
Cybercrime, the IcedID campaign against Italy is evolving

Technical analysis by the Malware Hunter JAMESW

The IcedID campaign against Italy is evolving. The email zip attachment is now password protected and conveys a doc (previously it was an xlsm). In addition, each file contacts a different URL to download the dll that starts the malware infection.

The cybercrime campaign that delivers IcedID in Italy is evolving. The bait is still a real stolen email conversation, as in previous attacks, with a zip file attached. The archive, however, is password protected (the password is provided in the message text) and the message wording changes (at the moment three different versions have been detected).

Furthermore, the compressed archive contains a doc instead of an xlsm.

If opened, the doc contacts a single link (different for each file) to download the dll that starts the malware infection.

Moreover, each dll has a different C2. The evolution of the campaign is, in all probability, a sign that cybercrime wants to continue spreading IcedID in our country. The malware (aka BokBot) is a modular banking Trojan used to steal information and credentials for bank accounts, e-commerce sites, providers and financial data.
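As an added illustration of how a mail gateway can still triage this kind of lure (this is example code written for this page, not code from the original article or from the analyst JAMESW): password protection prevents content scanning of the archive, but a zip's central directory is never encrypted, so the entry names and the encryption flag remain readable without the password. The script below builds two constructed sample archives in memory (a minimal STORED zip with the encryption flag set, and a plain one) and flags the combination the article describes: an encrypted archive wrapping a macro-capable Office document. The file names, the extension list and the verdict rule are assumptions made for this example.

```python
import io
import os
import struct
import zipfile
import zlib

# Office formats that can carry VBA macros (assumed list for this example).
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".xlam", ".ppt", ".pptm"}
ENCRYPTED_FLAG = 0x0001                     # general-purpose flag bit 0 = entry is encrypted
DOS_DATE = ((2023 - 1980) << 9) | (1 << 5) | 1  # 2023-01-01, a valid MS-DOS date field


def build_zip(entries, encrypted=False):
    """Build a minimal STORED zip archive in memory (constructed test data).

    With encrypted=True the encryption flag bit is set in every local and central
    header, exactly as a password-protected archive would carry it. The payload
    bytes are not actually enciphered; the triage below only reads the headers.
    """
    flags = ENCRYPTED_FLAG if encrypted else 0
    local_parts, central_parts, offset = [], [], 0
    for name, data in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # Local file header (30 bytes) + name + data.
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, DOS_DATE,
                            crc, len(data), len(data), len(name_b), 0) + name_b + data
        # Central directory header (46 bytes) + name, pointing at the local header.
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, DOS_DATE,
                              crc, len(data), len(data), len(name_b), 0, 0, 0, 0, 0, offset) + name_b
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    central = b"".join(central_parts)
    # End of central directory record (22 bytes, no comment).
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), offset, 0)
    return b"".join(local_parts) + central + eocd


def triage_zip(zip_bytes):
    """Inspect only the archive metadata and report why the attachment looks like the lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        encrypted = [zi.filename for zi in infos if zi.flag_bits & ENCRYPTED_FLAG]
        macro_docs = [zi.filename for zi in infos
                      if os.path.splitext(zi.filename)[1].lower() in MACRO_CAPABLE]
    if encrypted:
        findings.append("password-protected entries: " + ", ".join(encrypted))
    if macro_docs:
        findings.append("macro-capable Office documents: " + ", ".join(macro_docs))
    # The lure pattern is an encrypted archive whose content is an Office document;
    # both facts come from the headers, so no password is needed to decide.
    suspicious = bool(encrypted) and bool(macro_docs)
    return {"suspicious": suspicious, "findings": findings}


# Constructed samples: a lure-shaped archive and a benign one (names are invented).
SAMPLE_LURE = build_zip([("documento.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)], encrypted=True)
SAMPLE_BENIGN = build_zip([("report.pdf", b"%PDF-1.4\n")], encrypted=False)

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_zip(sample))
```

The same header-only check works on real password-protected attachments because zipfile.infolist() never touches the entry payload; only an attempt to read an encrypted member would fail without the password. A gateway rule built on this signal should pair it with the other traits the article lists (the reply to a stolen conversation and the password given in plain text) to keep false positives low on legitimately encrypted archives.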

Malware C2s
