IcedID Malware Adapts and Expands Threat with Updated BackConnect Module
Jul 28, 2023
Malware / Cyber Threat
The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. IcedID, also called BokBot , is a strain of malware similar to Emotet and QakBot that started off as a banking trojan in 2017, before switching to the role of an initial access facilitator for other payloads. Recent versions of the malware have been observed removing functionality related to online banking fraud to prioritize ransomware delivery. The BackConnect (BC) module, first documented by Netresec in October 2022, relies on a proprietary command-and-control (C2) protocol to exchange commands between a server and the infected host. The protocol, which comes with a VNC component for remote access, has also been identified in other malware such as the now-discontinued BazarLoader and QakBot. In December 2022, Team Cymru reported the discovery of 11 BC C2s a