According to ThreatPost, website contact forms and Google URLs are being used to spread the IcedID trojan, according to researchers at Microsoft.

Attackers are using “contact us” forms on websites to send emails targeting organizations with trumped-up legal threats, researchers said. The messages consistently mention a copyright infringement by a photographer, illustrator or designer, and they contain a link to purported “evidence” for these legal infractions. But the link in actuality leads to a Google page that downloads IcedID (a.k.a. BokBot), which is an information-stealer and loader for other malware.

“As attackers fill out and submit the web-based form, an email message is generated to the associated contact-form recipient or targeted enterprise, containing the attacker-generated message,” according to Microsoft’s recent posting. “The message uses strong and urgent language (‘Download it right now and check this out for yourself’), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.”

Researchers found that attackers used fake names that start with “Mel,” such as “Melanie” or “Meleena,” and used a standard format for their fake email addresses that include “m,” words associated with photography and three-digit numbers; i.e., mphotographer5[email protected] or [email protected]

The links take victims to a page, which asks them to sign in. Once a person signs in, the page automatically downloads a malicious .ZIP file, which when unpacked contains a heavily obfuscated .JS file, researchers said. Microsoft explained that the .JS file is executed via WScript, and that it creates a shell object that in turn launches PowerShell and downloads the IcedID payload in the form of a .DAT file.

The file also contains a Cobalt Strike beacon in the form of a stageless DLL, giving attackers remote control of the victim’s machine. Cobalt Strike is a penetration-testing tool that sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack; however, threat actors have since figured out how to turn it against networks.

The analysis shows that the downloaded .DAT file loads via the rundll32 executable, which then launches various information-gathering commands. Those include obtaining antivirus info; getting IP, domain and system information; and dropping SQLite for accessing banking and other credentials stored in browser databases.

“When run, IcedID connects to a command-and-control server (C2) to download modules that run its primary function of capturing and exfiltrating banking credentials and other information,” according to Microsoft. “It achieves persistence via schedule tasks. It also downloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the compromised system, including collecting additional credentials, moving laterally and delivering secondary payloads.”

The campaign is also using a secondary attack chain, researchers said, in case the page is taken down.

“In the secondary chain, users are redirected to a top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file,” they explained. “Further analysis reveals that the forms contain malicious links that download the IcedID malware.”


SpearTip’s experts understand the social engineering tactics threat actors use to manipulate average internet users. When you receive an email, don’t open it unless you can confirm the sender is legitimate. Threat actors are using these forms because they can bypass spam filters once it is filled out.

Leaders in your organization need to realize their employees are the main way their entire operation could be compromised. As companies grow, so does their risk of a cyber attack. This is why training your employees on what threats to look for on the internet is a great step to a more secure network. To go even further, call our security operations center. Our certified engineers are capable of responding to intrusions immediately and mitigating threats before they do any harm to your organization.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.