IcedID is a banking trojan that allows attackers to steal victims’ banking credentials. IcedID, also known as BokBot, primarily targets businesses in order to steal payment information. It also serves as a loader and can deliver additional modules.
This blog will provide a thorough study of a new IcedID malware sample.
Infection Chain:
The new IcedID campaign uses spam email with an attachment (EML) as the initial infection vector. The attachment carries a Microsoft Office document (.DOC) with VBA macro content that entices the user to enable macros. When the user enables the content, the payload file (a .DLL with an unusual extension) is dropped directly to disk. The malware is then launched through one of its export functions, carries out the intended action and transfers the collected data to its C2 server.
Sample Information:
File Metadata/Properties:
Technical Analysis of DOC:
Sample: edc11aa4b1212f620cc1fc0c12d79dee23511467a7fd955e9afad88ed250e765
Category: Dropper
Campaign: IcedID
Once the user opens the document, an Enable Content button is shown. The document uses a fake MS Word template with a blurred image, with which the malware author tricks the user into enabling content in order to view the document.
Macros:
In general, we can view the macro content and debug it. Here, however, the VBA code is hidden and cannot be viewed directly; this is one of the tricks used by malware authors. A macro is a programmable pattern that translates a certain sequence of input into a preset sequence of output. Macros can make tasks less repetitive by representing a complicated sequence of keystrokes, mouse movements, commands or other types of input.
Export Function:
Here, the VBA code is heavily obfuscated and contains many functions. The main purpose of this code is to drop the payload file, which may be the real malware or another dropper; which one it is depends on the malware author.
Enabled Content:
Once content is enabled, the malicious document executes its VBA macro code to drop IcedID at a specified location. In this sample, that location is “C:\ProgramData”.
The ProgramData folder is one of the important system folders: it holds shared data for classic Windows and UWP applications. It is hidden by default because it is not meant to be browsed or tampered with by ordinary users.
Dropped Payload file Analysis:
Entry point with export function:
To find the exact export function used by the malware, we need to check the exports one by one. Here the command line is straightforward: the payload is executed with rundll32 using this export function.
Manual Checks:
Export Functions:
Exporting a function from a DLL is nothing more than adding the function to the DLL’s export table. This makes it possible for code outside the DLL to call the function, because external code (such as rundll32) can now look up where the function starts.
Signature of IcedID threat actors
Threat actors behind the IcedID campaign have used a few different methods to deploy the malware, and as with most cyberattacks these methods are evolving, making IcedID more difficult to detect. However, a few techniques have been observed repeatedly in conjunction with IcedID campaigns.
Presence of the Cobalt Strike framework: According to threat researchers, Cobalt Strike, a popular command and control (C2) framework used legitimately by penetration testers, has been seen in multiple IcedID attacks in the recent past, around January 2022. Within 20 minutes of infection, LMNTRIX CDC observed IcedID malware attempting to load Cobalt Strike. Adversaries used four different Cobalt Strike servers in the “Stolen Image Evidence” campaign, which were used to access LSASS memory and perform process injection, among other things.
The use of ISO and DLL files: According to LMNTRIX CDC, some IcedID variants have abandoned Office documents in favour of ISO files containing a Windows LNK file and a DLL file. By delivering the payload inside an ISO, threat actors can circumvent Mark-of-the-Web controls, a security feature that restricts what downloaded files are allowed to do. This allows attackers to execute malware without alerting the user.
Using the built-in Windows binaries: IcedID threat actors also take advantage of legitimate tools that are already present in a target environment, a strategy known as living off the land. For example, in the “Stolen Image Evidence” campaign, threat actors used Windows utilities such as net, wmic, chcp, and nltest to perform system discovery.
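The two behaviours above (rundll32 launching a non-.dll payload from C:\ProgramData via an export, and a burst of net/wmic/chcp/nltest discovery commands) can be turned into detection logic over process-creation telemetry. The script below is an added example written for this post, not LMNTRIX tooling; the event tuples are constructed samples, and the field layout (timestamp, host, parent image, command line) is an assumption about your log source.

```python
"""Constructed detection logic for the IcedID behaviours described above.

Flags: (1) rundll32 loading a file from C:\\ProgramData that does not end in
.dll, invoked by export name (e.g. ",PluginInit"); (2) a host running >= 3
distinct discovery binaries (net, wmic, chcp, nltest) within 5 minutes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, host, parent image, command line)
EVENTS = [
    ("2022-09-26 10:01:02", "WS01", "WINWORD.EXE", r"rundll32.exe C:\ProgramData\46273883.314,PluginInit"),
    ("2022-09-26 10:01:20", "WS01", "cmd.exe", "net view /all"),
    ("2022-09-26 10:01:25", "WS01", "cmd.exe", "nltest /domain_trusts /all_trusts"),
    ("2022-09-26 10:01:30", "WS01", "cmd.exe", "chcp 65001"),
    ("2022-09-26 10:01:40", "WS01", "cmd.exe", "wmic /node:localhost os get caption"),
    ("2022-09-26 11:30:00", "WS02", "explorer.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ("2022-09-26 11:45:00", "WS02", "cmd.exe", "net use"),
]

# rundll32 <path>,<export>  (path may be quoted; export is the word after the comma)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
DISCOVERY_BINS = {"net", "nltest", "chcp", "wmic"}

def suspicious_rundll32(cmdline):
    """Return (path, export) when rundll32 loads a non-.dll file from ProgramData by export, else None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    path, export = m.group("path"), m.group("export")
    in_programdata = path.lower().startswith("c:\\programdata\\")
    odd_extension = not path.lower().endswith(".dll")
    return (path, export) if (in_programdata and odd_extension) else None

def discovery_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map host -> sorted discovery binaries when >= threshold distinct ones run within `window`."""
    per_host = defaultdict(list)
    for ts, host, _parent, cmd in events:
        binary = cmd.split()[0].rsplit("\\", 1)[-1].lower()   # strip any directory prefix
        binary = binary[:-4] if binary.endswith(".exe") else binary
        if binary in DISCOVERY_BINS:
            per_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), binary))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):            # slide the window from each event
            in_window = {b for t, b in seen[i:] if t - start <= window}
            if len(in_window) >= threshold:
                hits[host] = sorted(in_window)
                break
    return hits

def scan(events):
    """Run both detections and return a list of alert tuples."""
    alerts = []
    for _ts, host, parent, cmd in events:
        hit = suspicious_rundll32(cmd)
        if hit:
            alerts.append((host, "rundll32_odd_ext_programdata", hit[0], hit[1], parent))
    for host, bins in discovery_bursts(events).items():
        alerts.append((host, "discovery_burst", ",".join(bins)))
    return alerts
```

The parent image is carried into the rundll32 alert because a WINWORD.EXE parent, as in this sample's macro launch, is the strongest triage signal.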
Conclusion:
Conversation hijacking employed by IcedID variants emerges as a powerful social engineering technique that can increase the success rate of a phishing campaign. The payload has been switched between Office documents and ISO files from time to time, with commodity packers and multiple stages used to conceal malicious activity. IcedID is capable of propagating throughout the network, allowing it to monitor all activity on the infected system, exfiltrate data and conduct a man-in-the-browser attack. Specifically, the man-in-the-browser attack is made up of three steps: web injection, proxy setup and redirection.
IOCs for Detecting IcedID malware:
THREAT IDENTIFICATION: ICEDID (Bokbot)
SUBJECTS OBSERVED: Subject may have been from a previously stolen email thread – can’t say for sure.
SENDERS OBSERVED: rherrera@m3rxant(.)com
MALDOC FILE HASH
irvineonline,document,09.26.22.doc
7fbf23063a7dda5bfad4787a24231499
VBA LAUNCH COMMAND
Shell ReembroiderMormondomUnleathered("3931245045456261") + " " + BeziqueMalellaMemorise + ",PluginInit"
(uses rundll32)
PAYLOAD FILE HASH (Manually extracted)
Extracted_IcedId.dll
ed453684a0a54fee5acda4230e7cc049
Dropped to C:\Users\all as:
46273883.314
ed453684a0a54fee5acda4230e7cc049
ICEDID CAMPAIGN ID: 742081363
ICEDID C2: hxxp://scainznorka(.)com/
SUPPORTING EVIDENCE: hxxps://tria(.)ge/220926-yytwladadr
Reference link: https://github.com/executemalware/Malware-IOCs/blob/main/2022-09-26%20IcedID%20IOCs
Based on the C2, we found the following list of hashes from our threat intel: