
IcedID Trojan Operators Experimenting With New Delivery Methods
2021-04-12 17:33

The threat actors behind the IcedID Trojan are experimenting with various delivery methods to increase efficiency, including sending malicious messages from web-based contact forms.

In some of the attacks, the operators switched to abusing website contact forms to deliver the malicious messages.

Over the past month, researchers with various security firms have observed an increase in malicious activity surrounding IcedID, with most of the attacks leveraging hijacked email conversations to send the payload. While Binary Defense has observed the use of Excel XLS file attachments in such attacks, Trend Micro, security researcher Ali Aqeel, and Microsoft say that the malicious payload in the identified attacks was being delivered as a ZIP archive.

Microsoft additionally identified a more unusual delivery method for the malicious file, namely web-based contact forms.

Contact forms that do not validate or rate-limit submissions can be abused in various types of attacks, and IcedID's operators have found a novel way to leverage them: because the message is generated and sent by the targeted organization's own website rather than by attacker infrastructure, it reaches the recipient from a sender they have reason to trust.

The ZIP archive contains a heavily obfuscated, malicious JavaScript file; when the victim opens it, the script runs and fetches the IcedID payload, alongside a Cobalt Strike beacon.
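The delivery chain above (ZIP attachment, script inside, payload fetched at run time) is something a mail gateway can check for before the file ever reaches a user. The following is an added example written for this page, not code from any of the vendors mentioned: it opens a ZIP attachment in memory, looks for members with extensions that Windows hands to its script host on double-click, descends into nested ZIPs, and treats a password-protected archive as uninspectable and therefore blocked. The sample archives are constructed inline and are not real IcedID artefacts; the extension list and the "block"/"allow" verdicts are assumptions of this example.

```python
"""Mail-gateway check for the delivery chain described above: a ZIP
attachment carrying a script file (.js) that Windows runs through its
script host on double-click.  Nested ZIPs are descended into and
password-protected archives are flagged because they cannot be inspected."""
import io
import zipfile

# Extensions Windows hands to wscript/cscript, mshta or cmd on double-click
# (assumed list for this example; extend to taste).
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat")
MAX_NESTING = 3  # stop descending so a zip-in-zip-in-zip chain cannot exhaust us


def script_members(zip_bytes, depth=0):
    """Return (members, encrypted): names of script files inside the archive
    (nested names joined with '/'), and whether any member was encrypted."""
    members, encrypted = [], False
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return members, encrypted
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                encrypted = True
                continue
            # endswith() also catches "invoice.pdf.js" style double extensions.
            if lower.endswith(SCRIPT_EXTENSIONS):
                members.append(info.filename)
            elif lower.endswith(".zip") and depth < MAX_NESTING:
                inner, inner_enc = script_members(archive.read(info.filename), depth + 1)
                members.extend(f"{info.filename}/{m}" for m in inner)
                encrypted = encrypted or inner_enc
    return members, encrypted


def inspect_attachment(filename, data):
    """Classify one attachment: 'block' for a ZIP that contains a script or is
    password-protected, 'allow' otherwise.  Non-ZIP attachments pass through."""
    if not filename.lower().endswith(".zip"):
        return {"verdict": "allow", "reason": "not an archive", "scripts": []}
    scripts, encrypted = script_members(data)
    if scripts:
        return {"verdict": "block", "reason": "script inside archive", "scripts": scripts}
    if encrypted:
        return {"verdict": "block", "reason": "password-protected archive", "scripts": []}
    return {"verdict": "allow", "reason": "no script members", "scripts": []}


def build_zip(members):
    """Build an in-memory ZIP (used only to construct the sample inputs below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real IcedID artefacts): a lure ZIP with an obfuscated
# JavaScript dropper, a benign ZIP with a PDF, and the lure wrapped in a second ZIP.
LURE_ZIP = build_zip({"document_0412.js": b"var _0x4a=['WScript','Shell'];eval(/*...*/'');"})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4\n%...\n"})
NESTED_ZIP = build_zip({"inner.zip": LURE_ZIP})


if __name__ == "__main__":
    for name, data in [("lure.zip", LURE_ZIP), ("report.zip", BENIGN_ZIP),
                       ("archive.zip", NESTED_ZIP), ("notes.txt", b"hello")]:
        print(name, inspect_attachment(name, data))
```

The check is deliberately content-agnostic: it does not try to de-obfuscate the JavaScript, because the obfuscation changes between campaigns while the structural tell (a script file inside an archive sent by e-mail) does not. In production this would sit beside, not replace, sandbox detonation and the usual sender-reputation controls.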


News URL

http://feedproxy.google.com/~r/Securityweek/~3/4YRlpu2EIjo/icedid-trojan-operators-experimenting-new-delivery-methods