to the DLLs it needs. The strings are decrypted with the same algorithm, in which the data is split into DWORDs and XORed against a random key.

 

Figure 23: String decryption for the DLL names needed for execution.

Next, a function is called that decrypts strings that are not used at any point within the binary itself. The function starts by creating a structure that is going to be returned at the end of the function. This structure contains two domains and various URIs that could potentially be used to get a separate version of the bot.

 

Figure 24: Decryption of “Lite Loader” domains.

For all the Forked DLL Loader variants we have seen, two domains are decrypted: “tourdeworldsport[.]com” and “handsinworld[.]com”. Neither domain is used within the file, and at the time of this report neither has any relations on VirusTotal. Looking into the “handsinworld” domain, passive DNS shows that it started resolving to its current IP of “193[.]37[.]69[.]107” on 12 Nov 2022. This is also around the time that Emotet dropped the IcedID Lite Loader onto the Epoch 4 and Epoch 5 botnets. More information on the Lite Loader and Emotet can be found in our previous report here. The other domain, “tourdeworldsport”, started resolving to the IP “5[.]61[.]34[.]46” on 18 Nov 2022.

With the domain names decrypted, the DLL Loader decrypts 10 strings that should be URIs to be appended to the domains.

 

Figure 25: Decryption of “Lite Loader” filenames.

Within this list, though, there is a typo: “botpackn3dat”, which most likely should have a period before “dat” (botpackn3.dat). This is the same URI structure (/botpack.dat) that the Lite Loader used to download the bot and DLL loader from the C2 in November 2022 when it was dropped via Emotet infections.

After the strings are decrypted, the structure referencing them is never used again. This is most likely code that has been copy/pasted from the lite loader. If implemented correctly, these strings should appear in the actual loader of IcedID and not within the DLL Loader where it currently resides. These commonalities between the Lite Loader and this DLL Loader make it seem as if the same group that dropped IcedID via Emotet is behind these campaigns as well.

 

Bot Analysis

| Field | Standard Bot | Forked Bot |
| --- | --- | --- |
| File format | Custom PE Format | Custom PE Format |
| Rough size | 368 KB | 304 KB |
| Removed code |  | Removed web injects capability |
| Versioning | Currently at version 119 | Currently at version 111 |

Looking at the Forked IcedID Bot variant and the Standard Bot variant in BinDiff, researchers observed that the Standard IcedID bot contains more functionality than the Forked variant.

 

Figure 26: Output of BinDiff showing the Standard Bot vs the Forked Bot.

Combining Hex-Rays' Lumina and BinDiff shows that the Standard Bot contains functionality relating to web injects, adversary-in-the-middle (AiTM) and backconnect capabilities that do not exist within the Forked variant. This could be because banking fraud has become increasingly difficult over the last couple of years.

 

Figure 27: Functions that have been removed within the Forked Bot.

Within the communications of the bot, there is an authentication header which contains the bot’s project ID, some other details and the version of the bot.

     Authorization: Basic OTk4MDc1MzAwOjA6MTE5OjY1OjM1

     998075300:0:119:65:35

Base64 decoding this value reveals the version as the third colon-separated component. For the Standard IcedID Bot, this value is 119, as seen above, but for the Forked variant the base64-decoded header is:

     998075300:0:111:67:1

This value contains version 111, which could indicate the fork happened when the Standard Bot was using that version.
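The authorization header is a convenient detection and triage artifact: decoding it and reading the third component tells an analyst which variant a check-in came from. The following Python is an added example, not code from the report. It parses the header value quoted above, re-encodes the Forked header from the decoded string given above, and classifies each by version. The report states only that the third component is the version and that the header carries the project ID; naming the first field the comms cookie and the last the project ID is inferred here from matching the Example 1 bot configuration on this page (CommsCookie 998075300, ProjectID 35), and the second and fourth fields are left unnamed. The proxy-log lines and host names are constructed.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass

# Header value quoted in the report for a Standard Bot check-in
# (decodes to "998075300:0:119:65:35").
STANDARD_HEADER = "Basic OTk4MDc1MzAwOjA6MTE5OjY1OjM1"
# Decoded Forked Bot header quoted in the report, re-encoded so the parser
# can be exercised on it.
FORKED_HEADER = "Basic " + base64.b64encode(b"998075300:0:111:67:1").decode()

# Version numbers the report ties to each variant.
VERSION_TO_VARIANT = {119: "standard", 111: "forked"}


@dataclass(frozen=True)
class IcedIdAuth:
    comms_cookie: int  # first field; matches CommsCookie in the Example 1 bot config (inferred)
    field2: int        # not described in the report
    version: int       # third field: bot version (stated in the report)
    field4: int        # not described in the report
    project_id: int    # fifth field; matches ProjectID 35 in the Example 1 bot config (inferred)
    raw: str           # decoded header, kept for logging


def parse_icedid_auth(header_value: str) -> IcedIdAuth | None:
    """Decode 'Basic <base64>' and require exactly five numeric colon-separated fields.

    Returns None for ordinary HTTP Basic credentials (user:pass) and for malformed
    input, so it can be run over arbitrary proxy logs without raising.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    parts = decoded.split(":")
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        return None
    a, b, c, d, e = (int(p) for p in parts)
    return IcedIdAuth(a, b, c, d, e, decoded)


def classify_variant(auth: IcedIdAuth) -> str:
    """Map the version field to the variant names used in the report."""
    return VERSION_TO_VARIANT.get(auth.version, "unknown")


def scan_proxy_log(lines: list[str]) -> list[tuple[str, int, str]]:
    """Return (decoded header, project_id, variant) for each line carrying an IcedID-style header."""
    marker = "Authorization: "
    hits = []
    for line in lines:
        idx = line.find(marker)
        if idx < 0:
            continue
        auth = parse_icedid_auth(line[idx + len(marker):])
        if auth is not None:
            hits.append((auth.raw, auth.project_id, classify_variant(auth)))
    return hits


# Constructed proxy-log lines; host names are placeholders, not indicators from the report.
SAMPLE_LOG = [
    "10.0.0.5 GET http://bot-c2.example/news/ Authorization: " + STANDARD_HEADER,
    "10.0.0.6 GET http://intranet.example/api/ Authorization: Basic dXNlcjpwYXNz",
    "10.0.0.7 GET http://bot-c2.example/news/ Authorization: " + FORKED_HEADER,
    "10.0.0.8 GET http://intranet.example/index.html",
]

if __name__ == "__main__":
    for raw, pid, variant in scan_proxy_log(SAMPLE_LOG):
        print(f"{raw:<24} project_id={pid:<4} variant={variant}")
```

Requiring exactly five all-numeric fields is what keeps the parser from flagging legitimate Basic-auth traffic, whose decoded form is `user:password`; the `validate=True` flag rejects tokens with characters outside the base64 alphabet before any decoding is attempted.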

Finally, there seems to be a bug within the Forked variant of the bot where the URIs of specific requests are not constructed properly which causes 404s to occur.


Figure 28: Network requests made by the Forked Bot.

In the example above, the request should be “/news/4/2/1” but for whatever reason the bot does not append the initial / for specific commands.

Lite Loader Anomaly

After analysis of the separate variants was finished, Proofpoint identified a file called “botpackn1.dat” on VirusTotal that seemed related to our Lite Loader.

 

Figure 29: VirusTotal page showing the botpack used in the Lite Loader.

That filename is embedded within the custom Forked DLL Loader mentioned previously. This relationship was enough to prompt further analysis. In the article where Proofpoint described the IcedID Lite Loader being dropped via Emotet infections, researchers documented the structure of the botpack format and how to decrypt it as well. Taking that same script and applying it to this file leads to a valid configuration where researchers can analyze the configuration.


Figure 30: Command-line output showing the decrypted botpack structure.

This botpackn1.dat contains the later stages of the infection chain, so with some pivoting on the VirusTotal relationships, researchers land on the distribution URL (VT Link) “http[:]//lepriconloots[.]com/botpackn1.dat”. Pivoting again to find files that reach to the URL, we come across the Lite Loader sample itself. Looking at the build artifacts of this sample, it seems like the threat actors have removed the PDB path, but the Lite Loader still contains the build name “Loader.dll”. Loader.dll was initially used within IcedID to refer to the Lite Loader back when it was dropped via Emotet infections in November, but that same build name is now being used within the Forked DLL Loader. This could mean the codebase is similar enough where the threat actors can interchange the loader and the DLL Loader, or that these actors are copy/pasting extraneous code.

 

Figure 31: Embedded build name of the DLL Loader.

Finally, pivoting on where this “c2.dll” (IcedID Lite loader) came from, the distribution URL “http[:]//104[.]156[.]149[.]6/webdav/c2.dll” is observed. Similarly, this IP address hosted an IcedID campaign from TA581 that occurred on 21 February 2023. The TA581 campaign ended up loading the DLL “host.dll” from that same directory and led to one of the first campaigns of Proofpoint observing the Forked variant. At the time when this distribution URL was live the IP was hosting an open directory on /webdav/ that contained various bat files, a forked IcedID loader as well as this lite loader.

Conclusion

IcedID is a popular malware typically used by more advanced cyber criminal threat actors, and its use across the threat landscape has remained relatively consistent until recently. Ultimately, there seems to be considerable effort going into the future of IcedID and the malware’s codebase, including the addition of two new variants described in this report. While historically IcedID’s main function was a banking trojan, the removal of banking functionality aligns with the overall landscape shift away from banking malware and an increasing focus on being a loader for follow-on infections, including ransomware.

Proofpoint anticipates that while many threat actors will continue to use the Standard variant, it is likely the new variants will continue to be used to facilitate additional malware attacks.

ET Rules

ET MALWARE Win32/IcedID Request Cookie
ETPRO MALWARE Win32/IcedID Stage2 Checkin
ETPRO MALWARE Win32/IcedID Stage2 CnC Activity
ETPRO MALWARE Win32/IcedID Stage2 CnC Activity M2 (GET)

Indicators of Compromise

| Indicator | Type | Description | Date Observed |
| --- | --- | --- | --- |
| ehonlionetodo[.]com | C2 | IcedID Loader | February 2023 |
| samoloangu[.]com | C2 | IcedID Loader | February 20-23, 2023 |
| sanoradesert[.]com | C2 | IcedID Bot | February 20-23, 2023 |
| steepenmount[.]com | C2 | IcedID Bot | February 20-23, 2023 |
| guidassembler[.]com | C2 | IcedID Bot | February 20-23, 2023 |
| renomesolar[.]com | C2 | IcedID Bot | February 3, 2023 |
| palasedelareforma[.]com | C2 | IcedID Bot | February 3, 2023 |
| noosaerty[.]com | C2 | IcedID Bot | February 3, 2023 |
| hxxp[://]helthbrotthersg[.]com/view[.]png | URL | HTA Payload URL | February 3, 2023 |
| hxxp[://]104[.]156[.]149[.]6/webdav/c2[.]dll | URL | Staging URL for Lite Loader | February 22, 2023 |
| hxxp[://]lepriconloots[.]com/botpackn1[.]dat | URL | Staging URL for the IcedID bot | February 22, 2023 |
| hxxp[://]94[.]131[.]11[.]141/webdav/Labels_FDA_toCheck[.]bat | URL | .URL File Payload URL | February 20-23, 2023 |
| hxxp[://]94[.]131[.]11[.]141/webdav/fda[.]dll | URL | BAT Payload URL | February 20-23, 2023 |
| Recall_2.22.url | Filename | .URL Attachment | February 20-23, 2023 |
| feb20_fda_labels-violation.url | Filename | .URL Attachment | February 20-23, 2023 |
| dc51b5dff617f4da2457303140ff1225afc096e128e7d89454c3fa9a6883585c | SHA256 | .URL Attachment | February 20-23, 2023 |
| 7c8b3b8cf2b721568b96f58e5994b8ddb8990cd05001be08631ade7902ae6262 | SHA256 | Botpackn1.dat | February 22, 2023 |
| fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe | SHA256 | IcedID Standard Loader | February 3, 2023 |
| 03fdf03c8f0a0768940c793496346253b7ccfb7f92028d3281b6fc75c4f1558e | SHA256 | HTA | February 3, 2023 |
| 9bf40256fb7f0acac020995a3e9a231d54a6b14bb421736734b5815de0d3ba53 | SHA256 | WSF | March 10, 2023 |
| befeb1ab986fae9a54d4761d072bf50fdbff5c6b1b89b66a6790a3f0bfc4243f | SHA256 | DLL | March 10, 2023 |
| hxxp[://]segurda[.]top/dll/loader_p1_dll_64_n1_x64_inf[.]dll53[.]dll | URL | Staging URL for Standard Loader | March 10, 2023 |
| hxxp[://]segurda[.]top/gatef[.]php | URL | PowerShell Payload URL | March 10, 2023 |
| consumption_8581_march-10.html | Filename | HTML Attachment | March 10, 2023 |