A new variant of the IcedID online banking Trojan is spreading rapidly, with detections peaking at 100 per day, according to Kaspersky researchers. As of March 2021, its spread is most significant in regions such as Germany (8.58%), Italy (10.73%), India (11.59%) and the United States (10.73%). Compared to the older Trojan, the new variant uses a modified English-language downloader that carries the malware inside a compressed ZIP archive.
The IcedID infection process is divided into two parts: the downloader and the main body (the payload). The downloader sends information about the user to the server for use by the main body. The main body, after mapping itself into memory, embeds the malware deeper into the victim's system.
In addition, the Trojan can launch other malicious actions, such as web injections that allow threat actors to bypass two-factor authentication (2FA), or run malicious dynamic-link libraries (DLLs). Both methods allow further malicious modules to be downloaded and executed on the infected system.
Figure: Geographical distribution of IcedID attacks
These modules include email collectors, web injection modules, password grabbers and hVNC remote control modules, which are used for web injection, traffic interception, system takeover and password theft.
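The delivery chain described above starts with a ZIP attachment that carries an executable or DLL. The following is an added example of the kind of attachment triage a mail gateway or SOC script can run on such archives; it is not code from the article or from Kaspersky. It walks a ZIP (including nested ZIPs), flags members by executable extension, by double extensions such as "invoice.pdf.exe", and by PE magic bytes regardless of name, and refuses to open encrypted members. The sample archive it builds is constructed for the demonstration; the extension list and the verdict thresholds are assumptions a deployment would tune.

```python
import io
import os
import zipfile

# Extensions that commonly carry code when delivered inside a mail ZIP.
# Constructed list; a real deployment would tune this.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".hta",
                         ".lnk", ".ps1", ".bat", ".cmd"}
PE_MAGIC = b"MZ"            # DOS/PE header start: detect by content, not only by name
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # skip very large members (assumed cap)


def triage_zip(data: bytes, max_depth: int = 3) -> list:
    """Return (reason, path) findings for a ZIP attachment given as bytes."""
    findings = []
    _walk(data, "", 0, max_depth, findings)
    return findings


def _walk(data, prefix, depth, max_depth, findings):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(("not-a-zip", prefix or "<root>"))
        return
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        base = os.path.basename(info.filename)
        stem, ext = os.path.splitext(base)
        ext = ext.lower()
        # Bit 0 of the general-purpose flag marks an encrypted member;
        # we cannot inspect it without a password, so surface it for review.
        if info.flag_bits & 0x1:
            findings.append(("encrypted-member", path))
            continue
        if info.file_size > MAX_MEMBER_SIZE:
            findings.append(("oversized-member", path))
            continue
        with zf.open(info) as member:
            head = member.read(2)
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(("executable-extension", path))
            if "." in stem:  # e.g. invoice.pdf.exe
                findings.append(("double-extension", path))
        if head == PE_MAGIC:
            findings.append(("pe-by-magic", path))
        # Recurse into nested archives up to max_depth.
        if ext == ".zip" and depth < max_depth:
            _walk(zf.read(info), path + "/", depth + 1, max_depth, findings)


def verdict(findings: list) -> str:
    """Map findings to a gateway decision (thresholds are assumptions)."""
    reasons = {reason for reason, _ in findings}
    if reasons & {"executable-extension", "pe-by-magic", "double-extension"}:
        return "block"
    if reasons & {"encrypted-member", "not-a-zip", "oversized-member"}:
        return "review"
    return "allow"


def build_sample() -> bytes:
    """Constructed sample: an outer ZIP with a disguised EXE, a benign PDF
    and a nested ZIP holding a DLL. Not a real malware sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("loader.dll", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ\x90\x00")
        z.writestr("document.pdf", b"%PDF-1.4 constructed")
        z.writestr("attachments/archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample())
    for reason, path in results:
        print(f"{reason:22} {path}")
    print("verdict:", verdict(results))
```

The PE-magic check matters because renaming a DLL to a harmless-looking extension defeats name-based filters; checking both keeps the two signals independent. Anything flagged "review" (encrypted or oversized) is a candidate for detonation in a sandbox rather than an automatic allow.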
As for the differences between QBot and IcedID: the new variant gained the ability to take advantage of the x86-64 CPU architecture, the fake configuration was removed on the server side, and the core was slightly changed, as the author decided not to swap the shellcode but to include some loader data in regular PE files.
Figure: Geographical distribution of QBot attacks