Security Brief: TA571 Delivers IcedID Forked Loader

What happened 

Proofpoint researchers identified TA571 delivering the Forked variant of IcedID in two campaigns on 11 and 18 October 2023. Both campaigns included over 6,000 messages, each impacting over 1,200 customers in a variety of industries globally.  

Emails in the campaigns purported to be replies to existing threads. This is known as thread hijacking. The emails contained 404 TDS URLs linking to the download of a password-protected zip archive with the password listed in the email. The attack chain included a series of checks to validate the recipient before delivering the zip archive. 

TA571 lure used in an IcedID campaign on 11 October 2023.  

The zip file contained a VBS script and a benign text file. The VBS script, if double clicked by the user, ran an embedded IcedID Forked loader with regsvr32. The loader in turn downloaded the IcedID bot.  

The use of the Forked IcedID variant is unusual, as it has only been observed in a small number of campaigns. Proofpoint first identified this variant in February 2023. A key difference between the original IcedID variant and the Forked variant was the removal of banking functionality. At the time, Proofpoint assessed actors were using the modified variants to pivot the malware away from typical banking trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery. 

TA571 regularly uses 404 TDS in campaigns to deliver malware, including AsyncRAT, NetSupport, and DarkGate. Proofpoint researchers have been tracking 404 TDS since at least September of 2022, and it is used by a number of threat actors. A traffic distribution system (TDS) is an application used to route web traffic through operator-controlled servers. They can be used by threat actors to redirect traffic to malware downloads and use IP filtering to determine whether to deliver a payload or redirect to a credential harvesting website. Proofpoint assesses 404 TDS is likely shared or sold to other actors due to its involvement in a variety of unrelated phishing and malware campaigns.  

Attribution 

TA571 is a spam distributor, and this actor sends high volume spam email campaigns to deliver and install a variety malware for their cybercriminal customers, depending on the subsequent operator’s objectives. Proofpoint assesses with high confidence that TA571 infections can lead to ransomware.  

Why it matters 

TA571’s delivery of the Forked IcedID variant is unique as Proofpoint does not often observe it in threat data. Additionally, Proofpoint considers TA571 to be a sophisticated cybercriminal threat actor. Its attack chain includes unique filtering using intermediary “gates” for traffic to pass through. These gates, which are intermediary URLs, will filter traffic based on IP and geo-fencing. TA571 may have as many as two gates per campaign. This is to ensure only specifically targeted users receive the malware, and to bypass automated sandboxing or researcher activity. 

Emerging Threats signatures 

2853110 - ETPRO EXPLOIT_KIT 404 TDS Redirect 

2032086 - ET TROJAN Win32/IcedID Request Cookie 

2847335 - ETPRO TROJAN Win32/IcedID Stage2 Checkin 

2032086 - ET TROJAN Win32/IcedID Request Cookie 

Indicators of compromise