A massive malspam campaign is underway distributing the IcedID banking Trojan. The malicious emails have Microsoft Excel attachments, which use Excel 4 macros to deliver the banking Trojan.
IcedID is a modular malware that started life as a Trojan that steals financial information from victims. Like several other banking Trojans, it has since evolved into a malware dropper and is now primarily being used to distribute secondary malware and ransomware payloads.
The disruption to the Emotet botnet has created a gap in the market, and it appears that IcedID is filling the void. The Emotet botnet was disrupted in January 2021; before that point it was being distributed in spam email campaigns involving between 100,000 and 500,000 emails a day. While Emotet is a banking Trojan, it was primarily used as a first-stage malware loader, with the huge network of Emotet-infected devices rented out to other cybercriminal operations under the malware-as-a-service (MaaS) model. Emotet has been used for downloading secondary malware payloads such as Qakbot, TrickBot, and Ryuk ransomware.
Following the takedown of Emotet infrastructure, the malware was removed from around 1 million infected endpoints worldwide. There was a similar takedown of the TrickBot botnet prior to the 2020 U.S. presidential election, which was also used as a malware loader. In the case of TrickBot, the threat group rebuilt its infrastructure, but it appears that Emotet remains out of action.
The takedown of such a large malware distribution operation as Emotet naturally leaves a large gap in the market, and IcedID could well be attempting to become the new Emotet and the MaaS of choice for cybercriminal gangs.
The IcedID malspam campaigns have been tracked by security researchers at Uptycs, who identified more than 15,000 HTTP requests from over 4,000 malicious files, 93% of which were Excel spreadsheets with .xls or .xlsm extensions. The emails used subjects that would likely attract a click from business users, with the attached files having names such as claim, compliant, overdue, inform, calculation, and compensation claim, followed by a randomly generated string of numbers. Opening the spreadsheets would generate a prompt asking users to enable content to view the contents of the files. Doing so would allow the macros to run.
The macros were used to download a malicious payload from a URL in the spreadsheet, which was often a legitimate but compromised website. Multiple methods have been used to hide the macro formulas in the attached documents, such as splitting the macro across various cells and worksheets, using white text on a white background, or shrinking the contents of cells to render the content invisible. The macros download executable DLL files, which are run using rundll32 DllName, DllRegisterServer.
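The execution chain described above (an Office process spawning rundll32 with a freshly dropped DLL and the DllRegisterServer export) is visible in ordinary process-creation telemetry. The following detection logic is an added example, not code from the article or from Uptycs; it runs over constructed Sysmon-style process events (the file paths, user names and DLL names are made up) and scores each rundll32 invocation by its parent process, the export called and where the DLL lives.

```python
"""Flag the Excel -> rundll32 <dll>,DllRegisterServer chain in process-creation events.

Added example for the IcedID article; the sample events below are constructed,
not real telemetry, and the path prefixes are an assumption about typical drop locations.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office parents that should essentially never spawn rundll32 on a workstation.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# User-writable directories a macro-downloaded DLL would normally be written to (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Matches an optionally quoted rundll32 image, with or without a directory, then its arguments.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.IGNORECASE
)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


@dataclass
class Finding:
    severity: str
    reason: str
    event: ProcessEvent


def parse_rundll32_args(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export_name) from a rundll32 command line, or None.

    rundll32 takes '<dll>,<export>' with optional whitespace around the comma
    and an optionally quoted DLL path.
    """
    match = RUNDLL32_RE.match(command_line)
    if not match:
        return None
    rest = match.group("rest").strip()
    if "," not in rest:
        return None
    dll, export = rest.split(",", 1)
    dll = dll.strip().strip('"')
    export_tokens = export.strip().split()
    return dll, (export_tokens[0] if export_tokens else "")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> Optional[Finding]:
    """Score a single process-creation event; None means nothing suspicious."""
    if _basename(event.image) != "rundll32.exe":
        return None
    parsed = parse_rundll32_args(event.command_line)
    if parsed is None:
        return None
    dll, export = parsed
    office_parent = _basename(event.parent_image) in OFFICE_PARENTS
    user_path = dll.lower().startswith(USER_WRITABLE)
    regsvr = export.lower() == "dllregisterserver"

    if office_parent and regsvr:
        return Finding("high", "Office process ran rundll32 with DllRegisterServer", event)
    if office_parent:
        return Finding("medium", "Office process spawned rundll32", event)
    if user_path and regsvr:
        return Finding("medium", "DllRegisterServer called on DLL in user-writable path", event)
    return None


def scan(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32 C:\Users\alice\AppData\Local\Temp\claim_48213.dll,DllRegisterServer"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\ProgramData\update.dll", DllRegisterServer'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\dfshim.dll,ShOpenVerbApplication"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.reason}: {finding.event.command_line}")
```

The parent-process check carries most of the weight: rundll32 itself is a signed system binary and runs constantly, so alerting on the export name or path alone produces noise, whereas Excel or Word spawning it is rare enough on a workstation to be worth a ticket every time.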
The Uptycs researchers suggest deploying a multi-layered and real-time detection solution, monitoring systems for suspicious processes and events, exercising caution when opening any documents or spreadsheets distributed via email, and keeping software and operating systems fully up to date and patched.
Another method of distributing IcedID was recently detected by the Microsoft 365 Defender Threat Intelligence Team. Contact forms on websites are being abused to send emails containing links to websites where IcedID is downloaded. The threat actors have managed to bypass CAPTCHA controls to send large volumes of messages to enterprises; because the messages originate from the enterprise's own website, they bypass email security gateways.
One of the themes of the emails is a message from a certified photographer which claims that the organization has stolen photographs hosted on their website, in violation of copyright laws. The emails threaten legal action and include a hyperlink which the recipient is told to click to view evidence of the copyright fraud. The link is for a Google Sites URL which is used to download IcedID.
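Because contact-form notifications are generated by the organization's own web server, the mail gateway has little to judge them on; the place to triage them is the form handler itself, before the notification is sent. The following is an added example (not code from the article or from Microsoft) of that server-side triage: it extracts links from a submission, separates links to the organization's own domains (a constructed example.com) from external ones, singles out free hosting services (only sites.google.com is taken from the article; the keyword list and the sample submissions are constructed), and assigns a verdict.

```python
"""Server-side triage of contact-form submissions before a notification email is sent.

Added example for the IcedID article. OWN_DOMAINS, LURE_TERMS and the sample
submissions are constructed; sites.google.com is the hosting service named in the article.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)
OWN_DOMAINS = {"example.com", "www.example.com"}          # constructed
FREE_HOSTING = {"sites.google.com"}                       # from the article
LURE_TERMS = ("copyright", "legal action", "lawsuit", "stolen",
              "photograph", "attorney", "evidence")       # constructed lure vocabulary


@dataclass
class Submission:
    sender_name: str
    sender_email: str
    message: str


@dataclass
class Triage:
    links: List[str]
    external_links: List[str]
    hosted_links: List[str]
    lure_hits: List[str]
    verdict: str   # "deliver", "review" or "quarantine"


def extract_links(text: str) -> List[str]:
    return URL_RE.findall(text)


def host_of(url: str) -> str:
    host = urlparse(url).hostname
    return host.lower() if host else ""


def triage(sub: Submission) -> Triage:
    links = extract_links(sub.message)
    external = [u for u in links if host_of(u) not in OWN_DOMAINS]
    hosted = [u for u in external if host_of(u) in FREE_HOSTING]
    lowered = sub.message.lower()
    lure = [t for t in LURE_TERMS if t in lowered]

    # A free-hosting link, or an external link wrapped in legal-threat language, is held back.
    if hosted or (external and len(lure) >= 2):
        verdict = "quarantine"
    elif external or lure:
        verdict = "review"
    else:
        verdict = "deliver"
    return Triage(links, external, hosted, lure, verdict)


# Constructed sample submissions (not real messages).
SAMPLES = [
    Submission("Pat Example", "pat@photo.example",
               "I am a certified photographer. You have stolen my photographs and are "
               "in violation of copyright law. View the evidence here before we take legal action: "
               "https://sites.google.com/view/PLACEHOLDER-constructed"),
    Submission("Sam Customer", "sam@customer.example",
               "Hi, is the product on https://www.example.com/catalog/item-12 still in stock?"),
    Submission("Partner Inc", "ops@partner.example",
               "Our updated price list is at https://partner.example/prices.pdf"),
]

if __name__ == "__main__":
    for sub in SAMPLES:
        result = triage(sub)
        print(f"{result.verdict:<10} {sub.sender_email}  hosted={result.hosted_links}")
```

Holding the "quarantine" class out of the normal notification path removes the very property the article describes the attackers relying on: that the message reaches the mailbox as trusted internal traffic. It is also worth tagging the remaining notifications with a header the gateway can see, so that form-generated mail is not blanket-exempted from link scanning.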