IcedID Phishing Campaign

Garden State Cyber Threat Highlight

Original Release Date: 3/31/2023

Summary

Since late last year, researchers have noted a shift in the IcedID variants' functionality from online banking fraud to compromising systems with malware. This malware can be used to gain initial access to networks prior to exfiltrating data and launching ransomware infections. The NJCCIC observed a phishing campaign attempting to deliver the IcedID malware to New Jersey State employees. The subject line may vary; however, it typically references a revision of a form or document, as seen in the example above. The email message appears to reply to a previous email conversation thread, a technique referred to as thread hijacking, and contains PDF attachments that often use keywords such as “unpaid,” “march_17,” and a two- or three-digit number. If the attachment is clicked, the target is directed to a link to download an HTML file, observed using keywords such as “Document,” “date,” and a six-digit number. If opened, the HTML file drops a JavaScript file, which executes if specific conditions are met and in turn launches an advanced PowerShell script to download and execute the IcedID malware. Proofpoint researchers highlighted similar variants and campaigns, noting that this phishing campaign was observed distributing the Standard IcedID variant. Analysts identified at least five threat actors, assessed to be initial access brokers, directly distributing this malware in campaigns over the last year.
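A mail-triage helper built from the keywords and digit counts the summary quotes, added here as an example and not part of the NJCCIC advisory. Treating the keywords as attachment-name patterns, the regexes themselves, and the "reply with no thread headers" heuristic are assumptions of this example; the sample messages are constructed.

```python
import re

# Filename patterns built from the keywords and digit counts quoted in the
# NJCCIC summary. The advisory publishes no signature; these regexes are an
# assumption of this example and would need tuning against real mail flow.
PDF_LURE = re.compile(
    r"(?i)^(?=.*(?:unpaid|march_17))(?=.*(?<!\d)\d{2,3}(?!\d)).*\.pdf$")
HTML_LURE = re.compile(
    r"(?i)^(?=.*(?:document|date))(?=.*(?<!\d)\d{6}(?!\d)).*\.html?$")
REPLY_PREFIX = re.compile(r"(?i)^\s*(re|fw|fwd)\s*:")

def classify_attachment(filename):
    """Label an attachment name that fits the campaign's naming, else None."""
    if PDF_LURE.match(filename):
        return "pdf-lure"
    if HTML_LURE.match(filename):
        return "html-lure"
    return None

def looks_like_hijacked_reply(headers):
    """Heuristic (an assumption, not from the advisory): a 'Re:' subject with
    no In-Reply-To or References header was never part of a real thread."""
    subject = headers.get("Subject", "")
    threaded = headers.get("In-Reply-To") or headers.get("References")
    return bool(REPLY_PREFIX.match(subject)) and not threaded

def triage(message):
    """Return the findings for one message (headers plus attachment names)."""
    findings = []
    if looks_like_hijacked_reply(message["headers"]):
        findings.append("reply-without-thread-headers")
    for name in message["attachments"]:
        label = classify_attachment(name)
        if label:
            findings.append(f"{label}:{name}")
    return findings

# Constructed sample messages for demonstration, not real campaign samples.
SAMPLE_MESSAGES = [
    {"headers": {"Subject": "RE: revised form"}, "attachments": ["unpaid_42.pdf"]},
    {"headers": {"Subject": "Re: budget", "In-Reply-To": "<abc@example.com>"},
     "attachments": ["Document_date_482913.html"]},
    {"headers": {"Subject": "Q1 statement"},
     "attachments": ["Invoice_Q1_2023.pdf", "Document_2023.html"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["headers"]["Subject"], "->", triage(msg) or "clean")
```

The digit-count checks matter: a four-digit year in a filename does not satisfy either pattern, which keeps ordinary invoices and dated documents out of the findings.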

Recommendations

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications, to avoid clicking links or opening attachments from unknown senders, and to exercise caution with communications from known senders. If unsure of the legitimacy, contact the sender via a separate means of communication, such as by phone, before taking action. Additionally, visit websites directly by manually typing the legitimate URL into a browser and refrain from navigating to online accounts via emailed links. Phishing emails and other malicious cyber activity can be reported to the FBI Internet Crime Complaint Center (IC3) and the NJCCIC.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.

