TA571 Hacker Group Delivers IcedID Malware Via Password-protected Zip Archive

Hackers often use password-protected Zip Archive files for malware distribution to evade detection by security software. 

Because the archive is encrypted, antivirus software cannot easily examine its contents, which lets the malware reach the target system without being detected.

On October 11 and 18, 2023, cybersecurity researchers at Proofpoint discovered two malicious campaigns in which TA571 spread the Forked IcedID variant.

The two campaigns sent out more than 6,000 messages and impacted more than 1,200 customers globally across a variety of sectors.

The security experts at Proofpoint are quite confident that TA571 infections pose a ransomware danger, since this threat group is a well-known spam distributor that sends emails carrying malware.

Technical analysis

The campaigns used thread hijacking in emails with 404 TDS URLs. These links led to password-protected zip archives, with the password provided in the email. 

In addition, the recipient was verified through multiple checks before the archive was delivered.
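The lure pattern described above (a hijacked reply thread, a link, and the archive password written in the message body) can be turned into a mail-triage heuristic. The following is an added example, not code from the article or from Proofpoint; the sample messages are constructed and the `example.invalid` URL is a placeholder.

```python
import re

# Constructed sample messages (not taken from the Proofpoint report) that mimic
# the lure: a reply-thread subject, a link, and an archive password in the body.
SAMPLES = {
    "lure": {
        "subject": "RE: invoice from last week",
        "body": ("Hi, please see the updated documents here:\n"
                 "https://example.invalid/view?id=4821\n"
                 "Password for the zip: 1234. Thanks"),
    },
    "benign": {
        "subject": "Lunch on Friday?",
        "body": "Anyone up for lunch on Friday? Reply with preferences.",
    },
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ARCHIVE_RE = re.compile(r"\b(zip|archive|7z|rar)\b", re.I)
# "password is 1234", "password: 1234", "pw=1234" and similar phrasings
PASSWORD_RE = re.compile(r"\b(password|pass|pwd|pw)\b\s*(is|:|=)?\s*\S+", re.I)
REPLY_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)


def triage(subject: str, body: str) -> dict:
    """Return the individual indicators found in one message plus a verdict."""
    hits = {
        "reply_thread": bool(REPLY_RE.match(subject)),
        "has_url": bool(URL_RE.search(body)),
        "mentions_archive": bool(ARCHIVE_RE.search(body)),
        "password_in_body": bool(PASSWORD_RE.search(body)),
    }
    # The combination is what matters: a link plus an archive password in the
    # same body is the pattern worth routing to a human reviewer. The reply
    # prefix alone is common in legitimate mail, so it only adds context.
    hits["suspicious"] = (hits["has_url"] and hits["mentions_archive"]
                          and hits["password_in_body"])
    return hits


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, triage(**msg))
```

Legitimate senders also share archive passwords by email, so treat the verdict as a triage signal for review rather than a block decision.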

TA571 lure used in an IcedID campaign on 11 October 2023 (Source – Proofpoint)

The zip contained a VBS script that ran the IcedID Forked loader; when double-clicked, it led to the download of the IcedID bot. Apart from this, the Forked IcedID variant has been seen in only a few campaigns.

In February 2023, cybersecurity analysts at Proofpoint discovered this variant. It removed banking functions, shifting focus from banking fraud to payload delivery, possibly favoring ransomware delivery.

TA571 often employs 404 TDS for malware delivery, and researchers have been tracking 404 TDS since September 2022.

In these campaigns, the threat actors were observed delivering the following malware:

A TDS (traffic distribution system) routes web traffic through operator-controlled servers and is abused for malware and phishing delivery. Proofpoint assesses that 404 TDS is possibly shared or sold to various actors, as it has been linked to a diverse set of campaigns.


TA571’s delivery of the Forked IcedID variant is unusual, which is why Proofpoint sees TA571 as a sophisticated actor that uses intermediary “gates” for precise targeting and sandbox evasion.

Indicators of compromise

IOCs (Source – Proofpoint)


Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.