Advisory Type
|
Malware Intelligence |
Malware Name
|
IcedID |
Malware Aliases
|
BokBot |
Malware Type
|
Banking Trojan |
Target OS
|
Windows |
Executive Summary
First noticed in 2017, IcedID is a banking trojan that steals financial information. IcedID has also been leveraged as a dropper for other malware and in the infection stage of ransomware operations.
This malware follows multiple delivery methods, out of which phishing emails with macro embedded attachments are the most prevalent. In a recent campaign involving IcedID, attackers abused website contact forms of multiple enterprises, used emails laced with malicious links, which when clicked downloaded a malicious .zip file. These emails, usually, tend to create a sense of urgency, provoking immediate action.
For instance, the sender pretends to be a photographer threatening legal action against the company for using his photos on their site, without permission. The sender then shares a malicious link which purports to be evidence that proves the incident. On clicking the link, however, the recipient is navigated to a Google page that downloads the malicious .zip file.
Technical Analysis
The phishing emails that IcedID campaigns use contain a malicious link, that when clicked on loads a Google page. This page then requires the unsuspecting victim to sign in with their google credentials. Upon signing in a malicious zip file is automatically downloaded on the victim’s machine. If at all the first link fails, they are redirected to a .top domain which then leads to a Google User Content page that downloads the malicious zip file.
Stages of execution:
- The zip file contains a malicious JavaScript that is executed via WScript
- A Shell object is created after executing the previous JS file
- The Shell object launches PowerShell to download the IcedID payload in .dat format
- The IcedID payload is well encrypted to escape detection
Impact
Technical Impact
- IcedID is a banking trojan that steals the victim’s banking credentials and other financial information in the infected system and sends the information gathered to the attacker’s C2.
- IcedID also acts as a loader for other types of payloads like ransomware, furthering other forms of attacks.
Business Impact
- The banking trojan affects the privacy of its victims and abuses their financial information.
- Infecting the system with ransomware will have an adverse impact on the business and its reputation.
Mitigation
- Raise awareness about phishing emails and malicious links.
- Use Multi-Factor Authentication for all accounts.
- Users are advised to patch their systems and always be up to date.
- Use the latest AV software.
Tactics, Techniques, and Procedures
Tactics
|
Techniques
|
Reconnaissance
|
T1594 |
Search victim-owned websites |
Initial Access
|
T1566.001 |
Spear phishing attachment |
| T1566.002 |
Spear phishing link |
| T1078.002 |
Domain accounts |
Execution
|
T1059 |
Command and scripting interpreter |
| T1059.001 |
PowerShell |
| T1053.005 |
Scheduled Task |
| T1204.001 |
Malicious link |
| T1047 |
Windows management Instrumentation |
Persistence
|
T1053.005 |
Scheduled Task |
Privilege Escalation
|
T1055 |
Process injection |
| T1053.005 |
Scheduled Task |
Defense Evasion
|
T1055 |
Process injection |
| T1218.011 |
Rundll32 |
| T1553.002 |
Code signing |
Credential Access
|
T1555.003 |
Credentials from web browsers |
Discovery
|
T1482 |
Domain trust discovery |
| T1018 |
Remote system discovery |
| T1518.001 |
Security software discovery |
| T1082 |
System information discovery |
| T1016 |
System network configuration discovery |
Lateral Movement
|
T1021.001 |
Remote Desktop Protocol |
| T1021.002 |
SMB/Windows admin shares |
Collection
|
T1185 |
Man in the browser |
Command and Control
|
T1071 |
Application Layer Protocol |
Exfiltration
|
T1048.002 |
Exfiltration over asymmetric encrypted non-C2 protocol |
Impact
|
T1486 |
Data encrypted for impact |
Indicators of Compromise
URL
|
https://tajushariya.com/ds/3003.gif |
| https://partsapp.com.br/ds/3003.gif |
| https://metaflip.io/ds/3003.gif |
| https://columbia.aula-web.net/ds/3003.gif |
| https://agenbolatermurah.com/ds/3003.gif |
Hostname
|
columbia.aula-web.net |
Domain
|
agenbolatermurah.com |
| metaflip.io |
| partsapp.com.br |
| tajushariya.com |
File Hash – SHA1
|
191eda0c539d284b29efe556abb05cd75a9077a0 |
| e2d681cb701cc399f2df1df7ac393440069c0916 |
| 816fd4a3c19d91727c835254c083e7a4e946ad54 |
| dd58c4d4d12797ccc50488bb511288e50d405e66 |
| 7a0ff1d3469babd88dcab8db4c1f802a4228d4ab |
| 922afdba3c7d52a99a7fba0d249297720b4dc811 |
| 30b666cf091d4fd4bc9ce76a0b11daf07f271d5f |
| b7029ba38004200f1b21a4d12337710a67dbea80 |
| 94f7de7ced668fbe9776cfef701b84e375b1c293 |
| fc8b23d3d05c5cc5cab78bae3a84ec8dd9c0eeed |
| 492c512e14cf59a5dfa8d8e5adfd93858e95100d |
| 8617364d8958be0bd0e9cdae7320f5c9aae65208 |
