FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat
Staff

Introduction

IcedID, also known as BokBot, is a banking trojan that gathers financial information from the victim, including login credentials for online banking, and can also act as a dropper for other malware. IcedID is typically distributed through phishing campaigns and has reportedly been delivered as a second-stage payload by other distribution tools such as Emotet. Previous versions of IcedID used Microsoft Office files with embedded VBA macros to download the first-stage dll. In the latest versions the attachments are .iso files containing a Windows shortcut (.lnk), a Windows batch file (.bat) and the malicious dll. Because the payload is delivered inside an .iso, the files inside the mounted image do not carry the Mark-of-the-Web zone identifier that the downloaded attachment had, so they run without the usual warning to the user [1].


Figure 1 IcedID Attack Diagram

 

Initial Execution

The most recent IcedID campaign observed by the FortiGuard Responder team is initiated through a phishing email carrying a malicious attachment (T1566.001: Phishing: Spearphishing Attachment [2]). In this campaign the victim receives a phishing email with an .iso file attached. The iso contains a .lnk file and a hidden folder holding a .bat file and a single dll.

When an .iso file is opened on Windows 10 and above, Windows by default mounts it as a removable drive (typically shown as a CD drive) and opens it in Windows Explorer. When the analyzed IcedID iso is opened by double-clicking it in Explorer, the user sees only the document.lnk file; this matches previously reported IcedID payloads analyzed by the FortiGuard team [3]. The folder containing the .bat and .dll files is hidden. The document.lnk file carries a folder icon to trick the user into opening the shortcut. The file and folder structure can be seen in Figure 2 below.


Figure 2 IcedID iso file contents

 

When the victim opens document.lnk, the shortcut starts a cmd process that runs the bat file in the hidden folder of the mounted iso drive. The contents of these bat files are typically obfuscated with basic variable substitution and function nesting in order to hide the commands the batch file executes. When we analyzed and de-obfuscated the batch file, the command it executed was "rundll32 <hidden_directory>\tempting.dll #1", which matches the name of the dll in the hidden folder. Different samples of the malware use different names for the hidden folder, bat file and dll file, and these appear to be generated programmatically per build. The obfuscated and de-obfuscated contents of the bat file can be seen in Figure 3 below.


Figure 3 Obfuscated (left) and de-obfuscated (right) bat file contents
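To make the de-obfuscation step concrete, the following Python script is added here as an example; it is not the FortiGuard team's tooling and the batch file it contains is not the real IcedID sample. It emulates how cmd.exe resolves `set` assignments, `%var%` expansion, `%var:~start,len%` substring extraction and `%var:old=new%` replacement in order, and returns the command that would finally run. The embedded batch file is constructed in the style the article describes; the folder name hidden_dir is a placeholder, not a name from a real sample.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the style the article describes (the hidden_dir name is a
# placeholder): the real command line is spread over variables, substring
# expansions and a decoy-stripping replacement, so neither "rundll32" nor the
# dll name appears literally anywhere in the file.
SAMPLE_BAT = r"""@echo off
set zq=sturdnlls23#1
set "pk=ab\cd\hid##den_dir\tem##pting.dll"
set run=%zq:~3,1%%zq:~2,1%%zq:~5,1%%zq:~4,1%%zq:~6,2%%zq:~10,1%%zq:~9,1%
set arg=%pk:~6%
call %run% %arg:##=% %zq:~11,2%
"""

# set NAME=VALUE  or  set "NAME=VALUE"
_SET_RE = re.compile(r'^\s*@?set\s+"?([^=\s"]+)=([^"]*)"?\s*$', re.IGNORECASE)
# %name%  %name:~start%  %name:~start,len%  %name:old=new%
_EXPAND_RE = re.compile(
    r"%([A-Za-z_][A-Za-z0-9_]*)(?::(?:~(-?\d+)(?:,(-?\d+))?|([^=%]+)=([^%]*)))?%"
)


def _substring(value: str, start: int, length: Optional[int]) -> str:
    """Emulate cmd.exe %var:~start,len%: a negative start counts from the end,
    a negative len drops that many characters from the end."""
    if start < 0:
        start = max(len(value) + start, 0)
    tail = value[start:]
    return tail if length is None else tail[:length]


def expand(line: str, env: Dict[str, str]) -> str:
    """Expand every %var...% reference on one line against the current variables.
    Undefined references are left untouched, as cmd.exe does."""
    def repl(m):
        name, start, length, old, new = m.groups()
        value = env.get(name.lower())
        if value is None:
            return m.group(0)
        if start is not None:
            return _substring(value, int(start), None if length is None else int(length))
        if old is not None:
            return value.replace(old, new)
        return value
    return _EXPAND_RE.sub(repl, line)


def deobfuscate(script: str) -> List[str]:
    """Walk the batch file top to bottom the way cmd.exe would: expand each line,
    record `set` assignments, and collect the commands that would actually run."""
    env: Dict[str, str] = {}
    commands: List[str] = []
    for raw in script.splitlines():
        line = expand(raw, env)  # expansion happens before the line executes
        if not line.strip() or line.strip().lower() in ("@echo off", "echo off"):
            continue
        m = _SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        cmd = line.strip().lstrip("@")
        if cmd.lower().startswith("call "):
            cmd = cmd[5:].strip()
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE_BAT):
        print(cmd)  # rundll32 hidden_dir\tempting.dll #1
```

Running it on the constructed sample yields the single effective command `rundll32 hidden_dir\tempting.dll #1`, the same shape as the de-obfuscated result in Figure 3. The variables that matter to a hunter are the ones that survive to the final line, so recording assignments in execution order rather than pattern-matching for "rundll32" is what makes this robust to renamed variables and reshuffled substrings.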

 

The bat file then loads the hidden dll with rundll32.exe. This dll is the main IcedID executable. FortiEDR detects the IcedID payload as a malicious file based on hash reputation and stops the load. For future versions without a known hash, FortiEDR integrates with cloud-based AI and ML resources and employs online sandboxing to identify malicious and suspicious files. The event is flagged by the "Malicious File Detected" rule within the "Execution Prevention" security policy, as seen in Figure 4 below.


Figure 4 FortiEDR detects loading malicious IcedID dll file initiated by the above batch file

 

FortiEDR also detects and blocks the dll's attempt to communicate with its C2 server. This event is raised by the "Malicious File Detected" and "Unmapped Executable" rules within the "Exfiltration Prevention" security policy. The event generated during our analysis can be seen in Figure 5 below.


Figure 5 FortiEDR blocks C2 communication initiated by the malicious IcedID dll file

 

When the dll was analyzed, it was found to contain custom sections with very unusual names (.QUUa, .ecEk, .tre, .hyt), an anomalous entry point and high entropy, all of which are indicators commonly seen in packed or otherwise malicious executables. This can be seen in Figure 6 below.


Figure 6 Possible packed sections in the dll file shown in tool PEstudio
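The checks PEstudio surfaces in Figure 6 are easy to reproduce without the tool. The Python script below is an added example, not code from the article or from PEstudio: it parses the PE section table with `struct`, computes per-section Shannon entropy, and flags non-standard section names, high-entropy executable sections and an entry point that does not land in .text. Because a real IcedID dll cannot be embedded here, the script also builds a constructed minimal PE32+ image with a normal .text/.rdata pair and a packed-looking RWX section named .QUUa (one of the names the article lists) that holds the entry point; the section layout, the 7.0 bits/byte threshold and the list of "common" section names are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Section names a compiler-built DLL normally carries; anything else deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


class Section(NamedTuple):
    name: str
    rva: int
    vsize: int
    entropy: float
    executable: bool


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for a constant buffer, 8 for uniform bytes.
    Packed or encrypted code usually sits above 7."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> Tuple[int, List[Section]]:
    """Walk DOS header -> PE signature -> COFF header -> optional header ->
    section table and return (AddressOfEntryPoint, sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), rva,
                                max(vsize, rsize), shannon_entropy(pe[rptr:rptr + rsize]),
                                bool(chars & IMAGE_SCN_MEM_EXECUTE)))
    return entry_rva, sections


def triage(pe: bytes, threshold: float = 7.0) -> Dict[str, List[str]]:
    """Flag what the article points at in PEstudio: odd section names, high-entropy
    executable sections (likely packed) and an entry point outside .text."""
    entry_rva, sections = parse_pe(pe)
    findings: Dict[str, List[str]] = {}
    for s in sections:
        reasons = []
        if s.name not in COMMON_SECTIONS:
            reasons.append("non-standard section name")
        if s.entropy > threshold:
            reasons.append(f"high entropy ({s.entropy:.2f} bits/byte)")
            if s.executable:
                reasons.append("executable and high entropy: likely packed code")
        if s.rva <= entry_rva < s.rva + s.vsize and s.name != ".text":
            reasons.append("entry point lands here instead of .text")
        if reasons:
            findings[s.name] = reasons
    return findings


def _filler(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for packed code."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


def build_sample_pe(sections: List[Tuple[bytes, bytes, int]], entry_rva: int) -> bytes:
    """Constructed minimal PE32+ image for this demo (not a real IcedID sample): DOS
    header, PE signature, COFF header, 24-byte optional header, section table, raw data."""
    opt_size, e_lfanew = 24, 0x40
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table, blob, rva = b"", b"", 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data), raw_ptr,
                             0, 0, 0, 0, chars)
        blob, raw_ptr, rva = blob + data, raw_ptr + len(data), rva + 0x1000
    return dos + b"PE\0\0" + coff + opt + table + blob


# Constructed sample: plausible .text/.rdata plus a packed-looking RWX section,
# named like one the article saw, that holds the entry point.
SAMPLE_PE = build_sample_pe(
    [(b".text", b"\x55\x8b\xec\x90\xc3" * 400, 0x60000020),
     (b".rdata", b"demo strings\0" * 80, 0x40000040),
     (b".QUUa", _filler(8192), 0xE0000020)],
    entry_rva=0x3010,
)

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PE).items():
        print(name, "->", "; ".join(reasons))
```

On the constructed image only .QUUa is reported, with all three reasons. Entropy alone is a weak signal (compressed resources and certificate blobs are also high-entropy), which is why the script only calls a section "likely packed" when it is both high-entropy and marked executable; the entry-point check adds a third, independent indicator. To apply it to a real file, pass `open(path, "rb").read()` to `triage()`.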

 

Conclusion

In this article we have analyzed an IcedID sample from a recent campaign and observed how FortiEDR detects the malicious sample and blocks its communication with the C2 server. Through these protections FortiEDR has demonstrated its ability to mitigate this type of intrusion at both the installation and the command and control stages of the kill chain. FortiEDR also provides the ability to create additional detections targeting specific behavior linked to threats like IcedID. These detections are built around telemetry collected by the FortiEDR Threat Hunting module. To assist defenders hunting for potential IcedID activity, some queries designed to capture IcedID-specific behavior and indicators are shown below. For a more in-depth technical analysis of a previous IcedID payload, check out this three-part blog from the FortiGuard team: https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.

 

 

Threat Hunting

The following query can be used to identify HTTP Request events associated with communication to the IcedID C2 domains identified from the sample analyzed in this article. This query identifies the “HTTP Request” events which have the URL field matching the malware C2 domain. Note that this will only detect connections to domains associated with known C2 associated with the analyzed campaign.

 

Type:"HTTP Request" AND URL:("http://lionafuyesas.com" OR "http://academfleedalas.com" OR "https://heldosant.com/k309/" OR "https://moxisoma.com/r021/" OR "https://microark.org/r021/" OR "http://satisfyammyz.com/")


To find TCP connections from rundll32.exe to the C2 IP addresses we can use "Socket Connect" events. To reduce false positives the query requires the source process name rundll32.exe with cmd.exe as its parent process, together with the list of C2 addresses in the RemoteIP field. The following query can be used to find these events. Note that this will only detect connections to IPs associated with the known C2 of the analyzed campaign.

 

Type:"Socket Connect" AND Source.Process.Name: rundll32.exe AND Source.Process.Parent.Path:"cmd.exe" AND RemoteIP:(207.154.202.192 OR 164.92.176.20 OR 104.223.118.70 OR 176.31.136.228 OR 185.150.117.221 OR 193.27.14.250 OR 45.66.248.244 OR 45.66.249.26 OR 5.199.168.125 OR 5.2.70.56 OR 64.44.102.45 OR 66.63.188.146 OR 79.110.52.32 OR 85.239.52.115 OR 85.239.52.70 OR 85.239.55.238 OR 91.238.50.123)


As highlighted above, IcedID uses a Windows batch file to execute and load its main malicious dll. We can identify Process Creation events where explorer.exe (the user opening the shortcut) spawns cmd.exe with one of the bat file names taken from two recent IcedID samples, using the following query. Note that this will only capture the analyzed campaign and may not detect new variants, since the bat file name changes per build.

 

Type:"Process Creation" AND Source.Process.Name:"explorer.exe" AND Target.Process.File.Name:cmd.exe AND Target.Process.CommandLine:(caption.bat OR hanging.bat)


On execution, the IcedID bat file spawns a rundll32.exe process with the malicious dll name and the export to call in its command line arguments. This is captured in Process Creation events where the target process is "rundll32.exe" and the target command line has the form <hidden_folder>\<malicious_file.dll> #<ordinal>; in the de-obfuscated sample above the export is called by ordinal as "#1". The following query returns the associated Process Creation events for the samples analyzed in this article:

 

Type:"Process Creation" AND Target.Process.Name:"rundll32.exe" AND Target.Process.CommandLine:("#1")


Since the malware loads the malicious dll from the mounted iso, we can query "Library Loaded" events where rundll32.exe loads a dll from a removable volume. This is typically anomalous behavior but may generate false positives where software is legitimately run from USB or other removable media as part of core business functions. The following query achieves this:

 

Type:"Library Loaded" AND Source.Process.Name:"rundll32.exe"  AND Target.Executable.File.VolumeType:"Removable" AND Target.Executable.File.Ext:dll
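The queries above are written in FortiEDR Threat Hunting syntax. To make their logic concrete and testable, the Python script below, added here and not part of the original article or of FortiEDR, re-implements each query as a predicate over event records whose keys mirror the FortiEDR field names used above, and runs them across a constructed event list that follows the article's chain (explorer.exe to cmd.exe to rundll32.exe to C2) together with some benign look-alikes. The event layout, the hidden folder name lfyk and the E: drive letter are assumptions. Two rules go beyond the page's literal queries: the rundll32 rule matches any `#N` export ordinal rather than only "#1", and C2 domains are matched on the URL host so that any path under a known C2 domain fires.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Indicators taken from the article's queries and IOC table.
C2_DOMAINS = {"lionafuyesas.com", "academfleedalas.com", "heldosant.com",
              "moxisoma.com", "microark.org", "satisfyammyz.com"}
C2_IPS = {"207.154.202.192", "164.92.176.20", "104.223.118.70", "176.31.136.228"}
KNOWN_BAT_NAMES = {"caption.bat", "hanging.bat"}
# "<path>.dll #N" or "<path>.dll,#N": an export called by ordinal, any N
_ORDINAL_RE = re.compile(r"\.dll[\s,]+#\d+\s*$", re.IGNORECASE)
_URL_HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def c2_http_request(e: Event) -> bool:
    """HTTP Request to a known C2 domain (matched on host, any path)."""
    m = _URL_HOST_RE.match(e.get("URL", ""))
    return e["Type"] == "HTTP Request" and m is not None and m.group(1).lower() in C2_DOMAINS


def c2_socket_connect(e: Event) -> bool:
    """Socket Connect from rundll32.exe (parent cmd.exe) to a known C2 IP."""
    return (e["Type"] == "Socket Connect"
            and e.get("Source.Process.Name", "").lower() == "rundll32.exe"
            and _basename(e.get("Source.Process.Parent.Path", "")) == "cmd.exe"
            and e.get("RemoteIP") in C2_IPS)


def iso_batch_launch(e: Event) -> bool:
    """explorer.exe spawning cmd.exe with one of the known IcedID bat names."""
    cmdline = e.get("Target.Process.CommandLine", "").lower()
    return (e["Type"] == "Process Creation"
            and e.get("Source.Process.Name", "").lower() == "explorer.exe"
            and _basename(e.get("Target.Process.File.Name", "")) == "cmd.exe"
            and any(name in cmdline for name in KNOWN_BAT_NAMES))


def rundll32_ordinal_export(e: Event) -> bool:
    """rundll32.exe started with '<dll> #N', i.e. an export called by ordinal."""
    return (e["Type"] == "Process Creation"
            and e.get("Target.Process.Name", "").lower() == "rundll32.exe"
            and _ORDINAL_RE.search(e.get("Target.Process.CommandLine", "")) is not None)


def removable_dll_load(e: Event) -> bool:
    """rundll32.exe loading a dll from a removable volume (a mounted iso)."""
    return (e["Type"] == "Library Loaded"
            and e.get("Source.Process.Name", "").lower() == "rundll32.exe"
            and e.get("Target.Executable.File.VolumeType") == "Removable"
            and e.get("Target.Executable.File.Ext", "").lower() == "dll")


RULES: Dict[str, Callable[[Event], bool]] = {
    "c2_http_request": c2_http_request,
    "c2_socket_connect": c2_socket_connect,
    "iso_batch_launch": iso_batch_launch,
    "rundll32_ordinal_export": rundll32_ordinal_export,
    "removable_dll_load": removable_dll_load,
}


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) for every event that matches a rule."""
    return [(e["id"], name) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed telemetry (not real FortiEDR output): the IcedID chain, then benign look-alikes.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "Type": "Process Creation", "Source.Process.Name": "explorer.exe",
     "Target.Process.File.Name": "cmd.exe",
     "Target.Process.CommandLine": r"cmd.exe /c E:\lfyk\caption.bat"},
    {"id": "e2", "Type": "Process Creation", "Source.Process.Name": "cmd.exe",
     "Target.Process.Name": "rundll32.exe",
     "Target.Process.CommandLine": r"rundll32 lfyk\tempting.dll #1"},
    {"id": "e3", "Type": "Library Loaded", "Source.Process.Name": "rundll32.exe",
     "Target.Executable.File.VolumeType": "Removable", "Target.Executable.File.Ext": "dll"},
    {"id": "e4", "Type": "Socket Connect", "Source.Process.Name": "rundll32.exe",
     "Source.Process.Parent.Path": r"C:\Windows\System32\cmd.exe", "RemoteIP": "207.154.202.192"},
    {"id": "e5", "Type": "HTTP Request", "Source.Process.Name": "rundll32.exe",
     "URL": "https://lionafuyesas.com/k309/"},
    {"id": "b1", "Type": "Library Loaded", "Source.Process.Name": "rundll32.exe",
     "Target.Executable.File.VolumeType": "Fixed", "Target.Executable.File.Ext": "dll"},
    {"id": "b2", "Type": "Socket Connect", "Source.Process.Name": "rundll32.exe",  # C2 IP but
     "Source.Process.Parent.Path": r"C:\Windows\System32\svchost.exe",           # wrong parent
     "RemoteIP": "207.154.202.192"},
    {"id": "b3", "Type": "Process Creation", "Source.Process.Name": "services.exe",
     "Target.Process.Name": "rundll32.exe",
     "Target.Process.CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Every stage of the chain (e1 to e5) is caught by exactly one rule and none of the benign events fire. Note what b2 shows: a connection to a known C2 IP from rundll32.exe with a parent other than cmd.exe is not matched, because the socket rule carries the parent filter from the page's query. That filter trades a missed variant for fewer false positives, so a second pass on RemoteIP alone is worth running when an incident is already suspected.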


MITRE ATT&CK

Initial Access - TA0001

Technique ID | Technique Description | Observed Activity
T1566.001 | Phishing: Spearphishing Attachment | Actor sends a phishing email with a malicious iso file attached to gain access to the victim's system.

Execution - TA0002

Technique ID | Technique Description | Observed Activity
T1204.002 | User Execution: Malicious File | The user is tricked into opening the .lnk file in the iso image; the shortcut's icon is changed to look like a folder.

Defense Evasion - TA0005

Technique ID | Technique Description | Observed Activity
T1620 | Reflective Code Loading | The bat file in the iso package loads the malicious dll using rundll32.exe, which then reflectively loads the final payload. The loaded payload communicates with the C2.
T1027.002 | Obfuscated Files or Information: Software Packing | The PE dll has executable sections (e.g. .QUUa, .ecEk, .tre, .hyt) with high entropy, which very likely contain packed code.
T1027 | Obfuscated Files or Information | The bat file in the iso package is obfuscated so that the commands it runs cannot easily be read.
T1218.011 | System Binary Proxy Execution: Rundll32 | The malware runs its dll through rundll32.exe to proxy execution of malicious code and avoid triggering security products. In this case the dll is tempting.dll and the export called is #1.

Command and Control - TA0011

Technique ID | Technique Description | Observed Activity
T1071 | Application Layer Protocol | The malicious dll connects to its C2 over HTTP/HTTPS (both schemes appear in the observed C2 URLs). Connections are made to dedicated malicious domains rather than compromised infrastructure.

 

IOCs (Indicators of Compromise)

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
C2 IP | 207[.]154[.]202[.]192 | IP Address | Command and Control | This C2 IP was contacted by IcedID malware following execution of the dll payload. | 2022-09-01
C2 IP | 164[.]92[.]176[.]20 | IP Address | Command and Control | This C2 IP was contacted by IcedID malware following execution of the dll payload. | 2022-09-05
C2 Domain | lionafuyesas[.]com | Domain | Command and Control | This domain was contacted by IcedID malware following execution of the dll payload. | 2022-08-31
C2 Domain | academfleedalas[.]com | Domain | Command and Control | This domain was contacted by IcedID malware following execution of the dll payload. | 2022-09-06
SHA1 Hash | 013e93e953baf32d993b31e647dd359320326aed | SHA1 Hash | Execution | Malware iso file hash | 2022-08-31
SHA1 Hash | c2231a853f5ad9b4d2da37d8fa27b251a6dea46c | SHA1 Hash | Execution | Malware iso file hash | 2022-09-06
SHA1 Hash | 022964897584502a0d3926fce3daf2bf84cef524 | SHA1 Hash | Execution | Malware lnk file hash | 2022-09-12
SHA1 Hash | 8e38e658660edd09feb819ac10a7308aea9678ea | SHA1 Hash | Execution | Malware lnk file hash | 2022-09-06
SHA1 Hash | a83fc75e022ae45273cda2922018e4e5d7b9424f | SHA1 Hash | Execution | Batch file executed by malware through the lnk file | 2022-09-12
SHA1 Hash | cb32d80822b3a8700b225197ccb7f9f1a24a7387 | SHA1 Hash | Execution | Batch file executed by malware through the lnk file | 2022-09-06
SHA1 Hash | aa825123593da665b6fcaba65d5a9ee7fa8288bb | SHA1 Hash | Execution | dll file loaded by batch file using rundll32.exe | 2022-08-31
SHA1 Hash | 92be0f6f6009cf96c0e01186459ae58b02b7c62c | SHA1 Hash | Execution | dll file loaded by batch file using rundll32.exe | 2022-09-12

 

 

[1] https://attack.mitre.org/techniques/T1553/005/

[2] https://attack.mitre.org/techniques/T1566/001/

[3] https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id
