Stealthy New Variants of IcedID Malware Spotted by Researchers
New versions of the IcedID malware have been discovered in the wild; however, security experts have not yet figured out their exact purpose.
Originally, IcedID was a Trojan that threat actors used to steal banking credentials from unsuspecting victims. Since February, two variants of the banking Trojan have been spotted – one called “Lite” and one called “Forked”.
Neither of the newly discovered versions of IcedID has the bank fraud features that their predecessor possessed. Instead, the new versions appear to be positioned for a much more elaborate campaign.
Cybersecurity researchers from Proofpoint confirm that since late 2022, “Lite” and “Forked” have been used across seven different campaigns that were run by at least three different hacking groups. The groups using the new versions of IcedID are said to have been using the original as a stepping stone toward ransomware infections.
It is not clear why the attackers decided to strip down the new versions of the malware and remove the features that made it unique, but researchers theorize that doing so allows the bad actors to stay hidden for longer periods of time.
IcedID is delivered in two ways: either through phishing emails carrying a Microsoft OneNote attachment, or, in other cases, through Emotet.
Researchers also noted that the existence of two new variants does not mean the original IcedID has fallen out of use. They add that even though the variants may grow in popularity throughout this year, the original is still the one being used most often.
Story via TechRadar