IcedID Malware Adapts and Expands Threat with Updated BackConnect Module
2023-07-28 13:10

The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal.

"For the past several months, BackConnect traffic caused by IcedID was easy to detect because it occurred over TCP port 8080," Palo Alto Networks Unit 42 said in late May 2023.

"However, as early as April 11, 2023, BackConnect activity for IcedID changed to TCP port 443, making it harder to find."

It's also suspected that the same IcedID operator or affiliate is accessing multiple victims within the same time frame, based on the volume of traffic observed between the victims and the servers.

"In examining management infrastructure associated with IcedID BC, we are also able to discern a pattern of multiple distinct accesses from users we assess to be both associated with the day-to-day operations of IcedID, and their affiliates who interact with victim hosts post-compromise," Team Cymru said.

"The evidence in our NetFlow data suggests that certain IcedID victims are used as proxies in spamming operations, enabled by BC's SOCKS capabilities. This is a potential double blow for victims: not only are they compromised and incurring data / financial loss, but they are also further exploited for the purposes of spreading further IcedID campaigns."

News URL

https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html