Proofpoint researchers have observed and documented three variants of the IcedID malware variant, according to the company.
The Standard IcedID variant is banking malware that was discovered in 2017, Proofpoint noted. It consists of an initial loader that contacts a Loader command-and-control (C2) server and downloads a standard DLL loader that delivers the standard IcedID bot.
In November 2022, Proofpoint researchers found the first variant of IcedID, dubbed "Lite." This variant was distributed as a follow-on payload in a TA542 Emotet malware campaign, Proofpoint stated.
Proofpoint researchers identified the second variant of IcedID, "Forked," in February 2023. They have discovered seven campaigns using the Forked IcedID variant, which has used various email attachments to date.
Cybercriminals Have Launched Hundreds of IcedID Campaigns
Proofpoint has discovered hundreds of IcedID campaigns in 2022 and 2023, the company stated. These campaigns involve at least five threat actors that distribute the malware.
Many of the threat actors involved in IcedID campaigns have used the Standard IcedID variant, Proofpoint indicated. In addition, most of these threat actors appear to be initial access brokers that facilitate ransomware attacks.
What the Future Holds for IcedID
Cybercriminals are dedicating "considerable effort" to IcedID and the malware's codebase, Proofpoint said. Although IcedID was once used primarily as a banking trojan, cybercriminals are more prone than ever before to remove the malware's banking functionality. In doing so, cybercriminals are shifting away from using IcedID s banking malware and exploring new opportunities to use it as a loader for ransomware and other malicious infections.
Meanwhile, Proofpoint anticipates that many threat actors will continue to use the Standard IcedID variant. At the same time, it is likely the Lite and Forked IcedID variants will continue to be used in malware attacks.