Check Point researchers have published their regular Global Threat Impact Index for March 2021. This month the IcedID malware (aka Bokbot) entered the ranking of the most active threats for the first time and immediately took second place.
First place in March went to the Dridex Trojan, which had been only seventh in February.
Over the past month IcedID, first seen in 2017, was actively distributed through several spam campaigns and affected about 11% of organizations worldwide. One of the largest campaigns used the COVID-19 theme as its lure. Most of the malicious attachments in this campaign were Microsoft Word documents containing malicious macros.
Once installed, the Trojan attempts to steal account credentials, payment details, and other sensitive information from victims' devices. IcedID can also be delivered by other malware and is used in the initial stage of ransomware operations.
“IcedID has been around for several years. Recently, it has become actively exploited, showing that cybercriminals continue to adapt their methods for increasingly successful attacks. And they still use the COVID-19 theme. IcedID is a very dangerous Trojan. It uses several methods to successfully steal data”, Check Point representatives commented.
According to Check Point, the most active malware families in the world were the following:
- Dridex is a banking Trojan that infects the Windows operating system. Dridex spreads via spam mailings and exploit kits and uses web injections to intercept users' personal data and bank card details. In March it attacked 16% of organizations worldwide.
- IcedID is a banking Trojan distributed through malicious spam campaigns. To steal financial data it injects itself into browser processes and displays fake content in place of the original pages. It obfuscates and encrypts its own code to hinder detection and analysis. It attacked 11% of companies.
- Lokibot is an info-stealer that spreads mainly through phishing emails. It is used to steal a variety of data, including email credentials and passwords for cryptocurrency wallets and FTP servers. It attacked 9% of companies.
Information security analysts attribute IcedID's success to the takedown of the Emotet botnet in January 2021. After Emotet's demise, criminals switched to Dridex, Trickbot and Qakbot, and now IcedID is gaining popularity as well. For example, according to researchers from Binary Defense, “several hacking groups use IcedID as a dropper at once.” Microsoft experts also warned about IcedID activity this week.
Let me remind you that I have already written that 94% of the TrickBot malware infrastructure has been shut down, but it is still active.