QBot Malware Replaces IcedID in Malspam Campaigns

Researchers have found that the QBot malware is back, replacing IcedID

Researchers have discovered that malspam campaigns are replacing IcedID with the QBot malware.

Malware distributors are once again rotating payloads, switching between Trojans that serve as an intermediary stage in a longer infection chain.

In one case, Tango was associated with both QBot and IcedID, two banking Trojans commonly used in attacks where a ransomware strain is the final payload.

One of the first to notice the switch, made on Monday, was malware researcher and reverse engineer reecDeep, who concluded that the updated campaign relies on XLM (Excel 4.0) macros.
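As an added defensive illustration (not code from the article or from any of the researchers it names), the following Python checks an OOXML workbook for two traits of XLM-based lures: an `xl/macrosheets/` part and a sheet that `workbook.xml` marks hidden or veryHidden. The sample workbook is constructed inline; the legacy binary .xls format is out of scope.

```python
import io
import re
import zipfile

SHEET_RE = re.compile(r"<sheet\b([^>]*?)/?>")
ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')


def build_workbook(with_xlm: bool) -> bytes:
    """Constructed sample OOXML workbook (not a real attachment).

    With with_xlm=True it mimics an XLM lure: a normal worksheet plus an
    Excel 4.0 macro sheet hidden from the user via state="veryHidden".
    """
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    if with_xlm:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", f"<workbook><sheets>{sheets}</sheets></workbook>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


def scan_xlm(data: bytes) -> dict:
    """Flag Excel 4.0 macro indicators in an OOXML (.xlsm/.xlsx) workbook.

    Checks two traits: any part under xl/macrosheets/ (where XLM macro
    sheets are stored) and sheets that workbook.xml marks hidden/veryHidden.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        macro_parts = [n for n in names if n.startswith("xl/macrosheets/")]
        hidden = []
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            for m in SHEET_RE.finditer(wb):
                attrs = dict(ATTR_RE.findall(m.group(1)))
                if attrs.get("state") in ("hidden", "veryHidden"):
                    hidden.append(attrs.get("name", "?"))
    return {
        "macro_parts": macro_parts,
        "hidden_sheets": hidden,
        # Macro sheets alone occur in legitimate old spreadsheets; combined
        # with hidden sheets they fit the lure pattern well enough to hold
        # the file for analyst review.
        "suspicious": bool(macro_parts) and bool(hidden),
    }


if __name__ == "__main__":
    print(scan_xlm(build_workbook(True)))
```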

A spike in distribution of the malware beginning in February 2021 was observed both by Binary Defense and in Brad Duncan's analysis.

Recent research by security researchers at the threat intelligence firm Intel 471 illustrates the continued development of EtterSilent to bypass multiple security mechanisms (Windows Defender, AMSI, email services).

According to Intel 471, many cybercriminals behind malware such as IcedID, QakBot, Ursnif, and Trickbot have started using it to distribute malicious files that look like DocuSign- or DigiCert-protected documents.

