IcedID strengthens its capabilities: new methods of dissemination and attack
The malware sharpens its claws. It's hard to detect
The notorious malware loader, IcedID, also known as BokBot, has been updated, specifically its BackConnect (BC) module, used for post-compromise activity on infiltrated systems. Cybersecurity researchers from Team Cymru disclosed this in their latest findings. IcedID, a malware initially developed as a banking Trojan in 2017, has evolved into an initial access facilitator for various payloads, with a recent focus on delivering ransomware.
Netresec's documentation of the BC module and geographic origins
The BC module, first detailed by Netresec in October 2022, functions on an exclusive command-and-control (C2) protocol permitting interaction between a server and the infiltrated host. This protocol includes a VNC component for remote access and is not unique to IcedID, having been found in others such as BazarLoader and QakBot. Team Cymru detected 11 active BC C2s in December 2022, tracing them back to operators seemingly located in Moldova and Ukraine.
Changes in traffic port make IcedID detection more challenging
BackConnect traffic generated by IcedID was previously easy to detect via TCP port 8080, but the malware has now shifted its traffic to TCP port 443, a move that makes detection more challenging, as pointed out by Palo Alto Networks Unit 42. This shift was noted as far back as April 11, 2023. "However, as early as April 11, 2023, BackConnect activity for IcedID changed to TCP port 443, making it harder to find," Unit 42 stated in late May 2023.
Increased BC C2 servers and IcedID's double blow victims
Solidifying fears about the ever-growing threat of IcedID, Team Cymru has recorded an influx of BC C2 servers: the number has risen from 11 to 34 since January 23, 2023. At the same time, the average lifespan of a server has dropped substantially, from 28 to 8 days. The most concerning observation, however, is that IcedID is likely using some victims as conduits for spamming operations, thanks to the SOCKS capabilities of the BC module. This amplifies the consequences for victims, who suffer not only data and financial losses but are also exploited to facilitate IcedID's spread.
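Two defender-side heuristics that follow from the port shift and the SOCKS spam-relay observation above, as an added example that is not code from the article, Team Cymru or Unit 42. It assumes the BackConnect protocol does not wrap itself in TLS (so a connection to port 443 that does not open with a TLS ClientHello is worth a look) and that an internal workstation talking SMTP to several external servers is unusual; the flow records and payload bytes are constructed for the example.

```python
# Constructed flow records: (src_ip, dst_ip, dst_port, first_payload_bytes).
# Payload bytes are made up for the example; only the first is a real TLS prefix.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("1603010200010001fc")),  # TLS ClientHello
    ("10.0.0.7", "198.51.100.20", 443, bytes.fromhex("0100000004000000")),   # non-TLS on 443
    ("10.0.0.7", "198.51.100.30", 8080, bytes.fromhex("0100000004000000")),  # legacy port
    ("10.0.0.7", "192.0.2.25", 25, b"EHLO relay\r\n"),   # workstation reaching several
    ("10.0.0.7", "192.0.2.26", 25, b"EHLO relay\r\n"),   # external SMTP servers: the
    ("10.0.0.7", "192.0.2.27", 25, b"EHLO relay\r\n"),   # SOCKS spam-relay pattern
    ("10.0.0.5", "10.0.0.2", 25, b"EHLO desk\r\n"),      # normal: one internal mail server
]


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03 0x0x,
    and handshake type 0x01 (ClientHello) at byte offset 5."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def non_tls_on_443(flows, ports=(443,)):
    """Flows to the given ports whose first bytes are not a TLS ClientHello.
    Pass ports=(443, 8080) to keep covering the older BackConnect port too."""
    return [(src, dst, port) for src, dst, port, payload in flows
            if port in ports and not is_tls_client_hello(payload)]


def smtp_relay_suspects(flows, min_destinations=3):
    """Hosts opening outbound SMTP (TCP/25) flows to at least
    `min_destinations` distinct servers, i.e. behaving like a spam relay."""
    dests = {}
    for src, dst, port, _ in flows:
        if port == 25:
            dests.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    print("non-TLS on 443/8080:", non_tls_on_443(FLOWS, ports=(443, 8080)))
    print("possible spam relays:", smtp_relay_suspects(FLOWS))
```

Both checks are heuristics: a non-TLS flow on 443 can also be a legitimate custom protocol, so treat a hit as a trigger for packet capture and host triage rather than a verdict.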
07/28/2023 15:42
Marco Verro