Analysis of Iced ID campaign – Part 2

• Distribution: IcedID is often distributed through phishing emails containing malicious attachments or links. These emails might appear legitimate and convincing, luring victims into opening attachments or clicking on links that ultimately lead to malware installation.
• Infection Chain: Once a victim’s system is infected, IcedID typically employs a multi-stage infection chain. This means that the malware goes through multiple steps to download and install its various components, making it more challenging to detect and analyze.
• Information Theft: IcedID specializes in stealing sensitive information, primarily focusing on financial data. It can capture login credentials from web browsers, financial software, and other applications. Additionally, it can intercept and manipulate online banking sessions to initiate fraudulent transactions.
• Evolution of IcedID code: Malware developers often update and evolve IcedID to stay ahead of security measures. New versions might include improved evasion techniques, encryption methods, and more advanced communication protocols with command and control servers.
• Botnet Functionality: IcedID can turn infected machines into part of a botnet. This means that attackers can remotely control and utilize the infected computers for various malicious activities, such as spreading malware further or launching distributed denial-of-service (DDoS) attacks.
• Persistence: IcedID aims to establish persistence on an infected system, making it difficult to remove. It can create registry entries, scheduled tasks, or use other techniques to ensure that it remains active even after a reboot.

Infection Chain:

Sample Information:

Threat Name: IcedID | Classification: Trojan | Category: Dropper

Technical Analysis of IcedID HTML:

HTML, short for Hypertext Markup Language, is a markup language utilized to establish the structure and visual presentation of web pages. An HTML file is composed of various elements that define the content and organization of a web page.

After opening the HTML file, the victim will get this page. Also, it states that it’s from the safer google link.

Initial Template of the Iced ID Campaign

Main Content of the HTML file

Let’s examine the HTML file structure:

<!DOCTYPE html>: This declaration specifies that the document is an HTML5 document.

<html>: The root element that encompasses the entire HTML document.

<head>: Contains meta-information about the document, such as the title, character encoding, and external file references.

<title>: Sets the title of the web page, displayed in the browser’s title bar or tab.

<meta charset=”UTF-8″>: Specifies the character encoding of the document as UTF-8, supporting a wide range of characters.

<link rel=”stylesheet” type=”text/css” href=”styles.css“>: Connects an external CSS file to style the web page.

<body>: Contains the visible content of the web page, such as headings, paragraphs, images, and other elements.

<header>: Represents the introductory content of the web page, often containing branding, logo, and primary navigation.

<h1>: Denotes various levels of headings, with <h1> being the highest level. ❖ <nav>: Defines a section of the web page containing navigation links.

<ul> and <li>: Used to create an unordered list and its list items.

<main>: Represents the main content of the web page, excluding header, footer, and minor sections.

<section>: Defines standalone sections within the web page.

<p>: Indicates a paragraph of text.

<img src=”image.jpg” alt=”Image”>: Inserts an image into the web page, with the source (src) attribute specifying the image file and the alt attribute providing alternative text.

<footer>: Contains the footer of the web page, usually including copyright information, links to terms of service, and other relevant details.

Base64 Embedded Content:
Here we can see the text content which states that “Google safe browsing service is unavailable. Please download the file manually and run again” It’s a fake template to believe that the file is from the legit google domain.

Base64 Encoded Technique:

Base64 Main Content:

Decoded Content:

Downloaded Decoded Sample

The choice of encoding is important as it influences the storage of strings, which consist of character collections, in memory. Additionally, managing encoding can be challenging due to potential information loss, errors, or inconsistencies they may introduce.

Indicators of Compromise for IcedID sample:

Here’s the captured data of GET /crown20(.))js HTTP/1.1 Packets

VT Results:

In the VT results, it shows the submitted URL is malicious and it’s downloading the IcedID payload malware and surprisingly it’s still in live.

MITRE ATT&CK Tactics & Techniques for IcedID sample,