
Attackers deliver legal threats, IcedID malware via contact forms
2021-04-09 17:55

Threat actors are using legitimate corporate contact forms to send phishing emails that threaten enterprise targets with lawsuits and attempt to infect them with the IcedID info-stealing malware.

IcedID is a modular banking trojan first spotted in 2017 and updated to also deploy second-stage malware payloads, including Trickbot, Qakbot, and Ryuk ransomware.

Microsoft threat intelligence analysts Emily Hacker and Justin Carroll observed "an influx of contact form emails targeted at enterprises by means of abusing companies' contact forms."

To make the attacks more effective, the threat actors threaten their targets with legal action over alleged copyright infringement, pressuring them into clicking embedded links that lead to IcedID payloads.

The recipients are told to click on an embedded link to review the attackers' "Evidence" but are instead redirected to a Google Sites-hosted website used to deliver the IcedID malware.
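The lure pattern described above (legal-threat wording in a contact-form submission, plus a link that leaves the company's own domain for a Google Sites page) can be scored on the receiving side before the message reaches an inbox. The script below is an added example, not code from the article, Microsoft or Cisco Talos; the term list, the weights, the threshold and the sample submissions are all constructed assumptions, and only the `sites.google.com` hosting domain comes from the article.

```python
"""Triage inbound contact-form submissions for the legal-threat + hosted-link lure.

Heuristic only: term list, weights, threshold and samples are assumptions
constructed for this example, not indicators published in the article.
"""
import re
from urllib.parse import urlparse

# Wording typical of a copyright/lawsuit lure (assumed list).
LEGAL_THREAT_TERMS = (
    "lawsuit", "legal action", "copyright", "infringement",
    "attorney", "lawyer", "evidence", "dmca",
)
# Free-hosting domain named in the article as the redirect target.
FREE_HOSTING_DOMAINS = ("sites.google.com",)
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the submission body."""
    return URL_RE.findall(text)


def is_free_hosting(url):
    """True when the URL's host is (or is under) a listed free-hosting domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FREE_HOSTING_DOMAINS)


def score_submission(message, own_domain="example.com"):
    """Return (score, reasons); a higher score is closer to the lure pattern."""
    text = message.lower()
    score, reasons = 0, []

    hits = [t for t in LEGAL_THREAT_TERMS if t in text]
    if hits:
        score += min(len(hits), 3)  # cap so one long message cannot dominate
        reasons.append("legal-threat terms: " + ", ".join(hits))

    urls = extract_urls(message)
    external = [u for u in urls
                if not (urlparse(u).hostname or "").lower().endswith(own_domain)]
    if external:
        score += 1
        reasons.append("external link(s): %d" % len(external))

    hosted = [u for u in external if is_free_hosting(u)]
    if hosted:
        score += 2
        reasons.append("free-hosting link(s): " + ", ".join(hosted))

    # The combination is the actual lure signature, so weight it separately.
    if hits and hosted:
        score += 2
        reasons.append("threat wording combined with free-hosting link")
    return score, reasons


def triage(submissions, threshold=5):
    """Return (id, score, reasons) for submissions at or above the threshold."""
    flagged = []
    for sub in submissions:
        score, reasons = score_submission(sub["message"])
        if score >= threshold:
            flagged.append((sub["id"], score, reasons))
    return flagged


# Constructed sample submissions (assumption: none are real messages).
SAMPLE_SUBMISSIONS = [
    {"id": "s1", "message": (
        "Your site uses my photographs without permission. This is copyright "
        "infringement and my attorney will file a lawsuit unless removed. "
        "See the evidence here: https://sites.google.com/view/notice-12345")},
    {"id": "s2", "message": (
        "Hi, I'd like a quote for 50 units. Price list at "
        "https://example.com/catalog")},
    {"id": "s3", "message": (
        "Love your blog, check mine: https://sites.google.com/view/my-hobby-page")},
    {"id": "s4", "message": (
        "Our legal team needs an invoice copy for the copyright license we "
        "bought last year.")},
]

if __name__ == "__main__":
    for sid, score, reasons in triage(SAMPLE_SUBMISSIONS):
        print(sid, score, "; ".join(reasons))
```

Only the first sample crosses the threshold: a hosted link on its own (s3) or legal wording on its own (s4) stays well below it, which keeps ordinary customer mail out of the quarantine queue while the combined pattern is held for review.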

Cisco Talos researchers discovered a similar campaign in September 2020 using legitimate contact forms to send phishing emails to distribute various malware payloads, including Gozi ISFB, ZLoader, SmokeLoader, and AveMaria.
