Cybercriminals are constantly coming up with new ways to infiltrate databases in order to maximise the return on the investment they make in these attacks.

Even so, campaigns involving the use of spam and phishing emails remain the most witnessed attack vectors for spreading delivering malware. However, a new method has been identified recently in a campaign conducted by the threat group managing the IcedID banking Trojan cum malware downloader. This new method involves hijacking contact forms on company web pages. Contact forms are a feature of the vast majority of websites and are used to gather information on website visitors for follow up contacts. More often than not these forms  have CAPTCHA security measures to safeguard the form from malicious campaigns.

Despite this those responsible for the IcedID banking Trojan have discovered a workaround to avoid the CATCHA security measures and, due to this, have been able to implement contact forms to deliver malicious emails. The emails the the contact forms transmit are normally sent to to inboxes that have whitelisted their email address. This means that that avoid email security gateways.

In the IceID campaign, the contact forms are being implemented to share messages claiming the recipient is going to be subjected to a legal action in relation to a copyright violation. The messages submitted claim the company has incorporated images on its web page, added without the image owner’s explicit authorization. The recipient is informed that a legal action will commence message if the images are not immediately removed from the website at once. It also provides a hyperlink to a Google Site that lists details of the copyrighted images and proof they are the intellectual property of the sender of the message.

If the hyperlink is visited to review the supplied evidence then the browser will install a zip file containing an obfuscated .js downloader that will send the IcedID payload. Once IcedID is placed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.

IcedID distribution has been on the rise recently, not only via this attack vector but also in phishing campaigns. A large-scale phishing drive has been discovered that employs a range of business-themed lures in phishing campaigns with Excel attachments that have Excel 4 macros that transmit the banking Trojan.

The surge in IcedID malware distribution is thought to be just one element of a campaign to infect large numbers of devices to evolve a botnet that can be rented out to other cybercriminal collectives under the malware-as-a-service model. Now that the Emotet botnet has been deactivated there is a gap in the market for something like this and IcedID seems to be trying to take advantage of this.

If you would like to discover how you can safeguard your company from IceID and other malware attacks, at a reasonable price, contact the TitanHQ as soon as you can to see how TitanHQ email and web security measures are give 5-star recommendations from users for security, cost, simplicity, and customer service and support.