Threat Insight: IcedID Changes Tactics

January 10th, 2023

IcedID (a.k.a. BokBot) is a malware dropper that relies heavily on email-based distribution tradecraft. Since Microsoft blocked macros in office documents from the internet, the group has adapted their methods. In research published by Cybereason, the group has been observed sending emails with a password protected zip archive that contains an ISO file as an attachment. The ISO image contains a LNK file to a DLL. That DLL, when executed, connects to pre-staged domains and downloads IcedID dropper. The malware has been observed dropping Atera agents for persistence. We recommend that MSPs block or quarantine password-protected zip files in email platforms.

-Kaseya Threat Management Team

Security Advisories Archives

All
2023
2022

RSS Feed

To View the RSS Feed of our advisory postings, please input this link into your feed reader.

audIT

Powered Services Pro

BMS

ConnectBooster

Datto Autotask PSA

BMS

Datto Autotask PSA

Vorex

BullPhish ID

Dark Web ID

Datto Autotask PSA

Datto Backup Appliances

Datto Backup for Microsoft Azure

Datto RMM

Datto Secure Edge

IT Glue

Managed SOC

VSA

vPenTest

Datto Backup Appliances

Unitrends Backup Appliances

Datto Backup for Microsoft Azure

Unitrends Backup for Microsoft Azure

Datto Edge Routers

Datto Secure Edge

Datto Switches

Datto WiFi

Datto Endpoint Backup with Disaster Recovery

Datto File Protection

Unitrends Endpoint Backup with Disaster Recovery

Datto RMM

VSA

Traverse

Graphus

IT Glue

MyGlue

Network Glue

Network Detective Pro

vPenTest

Datto Networking and VSA 10: Your Shortcut to Smarter Networks

What Is Allowlisting?

Automating Foundational Cybersecurity with VSA

Security Advisory

Threat Insight: IcedID Changes Tactics