Updated BackConnect Module in IcedID Malware Expands Threat

  • Writer: Sadananda Sahoo
  • Jul 28, 2023
  • 2 min read

The BackConnect (BC) module, which is utilized for post-compromise behavior on compromised computers, has been updated by threat actors connected to the malware loader known as IcedID, according to recent research from Team Cymru.

IcedID, also known as BokBot, is a malware strain in the same mold as Emotet and QakBot. It first appeared in 2017 as a banking trojan and has since shifted to serving as an initial access facilitator for additional payloads. Recent variants have been observed dropping their online banking fraud capabilities altogether in favor of ransomware delivery.

The BackConnect (BC) module, first documented by Netresec in October 2022, uses a proprietary command-and-control (C2) protocol to relay commands from a server to an infected host. The same protocol, which includes a VNC component for remote access, has also been observed in other malware, such as QakBot and the now-discontinued BazarLoader.

In December 2022, Team Cymru reported 11 BC C2s that had been active since July 1, 2022, and noted that operators likely based in Ukraine and Moldova were responsible for different parts of the BC protocol.

In late May 2023, Palo Alto Networks Unit 42 stated that "BackConnect traffic caused by IcedID was simple to detect for the past few months because it occurred over TCP port 8080." But since April 11, 2023, IcedID's BackConnect activity has used TCP port 443 instead, making it harder to spot.

According to Team Cymru's latest examination of the attack infrastructure, the number of BC C2s has risen sharply since January 23, 2023, from 11 to 34. Over the same period, the average uptime of a server has dropped from 28 days to eight days.

"A total of 20 high confidence BC C2 servers were identified, based on pivots from management infrastructure," since April 11, 2023, the cybersecurity company stated in a report shared with The Hacker News.

The first finding is that more C2 servers are now running concurrently, with up to four C2 servers receiving management communications on any given day.

Further analysis of the data coming from BC C2 servers identified up to eight possible victims between late April 2023 and June 2023 that "communicated with three or more BC C2s over a relatively long period of time."
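The victim-identification heuristic described above, and the port shift noted earlier, can be reproduced as a small NetFlow correlation check. This is an added example, not Team Cymru's or the article's own tooling; the flow records, the host addresses and the suspected-C2 watchlist are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed NetFlow-style records: (day, internal host, destination IP,
# destination port). Addresses are documentation ranges, not real indicators.
FLOWS = [
    (date(2023, 4, 5), "10.0.0.5", "203.0.113.10", 8080),   # pre-April 11: BC on 8080
    (date(2023, 4, 20), "10.0.0.5", "203.0.113.20", 443),   # after the move to 443
    (date(2023, 5, 1), "10.0.0.5", "203.0.113.30", 443),
    (date(2023, 5, 15), "10.0.0.5", "203.0.113.30", 443),
    (date(2023, 5, 2), "10.0.0.8", "203.0.113.10", 443),    # one C2 only
    (date(2023, 5, 3), "10.0.0.9", "203.0.113.10", 443),    # three C2s, but all on one day
    (date(2023, 5, 3), "10.0.0.9", "203.0.113.20", 443),
    (date(2023, 5, 3), "10.0.0.9", "203.0.113.30", 443),
    (date(2023, 5, 4), "10.0.0.9", "192.0.2.50", 443),      # not on the watchlist
]

# Hypothetical watchlist of suspected BC C2 addresses (constructed).
SUSPECTED_BC_C2 = {"203.0.113.10", "203.0.113.20", "203.0.113.30", "198.51.100.7"}


def flag_multi_c2_hosts(flows, c2_set, min_c2=3, min_days=7):
    """Return {host: (distinct C2 count, span in days)} for internal hosts that
    contacted at least `min_c2` distinct suspected BC C2s over a span of at
    least `min_days` days, the pattern used to single out likely victims."""
    per_host = defaultdict(lambda: {"c2s": set(), "days": set()})
    for day, src, dst, _port in flows:
        if dst in c2_set:
            per_host[src]["c2s"].add(dst)
            per_host[src]["days"].add(day)
    hits = {}
    for host, info in per_host.items():
        span = (max(info["days"]) - min(info["days"])).days + 1
        if len(info["c2s"]) >= min_c2 and span >= min_days:
            hits[host] = (len(info["c2s"]), span)
    return hits


def port_profile(flows, c2_set):
    """Count watchlisted-C2 flows per destination port. Shows why a rule keyed
    only on TCP 8080 stops firing once BC traffic moves to 443."""
    counts = defaultdict(int)
    for _day, _src, dst, port in flows:
        if dst in c2_set:
            counts[port] += 1
    return dict(counts)
```

Lowering `min_days` to 1 also flags the host that touched three C2s in a single day, which is why the span threshold matters for separating sustained operator access from one-off scanning noise.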

Based on the volume of traffic observed between the victims and the servers, it is also likely that the same IcedID operator or affiliate is accessing multiple victims at the same time.

Team Cymru said it was able to identify a pattern of multiple distinct accesses from users it believes are involved in the day-to-day operations of IcedID, as well as from affiliates who interact with victim hosts after a compromise.

"Our NetFlow data provides evidence that some IcedID victims are employed as proxies in spamming campaigns, which is made possible by BC's SOCKS capabilities. The victims may suffer a double blow because they are potentially exploited for the purpose of spreading other IcedID campaigns in addition to being penetrated and losing data and money."
