Tag Archive for: Loader

Novel HijackLoader malware loader gains traction, updated RisePro infostealer emerges – SC Media




Source…

Researchers warn of two new variants of potent IcedID malware loader


Security researchers have seen attack campaigns using two new variants of IcedID, a banking Trojan program that has been used to deliver ransomware in recent years. The two new variants, one of which appears to be connected to the Emotet botnet, are lighter compared to the standard one because certain functionality has been stripped.

“It is likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking Trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery,” researchers from Proofpoint said in a new report. “Additionally, based on artifacts observed in the codebase, timing, and association with Emotet infections, Proofpoint researchers suspect the initial developers of Emotet have partnered with IcedID operators to expand their activities including using the new Lite variant of IcedID that has different, unique functionality and likely testing it via existing Emotet infections.”

IcedID is favored by initial access brokers

IcedID first appeared in 2017 and was originally a Trojan designed to steal online banking credentials by injecting rogue content into local browsing sessions, an attack known as webinject. From 2017 until last year, the Trojan’s codebase remained largely unchanged. However, in recent years some attacker groups started using it more for its ability to serve as a loader for additional malware payloads than for its bank fraud capabilities.

During 2022 and 2023, Proofpoint has seen hundreds of attack campaigns using the IcedID Trojan and managed to link them to five distinct threat actors, most of which operate as initial access brokers, meaning they sell access into corporate networks to other cybercriminals, usually ransomware gangs.

A group that Proofpoint tracks as TA578 has been using IcedID since June 2020. Its email-based malware distribution campaigns typically use lures such as “stolen images” or “copyright violations”. The group uses what Proofpoint considers to be the standard variant of IcedID, but has also been seen delivering Bumblebee, another malware loader favored by initial access brokers.

Another group that uses the…

Source…

Bumblebee malware loader emerges • The Register


A sophisticated malware loader dubbed Bumblebee is being used by at least three cybercriminal groups that have links to ransomware gangs, according to cybersecurity researchers.

Gangs using Bumblebee have in the past used the BazarLoader and IcedID loaders – linked to high-profile ransomware groups Conti and Diavol. The emergence of Bumblebee coincides with the swift disappearance of BazarLoader in recent weeks, according to researchers with security firm Proofpoint.

The researchers note that BazarLoader’s disappearance occurred about the same time a Ukrainian researcher with access to Conti’s operations – and apparently angry with Kremlin-linked Conti’s public support for Russia’s invasion of Ukraine – started leaking information from the organization, including its ties with BazarLoader.

In February, Conti reportedly took over the operation of the TrickBot botnet gang that developed BazarLoader. Researchers with both Proofpoint and Cybereason found code similarities between Bumblebee and TrickBot’s malware.

Bumblebee, like BazarLoader, likely is used to gain initial access to vulnerable systems and networks. The bad actors then sell that access to other cybercriminals who deliver their malicious payloads into the compromised environments.

Google’s Threat Analysis Group (TAG) wrote in March about a threat group called Exotic Lily. The ad giant’s infosec researchers said Exotic Lily has links to Conti and Diavol, and used Bumblebee to launch large-scale phishing campaigns to gain initial access.

This week Proofpoint and Cybereason observed that, while there are strong overlaps with TrickBot’s code, Bumblebee has unique features and stronger anti-detection tools.

“From a threat research perspective, what makes this malware interesting is the fact that it was associated with the Conti ransomware group as one of the group’s…

Source…

SolarWinds hackers used 7-Zip code to hide Raindrop Cobalt Strike loader


The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool, which researchers call Raindrop, that was used to spread across computers on the victim network.

The hackers used Raindrop to deliver a Cobalt Strike beacon to select victims that were of interest and which had already been compromised through the trojanized SolarWinds Orion update.

There are currently four pieces of malware identified in the SolarWinds cyberattack, believed to be the work of a Russian threat actor:

  • Sunspot, the initial malware used to inject backdoors into the Orion platform builds
  • Sunburst (Solorigate), the malware planted in Orion updates distributed to thousands of SolarWinds customers
  • Teardrop, the post-exploitation tool delivered by Sunburst on select victims to deploy customized Cobalt Strike beacons
  • Raindrop, the newly uncovered malware that is similar to Teardrop

Disguised as 7-Zip file to load Cobalt Strike

Symantec researchers found the new Raindrop malware on machines compromised through the SolarWinds cyberattack. They noticed that it fulfills the same function as Teardrop but differs both in its deployment mechanism and at the code level.


To hide the malicious functionality, the hackers used a modified version of the 7-Zip source code to compile Raindrop as a DLL file. The 7-Zip code only acts as a cover as it is not used in any way.

In one victim organization that installed the trojanized Orion platform in early July 2020, Symantec found that Teardrop arrived the very next day via Sunburst. Raindrop appeared 11 days later on another host in the organization where no malicious activity had previously been observed, the researchers say.

How Raindrop ended up on a victim network is a mystery for now. Symantec saw no evidence of Sunburst delivering Raindrop directly, yet it was present “elsewhere on networks where at least one computer has already been compromised by Sunburst.”

On another victim network, Raindrop landed in May 2020. A few days later, PowerShell commands were executed in an attempt to spread the malware on other systems. Cybersecurity company Volexity investigating SolarWinds cyberattacks also reported that the hackers…

Source…