ICEDID Malicious Bootloader Profile Change

Proofpoint researchers have discovered new variants of the ICEDID malware that lack its characteristic online-banking fraud functionality. Instead, the attackers focus on installing additional malware on compromised systems. This follows reports that the new ICEDID variants have been used since the end of last year by three independent threat groups in seven different campaigns, primarily aimed at delivering payloads.

Proofpoint researchers identified two new ICEDID loaders, “Lite” and “Forked”. Both loaders differ from the older ICEDID versions in their functionality and in the way they deliver payloads. Removing unnecessary functions from ICEDID makes it less conspicuous and more compact, which can help attackers evade detection.

In November 2022, the Lite version of the ICEDID loader was delivered as a second-stage payload after a device had already been infected by another malware family, Emotet. The Forked version of the loader first appeared in February 2023 and was distributed directly, via thousands of personalized phishing emails carrying fake tax documents. In these attacks, attachments with the “.On” extension were used to run a malicious “.hta” file, which in turn launched PowerShell.

At the end of February, Proofpoint researchers observed a low-volume distribution of ICEDID “Forked” through fake notifications purporting to come from the US agencies NHTSA and FDA. While some attackers use the new ICEDID loaders, others still prefer the standard variant. The “Forked” ICEDID loader resembles the standard version but uses a different file type, with an additional domain and string-decryption code that make its payload 12 KB larger than the standard version’s. The Lite loader is 20 KB lighter and does not send host information to the C2 server; it is usually delivered together with Emotet, which has already profiled the compromised system.
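The execution chain reported above (a malicious “.hta” file launched from an attachment, which then starts PowerShell) is something defenders can look for in process-creation telemetry. The following is an added illustration written for this page, not Proofpoint's code or any tooling from the ICEDID operators: it runs a small detector over constructed process events (all PIDs, paths and command lines are made up) and flags PowerShell processes whose parent is mshta.exe, recording the ancestry chain and any suspicious PowerShell switches. The flag list and the choice of mshta.exe as the parent are assumptions based on the chain described in the text.

```python
"""
Detect the mshta.exe -> powershell.exe execution chain described in the
article, using constructed process-creation events (not real telemetry).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable name, lowercased
    cmdline: str     # full command line as logged


# Constructed sample events: PIDs, paths and command lines are invented.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    # .hta file opened by mshta.exe (assumed attachment-launched)
    ProcEvent(200, 100, "mshta.exe", r'mshta.exe "C:\Users\u\AppData\Local\Temp\invoice.hta"'),
    # PowerShell spawned by the HTA, hidden window and encoded command
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -w hidden -enc AAAA"),
    # Benign PowerShell started from the desktop shell
    ProcEvent(400, 100, "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    # mshta.exe with no PowerShell child
    ProcEvent(500, 100, "mshta.exe", "mshta.exe about:blank"),
]

# PowerShell switches that commonly accompany loader activity (assumed list).
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")


def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Index events by PID so parents can be resolved quickly."""
    return {e.pid: e for e in events}


def ancestry(event: ProcEvent, index: Dict[int, ProcEvent], max_depth: int = 10) -> List[ProcEvent]:
    """Walk the parent chain upward until the root or an unknown PID."""
    chain: List[ProcEvent] = []
    cur = event
    for _ in range(max_depth):
        parent = index.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_hta_to_powershell(events: List[ProcEvent]) -> List[dict]:
    """Return one hit per powershell.exe whose direct parent is mshta.exe."""
    index = build_index(events)
    hits: List[dict] = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        parent = index.get(e.ppid)
        if parent is None or parent.image != "mshta.exe":
            continue
        lowered = e.cmdline.lower()
        flags = [f for f in SUSPICIOUS_PS_FLAGS if f in lowered]
        hits.append({
            "pid": e.pid,
            "parent_cmdline": parent.cmdline,
            "cmdline": e.cmdline,
            "suspicious_flags": flags,
            "chain": [p.image for p in ancestry(e, index)],
        })
    return hits


if __name__ == "__main__":
    for hit in find_hta_to_powershell(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} chain={' <- '.join(hit['chain'])} flags={hit['suspicious_flags']}")
```

Only the HTA-spawned PowerShell process (pid 300) is reported; the PowerShell started from explorer.exe and the mshta.exe instance without a child are ignored. In a real pipeline the parent check would be extended to whichever application opens the attachment type in use, and the suspicious-flag list tuned to the environment's baseline.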
