Security Brief: TA571 Delivers IcedID Forked Loader

Cyber Security Threat Summary:
In a recent blog post, cybersecurity firm Proofpoint disclosed that it observed two campaigns on October 11 and 18, 2023, in which TA571, a sophisticated cybercriminal threat actor, delivered the Forked variant of IceID. The forked variant was observed being delivered via emails containing 404 TDS URLs that would lead to the download of a password-protected archive, with the password listed in the email. “The zip file contained a VBS script and a benign text file. The VBS script, if double-clicked by the user, ran an embedded IcedID Forked loader with regsvr32. The loader in turn downloaded the IcedID bot,” noted researchers at Proofpoint. In these two campaigns, more than 6,000 emails were sent, impacting over 1,200 customers from various sectors globally.

Security Officer Comments:
The use of a traffic distribution system (TDS) is not new. Since September 2022, Proofpoint has observed TA571 and a handle full of other threat actors using 404 TDS to deliver malware strains including AsyncRAT, NetSupport, and DarkGate. Using this system makes it easier for actors to redirect users to malware downloads or even phishing sites, designed to harvest credentials. In particular, Proofpoint notes that TA571 employs a unique filtering system using intermediary “gates” for traffic to pass through. These gates are designed to filter traffic based on IP and geo-fencing, enabling the actors to narrow down their targeting.

Suggested Correction(s):
TA571 is known for sending a high volume of spam email campaigns. Training employees on how to detect and avoid clicking on malicious links or attachments in emails from unknown senders can be crucial in preventing potential infections.