Spam Downpour Drips New IcedID Banking Trojan Variant

Researchers have seen a new variant of the IcedID banking trojan sliding in via two new spam campaigns. Written in English and carrying ZIP files full of the malware – or links to such ZIP files – the new twist on the old banking trojan is a tweaked downloader, which the threat actors moved from the initial x86 version to the latest: an x86-64 version. They also ditched the fake command-and-control (C2s, aka C&Cs) that were found in the earlier configuration and which were likely there to complicate malware analysis, researchers said. In an advisory posted on Thursday, Kaspersky researchers said that they spied the new spam campaigns – both of which were designed to deliver banking trojans – in mid-March. Most of the payloads the researchers collected were IcedID (Trojan-Banker.Win32.IcedID), but they also came across a few samples of the Qbot banking trojan (Backdoor.Win32.Qbot, aka QakBot). The primarily IcedID-flavored campaigns were coming in at a fever pitch: Campaign spikes hit more than 100 detections a day. That’s in keeping with another widespread IcedID email campaign that pelleted targets in April, when rigged Microsoft Excel attachments and Excel 4 macros were dumping IcedID at high volumes. At the time, it looked like the IcedID trojan was stepping in to fill the void left by Emotet after the malware got slapped offline in January. IcedID (aka BokBot) is similar to Emotet in that it’s a modular malware that started life as a banking trojan, initially used to…