top of page

Uncovering Updates to IcedID BackConnect (BC) Module Used for Post-Compromise Activity

According to new information divulged by Team Cymru, cyber attackers associated with IcedID, or BokBot, a form of malware related to Emotet and QakBot, have upgraded the BackConnect (BC) module they use in their post-infiltration activities on compromised systems. The malware, initially created for banking fraud in 2017, has shifted its focus from banking fraud to serving as an access point for subsequent payloads, with current versions particularly favoring ransomware dissemination. The BC module, initially spotlighted by Netresec in October 2022, is linked to a unique command-and-control (C2) protocol facilitating command exchange between an infected host and a server. Accompanied by a VNC component for remote control, the protocol has previously been found in other malwares like BazarLoader and QakBot, both of which are no longer in operation. Following their discovery of 11 active BC C2s starting from July 1, 2022, Team Cymru reported in December 2022 that these C2s' operations are likely controlled from Ukraine and Moldova. In another significant development recognized in late May 2023, Palo Alto Networks' Unit 42 stated that BackConnect activity linked to IcedID, which was previously detectable via TCP port 8080, had shifted to TCP port 443 from April 11, 2023, thereby increasing difficulty in detection. An up-to-date evaluation of the attack infrastructure from Team Cymru reveals that from January 23, 2023, BC C2s increased from 11 to 34, with the average server uptime notably decreasing from 28 days to just eight days. A report shared with The Hacker News by the cybersecurity agency noted that as of April 11, 2023, they had identified 20 high-confidence BC C2 servers, inferred from management infrastructure pivots. Further scrutiny of traffic from BC C2 servers identifies up to eight potential victims communicating with three or more BC C2s from late April to June 2023. More worrying is the probability of one IcedID operator or associate accessing multiple victims simultaneously, inferred from the volume of observed traffic between servers and victims. Team Cymru’s examinations of IcedID BC-associated management infrastructure revealed patterns of distinct accesses by users believed to be linked to the daily operations of IcedID and their partners who interact with the victim hosts after compromise. This observation leads to the assumption that certain IcedID victims are being exploited in spamming operations through BC’s SOCKS capabilities. The victims are therefore doubly impacted, not only bearing the brunt of compromise and subsequent data/financial loss but also being co-opted into the spread of further IcedID campaigns. To further enhance your understanding of cybersecurity, enjoy our daily feed featuring insights, tips, and the latest news about cyber threats. To receive these updates, simply sign up for free. For a deeper dive into proactive strategies for addressing insider threats and SaaS Security Posture Management, join our insightful webinar.


bottom of page