The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal.
IcedID, also called BokBot, is a strain of malware similar to Emotet and QakBot that started off as a banking trojan in 2017, before switching to the role of an initial access facilitator for other payloads. Recent versions of the malware have been observed removing functionality related to online banking fraud to prioritize ransomware delivery.
The BackConnect (BC) module, first documented by Netresec in October 2022, relies on a proprietary command-and-control (C2) protocol to exchange commands between a server and the infected host. The protocol, which comes with a VNC component for remote access, has also been identified in other malware such as the now-discontinued BazarLoader and QakBot.
In December 2022, Team Cymru reported the discovery of 11 BC C2s active since July 1, 2022, noting that operators likely located in Moldova and Ukraine are overseeing distinct elements of the BC protocol.
"For the past several months, BackConnect traffic caused by IcedID was easy to detect because it occurred over TCP port 8080," Palo Alto Networks Unit 42 said in late May 2023. "However, as early as April 11, 2023, BackConnect activity for IcedID changed to TCP port 443, making it harder to find."
The latest analysis of the attack infrastructure from Team Cymru has revealed that the number of BC C2s have shot up from 11 to 34 since January 23, 2023, with the average uptime of a server significantly reducing from 28 days to eight days.
"Since April 11, 2023, a total of 20 high confidence BC C2 servers were identified, based on pivots from management infrastructure," the cybersecurity firm said in a report shared with The Hacker News.
"The first observation is that the number of concurrent C2 servers in operation has increased [...], with as many as four C2 servers receiving management communications on a particular day."
A further examination of the traffic originating from BC C2 servers has uncovered as many as eight candidate victims between late April 2023 and June 2023 that "communicated with three or more BC C2s over a relatively long period of time."
It's also suspected that the same IcedID operator or affiliate is accessing multiple victims within the same time frame, based on the volume of traffic observed between the victims and the servers.
"It would appear BC is deployed alongside the usual IcedID loader and bot infections," Josh Hopkins, head of S2 Threat Analyst Unit at Team Cymru, told The Hacker News, adding "we see no clear distinction in infrastructure in how it's accessed by victims and threat actors."
The cybersecurity firm also told the publication that two of the IcedID forks that emerged in the wild in February 2023 sans the banking fraud and BackConnect modules have not been detected in the wild recently, suggesting that they could have been short-lived experiments.
"In examining management infrastructure associated with IcedID BC, we are also able to discern a pattern of multiple distinct accesses from users we assess to be both associated with the day to day operations of IcedID, and their affiliates who interact with victim hosts post-compromise," Team Cymru said.
"The evidence in our NetFlow data suggests that certain IcedID victims are used as proxies in spamming operations, enabled by BC's SOCKS capabilities. This is a potential double blow for victims, not only are they compromised and incurring data / financial loss, but they are also further exploited for the purposes of spreading further IcedID campaigns."