QBot Malware Replaces IcedID in Malspam Campaigns

QBot Malware Replaces IcedID in Malspam Campaigns

QBot malware is making a comeback replacing IcedID in Malspam campaigns. Security researchers have noticed that malware distributors are once again rotating the payload, switching between Trojans which is an intermediary stage in a long transition chain. In one case, Tango appears to be with QBot and IcedID, two banking Trojans that are often seen delivering various ransomware strains as the final payload in an attack.

In February, IcedID was a new malware coming from URLs that served QBot. Brad Duncan of Palo Alto Networks spotted the changes and noted in his analysis at the time: “HTTPS URL ends with /ds/2202.gif, generated by Excel macro, which would normally distribute cacobet, but today it delivered IcedID”. 

James Quinn, a threat researcher at Binary Defense also makes the same observation in a blog post in March, as the company unearthed a new IcedID/BokBot variant while tracking a malicious spam campaign from a QakBot distributor.

IcedID was first discovered as a banking trojan in 2017 and soon adjusted its functionality for malware delivery. It has been seen in the past distributing Ransom eXX, Labyrinth, and Aggregor Ransomware. After a gap of about a month and a half, the malware distributor switched the payload back to QBot (aka QakBot), which has been seen in the past delivering ProLock, Egregor, and DoppelPaymer ransomware. 

Malware Researcher and Reverse Engineer reecDeep was the one that noticed the specific switch on Monday, concluding the fact that campaign update relies on XLM macros. Analysis from both binary defense and Brad Duncan on the switch of a malware distributor to deliver IcedID in February 2021 has seen the sa ..