Analysis of IcedID campaign

IcedID is a banking trojan malware that allows attackers to steal victims’ banking credentials. IcedID, also known as BokBot, primarily targets businesses in order to steal payment information. It also serves as a loader and can deliver additional modules.

This blog will provide a thorough study of a new IcedID malware sample.

Infection Chain:

The new IcedID campaign uses spam email with an EML attachment as the initial infection vector. The attachment is a Microsoft Office document (.DOC) carrying VBA macro content, and the document lures the user into enabling the macros. When the user enables the content, the macro drops the payload, a DLL saved with a non-standard extension, directly to disk. The DLL is then executed through one of its export functions, after which the malware carries out its intended actions and sends the collected data to its C2 server.

Sample Information:

File Metadata/Properties:

Technical Analysis of DOC:

Sample   : edc11aa4b1212f620cc1fc0c12d79dee23511467a7fd955e9afad88ed250e765
Category : Dropper
Campaign : IcedID

Once the user opens the document, an Enable Content button is shown. The document displays a fake, blurred MS Word template, with which the malware author tricks the user into enabling content in order to view the document.

Macros:

Normally we can view the macro content and debug it, but in this sample the VBA code is hidden and cannot be viewed directly; this is one of the tricks used by the malware authors. A macro is a programmable pattern that translates a given sequence of input into a preset sequence of output. Macros make tasks less repetitive by standing in for a complicated sequence of keystrokes, mouse movements, commands, or other input.

Export Function:

Here, the VBA code is heavily obfuscated and contains a large number of functions. The main purpose of this code is to drop the payload file, which may be the real malware or another dropper; which one it is depends on the malware author.

Enabled Content:

Once content is enabled, the malicious document executes the VBA macro code to drop IcedID in its specified location; this time it is “C:\ProgramData”.

ProgramData is one of the important Windows system folders: it holds the application data for classic Windows and UWP applications. It is hidden by default because ordinary users are not meant to browse or tamper with it.

Dropped Payload file Analysis:

Entry point with export function:

To find the exact export function the malware uses, we need to check the candidates one by one. Here the command line is straightforward: the payload is executed with rundll32 through this export function.

Manual Checks:

Export Functions:

Exporting a function from a DLL is nothing more than adding the function to the symbol table. This makes it possible for code outside your DLL to call the function, because now external code can look up where the function starts.
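To make the export-table idea concrete, here is an added Python example (not code from the original post or from LMNTRIX) that walks a PE's export directory by hand and answers the check a defender wants after seeing a `rundll32 <file>,PluginInit` command line: does the named export actually exist? It builds its own constructed, minimal PE32+ image in memory, so the file name, the second export name and the dummy code addresses are all assumptions; on a real sample you would pass the file's bytes to `list_exports` instead.

```python
import struct

def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def read_cstring(data, offset):
    """Read a NUL-terminated ASCII string."""
    return data[offset:data.index(b"\x00", offset)].decode("ascii")

def list_exports(pe):
    """Return the exported names of a PE image (bytes), in export-table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    # DataDirectory[0] (the export table) sits at offset 112 in PE32+ and 96 in PE32.
    export_rva, _export_size = struct.unpack_from("<II", pe, opt + (112 if magic == 0x20B else 96))
    if export_rva == 0:
        return []                                         # nothing is exported at all
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + i * 40                     # IMAGE_SECTION_HEADER
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = rva_to_offset(export_rva, sections)             # IMAGE_EXPORT_DIRECTORY
    num_names = struct.unpack_from("<I", pe, exp + 0x18)[0]
    names_off = rva_to_offset(struct.unpack_from("<I", pe, exp + 0x20)[0], sections)
    names = []
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", pe, names_off + i * 4)[0]
        names.append(read_cstring(pe, rva_to_offset(name_rva, sections)))
    return names

def export_exists(pe, name):
    """Does the export named on a rundll32 command line exist in this image?"""
    return name in list_exports(pe)

def build_sample_dll(export_names, dll_name=b"sample.dll"):
    """Build a constructed, minimal PE32+ image with one .edata section (assumption: not a real binary)."""
    sec_va, sec_raw, n = 0x1000, 0x400, len(export_names)
    funcs_rva = sec_va + 40                               # tables follow the 40-byte export directory
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings = dll_name + b"\x00"
    name_rvas = []
    for nm in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode("ascii") + b"\x00"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", sec_va + 0x800 + 0x10 * i) for i in range(n))  # dummy code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\x00" * 110 + struct.pack("<II", sec_va, len(body))
    opt += b"\x00" * (240 - len(opt))
    sec = b".edata\x00\x00" + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + sec
    return headers + b"\x00" * (sec_raw - len(headers)) + body

# Constructed sample: PluginInit is the export named in this campaign; DecoyExport is made up.
SAMPLE_DLL = build_sample_dll(["PluginInit", "DecoyExport"])

if __name__ == "__main__":
    print(list_exports(SAMPLE_DLL))
    print("PluginInit present:", export_exists(SAMPLE_DLL, "PluginInit"))
```

The parser only resolves names, not the function addresses, which is all the command-line check needs; a fuller tool would also resolve `AddressOfFunctions` entries and recognise forwarders.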

Signature of IcedID threat actors

Threat actors behind the IcedID campaign have used a few different methods to deploy the malware, and as with most cyberattacks, these methods keep evolving, making IcedID more difficult to detect. However, a few techniques have been observed repeatedly in conjunction with IcedID campaigns.

Presence of the Cobalt Strike framework: According to threat researchers, Cobalt Strike, a popular command and control (C2) framework used legitimately by penetration testers, has been seen in multiple IcedID attacks in the recent past, around January 2022. Within 20 minutes of infection, LMNTRIX CDC observed IcedID malware attempting to load Cobalt Strike. Adversaries used four different Cobalt Strike servers in the “Stolen Image Evidence” campaign, which were used to access LSASS memory and perform process injection, among other things.

The use of ISO and DLL files: According to LMNTRIX CDC, some variants of IcedID have abandoned Office documents in favour of ISO files containing a Windows LNK file and a DLL file. By using ISO files, threat actors can circumvent Mark-of-the-Web, a security feature that marks files downloaded from the Internet and restricts what they may do. This allows attackers to execute malware without alerting the user.

Using the built-in Windows binaries: IcedID threat actors also take advantage of legitimate tools that are already present in a target environment, a strategy known as living off the land. For example, in the “Stolen Image Evidence” campaign, threat actors used Windows utilities such as net, wmic, chcp, and nltest to perform system discovery.
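As an added detection example (not part of the original post or of any LMNTRIX tooling), the following Python applies the observations above to a handful of constructed process-creation events in a Sysmon/EDR-like shape: an Office process launching rundll32, rundll32 loading a file from a user-writable path whose extension is not .dll (the dropped 46273883.314 with its PluginInit export, as described earlier in this analysis), and a burst of the net/wmic/chcp/nltest discovery binaries on one host. Host names, timestamps and the benign command lines are constructed; the field names, path prefixes and thresholds are assumptions to adapt to your own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry) in a Sysmon/EDR-like shape.
EVENTS = [
    {"ts": "2022-09-26T10:00:01", "host": "WS01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\46273883.314,PluginInit"},
    {"ts": "2022-09-26T10:00:30", "host": "WS01",            # benign rundll32 use for contrast
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"ts": "2022-09-26T10:01:10", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\chcp.com", "cmdline": "chcp"},
    {"ts": "2022-09-26T10:01:12", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net config workstation"},
    {"ts": "2022-09-26T10:01:15", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe", "cmdline": "wmic computersystem get domain"},
    {"ts": "2022-09-26T10:01:20", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"ts": "2022-09-26T11:30:00", "host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use"},   # a lone admin command
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DISCOVERY_BINARIES = {"net.exe", "net1.exe", "wmic.exe", "chcp.com", "nltest.exe"}
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users")   # assumption: tune to your environment
# rundll32 <path>,<export> with or without quotes around the binary or the path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<path>[^,"]+?)"?\s*,\s*(?P<export>\S+)', re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_rundll32(ev):
    """Flag rundll32 spawned by an Office app, or loading a non-.dll file from a user-writable path."""
    m = RUNDLL_RE.search(ev["cmdline"])
    if not m:
        return []
    path, export = m.group("path"), m.group("export")
    findings = []
    if basename(ev["parent"]) in OFFICE_PARENTS:
        findings.append(f"{ev['host']}: Office parent {basename(ev['parent'])} spawned rundll32 -> {path},{export}")
    name = basename(path)
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext != "dll" and path.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"{ev['host']}: rundll32 loading non-DLL extension from user-writable path -> {path},{export}")
    return findings

def check_discovery_burst(events, window=timedelta(minutes=5), threshold=3):
    """Flag a host that runs at least `threshold` distinct discovery LOLBins inside `window`."""
    by_host = defaultdict(list)
    for ev in events:
        if basename(ev["image"]) in DISCOVERY_BINARIES:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), basename(ev["image"])))
    findings = []
    for host, runs in by_host.items():
        runs.sort()
        for t0, _ in runs:                                   # slide the window from each run
            seen = {name for t, name in runs if t0 <= t <= t0 + window}
            if len(seen) >= threshold:
                findings.append(f"{host}: discovery burst {sorted(seen)} within {window}")
                break
    return findings

def analyse(events):
    """Run every check and return the list of findings (empty when nothing is suspicious)."""
    findings = []
    for ev in events:
        findings.extend(check_rundll32(ev))
    findings.extend(check_discovery_burst(events))
    return findings

if __name__ == "__main__":
    for line in analyse(EVENTS):
        print(line)
```

Run against the constructed events this yields three findings: two for the first rundll32 event and one discovery burst on WS01, while the shell32.dll control-panel launch and the single `net use` on WS02 stay quiet. The burst check deliberately counts distinct binaries rather than raw command count, so one noisy admin loop over `net` alone does not fire.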

Conclusion:

Conversation hijacking, as employed by IcedID variants, emerges as a powerful social engineering technique that can increase the success rate of a phishing campaign. The payload has been switched from Office documents to ISO files from time to time, with commodity packers and multiple stages used to conceal malicious activity. IcedID is capable of propagating throughout the network, allowing it to monitor all activity on the infected system, exfiltrate data, and conduct a man-in-the-browser attack. Specifically, the man-in-the-browser attack consists of three steps: web injection, proxy setup, and redirection.


IOCs for Detecting IcedID malware:

THREAT IDENTIFICATION:  ICEDID (Bokbot)

SUBJECTS OBSERVED: Subject may have been from a previously stolen email thread – can’t say for sure.

SENDERS OBSERVED: rherrera@m3rxant(.)com

MALDOC FILE HASH

irvineonline,document,09.26.22.doc

7fbf23063a7dda5bfad4787a24231499

VBA LAUNCH COMMAND

Shell ReembroiderMormondomUnleathered("3931245045456261") + " " + BeziqueMalellaMemorise + ",PluginInit"

(uses rundll32)

PAYLOAD FILE HASH (Manually extracted)

Extracted_IcedId.dll

ed453684a0a54fee5acda4230e7cc049

Dropped to C:\Users\all as:

46273883.314

ed453684a0a54fee5acda4230e7cc049

ICEDID CAMPAIGN ID: 742081363

ICEDID C2: hxxp://scainznorka(.)com/

SUPPORTING EVIDENCE: hxxps://tria(.)ge/220926-yytwladadr

Reference link: https://github.com/executemalware/Malware-IOCs/blob/main/2022-09-26%20IcedID%20IOCs

Based on the C2, we found the following list of hashes from our threat intel:

SHA256: No tags
