Following the takedown of Emotet, a hole was left in the malspam-as-a-service cybercrime ecosystem. IcedID, a well-known banking trojan used by multiple distinct threat groups, now appears primed to fill that hole: as originally reported by The Record, its various affiliates have stepped up distribution volume considerably. These campaigns use a variety of lures and distribution tactics, including:
- Excel 4.0 XLM sheets
- Password-protected zip files to bypass email filters
- Public contact forms to send email and trick corporate employees into installing malware
- Unauthorized modifications of the Zoom video-conferencing app that include malware
Binary Defense has been tracking one of the main IcedID distributors, a distribution affiliate known as “TR”. This actor makes use of DocuSign-themed XLM sheets to install malware: victims are instructed to enable macros in order to access the document, and enabling those macros is what lets the sheet install the malware. Binary Defense recommends taking great care when opening documents that originated either as an email attachment or as a link in an email. Applying Microsoft's Attack Surface Reduction (ASR) rules to prevent Office applications from spawning child processes is an excellent mitigation against compromise, because it breaks the infection chain at the point where the macro tries to launch its payload. Additionally, Binary Defense recommends deploying a 24/7 SOC solution such as Binary Defense’s own Security Operations Task Force.
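As an added example (not code from the Binary Defense post), the following PowerShell enables the Microsoft Defender ASR rules that target Office macro abuse, in audit mode first so the impact on legitimate documents can be measured before switching to block mode, and reads back rule state and ASR audit/block events. The rule GUIDs and event IDs are Microsoft's documented identifiers; the function names are my own.

```powershell
# Added example: deploy the ASR rules relevant to macro-laden Office documents.
# Run from an elevated PowerShell session on a host with Microsoft Defender Antivirus.

# Documented Microsoft ASR rule GUIDs and their meaning.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-5D74-470C-9F73-3A1E2A21DDB0' = 'Block Win32 API calls from Office macros'
}

function Set-OfficeAsrRules {
    # Start with AuditMode to log what would be blocked; move to Enabled once the
    # audit events show no impact on legitimate business documents.
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Disabled')]
        [string]$Mode = 'AuditMode'
    )
    foreach ($Id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-10} {1}" -f $Mode, $AsrRules[$Id])
    }
}

function Get-OfficeAsrState {
    # Read back the configured action for each rule; the two arrays are index-aligned.
    $Pref = Get-MpPreference
    for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $Id = $Pref.AttackSurfaceReductionRules_Ids[$i]
        if ($AsrRules.ContainsKey($Id)) {
            [pscustomobject]@{
                Rule   = $AsrRules[$Id]
                Action = $Pref.AttackSurfaceReductionRules_Actions[$i]   # 0=Disabled 1=Block 2=Audit
            }
        }
    }
}

function Get-OfficeAsrEvents {
    # Event 1121 = rule blocked an action, 1122 = rule would have blocked (audit).
    # These are the events to watch for macro documents trying to spawn processes.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message } }
}

Set-OfficeAsrRules -Mode AuditMode
Get-OfficeAsrState
Get-OfficeAsrEvents | Select-Object -First 20
```

After a suitable audit period with no legitimate hits, rerun `Set-OfficeAsrRules -Mode Enabled` to enforce blocking.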