Threat Insight: IcedID Changes Tactics
IcedID (a.k.a. BokBot) is a malware dropper that relies heavily on email-based distribution tradecraft. Since Microsoft began blocking macros by default in Office documents downloaded from the internet, its operators have adapted their delivery method. In research published by Cybereason, the operators have been observed sending emails carrying a password-protected ZIP archive as the attachment; the archive contains an ISO image, and the ISO image contains an LNK shortcut that launches a DLL. When executed, that DLL connects to pre-staged domains and downloads the IcedID dropper. The malware has also been observed installing Atera agents (a legitimate remote monitoring and management tool) for persistence. Because a password-protected archive cannot be content-scanned at the mail gateway, we recommend that MSPs block or quarantine password-protected ZIP attachments in their email platforms.
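The following is an added example of the kind of attachment check the recommendation above implies; it is not Kaseya's or Cybereason's code. Using only the Python standard library, it parses a ZIP attachment's central directory and quarantines the message if any entry carries the ZIP encryption flag (general-purpose bit 0, i.e. the archive is password protected) or if an entry is a disk image or shortcut such as the ISO and LNK files in this lure. The sample attachments are constructed in memory; because `zipfile` cannot write encrypted archives, the encryption flag is patched into the headers by hand to simulate a password-protected ZIP. The extension list and the `allow`/`quarantine` verdict names are the example's own assumptions.

```python
"""Mail-gateway style check for password-protected ZIP attachments.

Added example (not part of the original advisory). Standard library only.
"""
import io
import struct
import zipfile

# Assumed list of container/shortcut types worth stopping at the gateway.
RISKY_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx", ".lnk")


def assess_zip_attachment(data: bytes) -> dict:
    """Return {"action": "allow"|"quarantine", "reasons": [...]} for a ZIP blob.

    Entry names are stored in the clear even in password-protected archives
    (ZipCrypto and AES encrypt only the entry contents), so the extension
    check still works on an archive the gateway cannot decrypt.
    """
    verdict = {"action": "allow", "reasons": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict["action"] = "quarantine"
        verdict["reasons"].append("attachment is not a parseable ZIP archive")
        return verdict
    with zf:
        entries = zf.infolist()
        # General-purpose bit 0 marks an entry as encrypted (password protected).
        encrypted = [i.filename for i in entries if i.flag_bits & 0x1]
        if encrypted:
            verdict["action"] = "quarantine"
            verdict["reasons"].append(
                "password-protected entries: " + ", ".join(encrypted))
        risky = [i.filename for i in entries
                 if i.filename.lower().endswith(RISKY_EXTENSIONS)]
        if risky:
            verdict["action"] = "quarantine"
            verdict["reasons"].append(
                "disk image / shortcut entries: " + ", ".join(risky))
    return verdict


def build_sample(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Construct a one-entry ZIP in memory for testing (constructed data).

    If encrypted is True, set general-purpose bit 0 in both the local file
    header (flags at offset 6) and the central directory entry (flags at
    offset 8 after the PK\\x01\\x02 signature), as a real encrypted archive
    would. zipfile only reads the central directory; both are patched for
    realism. The payload bytes are left as-is, which is enough to exercise
    the header check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        local_flags = struct.unpack_from("<H", data, 6)[0]
        struct.pack_into("<H", data, 6, local_flags | 0x1)
        cd = data.find(b"PK\x01\x02")
        cd_flags = struct.unpack_from("<H", data, cd + 8)[0]
        struct.pack_into("<H", data, cd + 8, cd_flags | 0x1)
    return bytes(data)


if __name__ == "__main__":
    # Lure shape from the advisory: password-protected ZIP wrapping an ISO.
    lure = build_sample("invoice_2023.iso", b"\x00" * 64, encrypted=True)
    print(assess_zip_attachment(lure))
    # Ordinary attachment: plain ZIP with a text file.
    benign = build_sample("notes.txt", b"quarterly notes", encrypted=False)
    print(assess_zip_attachment(benign))
```

Because entry names are visible even when the contents are encrypted, the lure above trips both rules; a password-protected archive with an innocuous-looking entry name still trips the encryption rule, which is the one the recommendation relies on. Inspecting the ISO's own contents for the LNK and DLL would need an ISO 9660 parser and is out of scope for a gateway that cannot decrypt the archive in the first place.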
-Kaseya Threat Management Team