Introduction
IcedID aka BokBot, is a banking trojan, this trojan gathers financial information of the victim including login information of online banking. This can also act as dropper for other malware. IcedID is typically distributed through phishing campaigns and has reportedly been distributed as a second stage payload through other distribution tools such as Emotet. Previous versions of IcedID used Microsoft office files with embedded VBA macros to download the first stage dll. However, in the latest versions the attachments are .iso files containing Windows lnk file, a Windows batch file (.bat) and malicious dll file. Since malware is using iso files, this helps it bypass Mark-of-the-Web [1] controls and run without giving any warning to user.
Figure 1 IcedID Attack Diagram
Initial Execution
The most current IcedID campaign observed by the FortiGuard Responder team is initiated through a phishing campaign using a malicious attachment (T1566.001: Phishing: Spearphishing Attachment[2]). IcedID In this campaign the victim receives a phishing email containing an .iso file as attachment. This iso file contains a lnk file and a hidden folder which contains a bat file and one dll file.
When as .iso file is opened on Microsoft Windows 10 and above by-default Windows will mount the .iso file as a removable drive (typically a CD drive) and open it in the Windows Explorer. In the case of the analyzed IcedID iso file when user opens it by double clicking in explorer user sees only document.lnk file. This matches previously reported IcedID payloads analyzed by the FortiGuard team[3]. Other folder and .bat and .dll files in that folder are hidden. The document.lnk file has icon of a folder to trick user into opening the lnk file. These files and folder structure can be seen in Figure 2 below.
Figure 2 IcedID iso file contents
When the victim executes the ‘document.lnk’ file this lnk file will execute a cmd process to run the bat file in the hidden folder of mounted iso drive. The contents of these bat files are typically obfuscated with basic variable substitution and function nesting in order to hide the commands executed by the bat file. When we analyzed and de-obfuscated the batch file the command executed by the file was “rundll32 <hidden_directory>\tempting.dll #1”. This matches the name of the dll in the hidden folder. It is observed that different samples of the malware can have different names of the hidden folder, bat file, dll file and these appear to be programmatically generated per build. Obfuscated and de-obfuscated data in the bat file can be seen in the Figure 3 below.
Figure 3 Obfuscated (left) and de-obfuscated (right) bat file contents
When the bat file executes the hidden dll file using rundll32.exe. This dll is the main IcedID executable. FortiEDR detects the IcedID payload as a malicious file based on hash reputation and stops the executable loading process. In case of future versions without a known hash, FortiEDR integrates with cloud-based AI and ML resources as well as employing online sandboxing to identify malicious and suspicious files. This event is flagged by the “Malicious File Detected” rule within the “Execution Prevention” security policy. This can be seen in the Figure 4 below.
Figure 4 FortiEDR detects loading malicious IcedID dll file initiated by the above batch file
FortiEDR detects and prevents the malware dll file attempt to communicate with it’s C2 server. This event is detected by the “Malicious File Detected” and “Unmapped Executable” rule within the “Exfiltration Prevention” security policy. The event generated as part of our analysis can be seen in the Figure 5 below.
Figure 5 FortiEDR blocks C2 communication initiated by the malicious IcedID dll file
When the dll file was analyzed, there were custom sections found in the file. These sections had very unusual names (i.e. .QUUa , .ecEk, .tre, .hyt), anomalous entry points and high entropy which can all be indicators of malicious executables. This can be seen in the Figure 6 below.
Figure 6 Possible packed sections in the dll file shown in tool PEstudio
Conclusion
In this article we have analyzed an IcedID sample from a recent campaign and observed how the FortiEDR detects the malicious sample and blocks communication of malicious sample with its C2 server. Through these protections FortiEDR has demonstrated its ability to mitigate this type of intrusion throughout the installation and command and control stages of the kill chain. FortiEDR also provides the ability to create additional detections targeting specific behavior linked to threats like IcedID. These detections are built around telemetry collected by the FortiEDR Threat Hunting module. To assist defenders in threat hunting activities targeting potential IcedID activity some queries designed to capture IcedID specific behavior and indicators are shown below. For a more in-depth technical analysis of a previous IcedID payload checkout this three part blog from the FortiGuard team: https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.
Threat Hunting
The following query can be used to identify HTTP Request events associated with communication to the IcedID C2 domains identified from the sample analyzed in this article. This query identifies the “HTTP Request” events which have the URL field matching the malware C2 domain. Note that this will only detect connections to domains associated with known C2 associated with the analyzed campaign.
Type:"HTTP Request" AND URL:("http://lionafuyesas.com" OR http://academfleedalas.com OR "https://heldosant.com/k309/" OR "https://moxisoma.com/r021/" OR "https://microark.org/r021/" OR "http://satisfyammyz.com/")
To find TCP connections to C2 IP address by rundll32.exe we can use “Socket Connect” events. To narrow down false positives we can use the source process name “rundll.exe” with list of C2 addresses in the RemoteIP field. The following query can be used to find these events. Note that this will only detect connections to IPs associated with known C2 associated with the analyzed campaign.
Type:"Socket Connect" AND Source.Process.Name: rundll32.exe AND Source.Process.Parent.Path:"cmd.exe" AND RemoteIP:(207.154.202.192 OR 164.92.176.20 OR 104.223.118.70 OR 176.31.136.228 OR 185.150.117.221 OR 193.27.14.250 OR 45.66.248.244 OR 45.66.249.26 OR 5.199.168.125 OR 5.2.70.56 OR 64.44.102.45 OR 66.63.188.146 OR 79.110.52.32 OR 85.239.52.115 OR 85.239.52.70 OR 85.239.55.238 OR 91.238.50.123)
As highlighted above, IcedID uses a Windows batch file to execute and load its main malicious dll file. We can identify Process Creation events for cmd.exe executing specific bat file names taken from two recent IcedID samples using the following query. Note that this will only capture the analyzed campaign and may not detect new variants.
Type:"Process Creation" AND Source.Process.Name:"explorer.exe" AND Target.Process.File.Name:cmd.exe AND Target.Process.CommandLine:(caption.bat OR hanging.bat)
On execution, the IcedID bat file will spawn a rundll32.exe process with the malicious IcedID dll file name and function name within the command line arguments. This information will be captured in Process Creation events where the target process is “rundll32.exe” and the command line for the target process is <hidden_folder>\<malicious_file.dll>,<function_name>. The following query will return associated Process Creation events for the samples analyzed in this article:
Type:"Process Creation" AND Target.Process.Name:"rundll32.exe" AND Target.Process.CommandLine:("#1")
Since the malware tries the malicious dll file from the mounted iso file. We can create a query for “Library Load” events where rundll.exe file tries to load a dll file from a removable volume. This is typically anomalous behavior but may generate FP alerts where software is run directly from USB or other removable media as part of core business functions. This can be achieved by following query:
Type:"Library Loaded" AND Source.Process.Name:"rundll32.exe" AND Target.Executable.File.VolumeType:"Removable" AND Target.Executable.File.Ext:dll
MITRE ATT&CK
Initial Access – TA001
Technique ID |
Technique Description |
Observed Activity |
|
T1566.001 |
Phishing: Spearphishing Attachment |
Actor sends phishing email with malicious iso file to the victim to gain access to the victim system. |
Execution – TA002
Technique ID |
Technique Description |
Observed Activity |
|
T1204.002 |
User Execution: Malicious File |
In case of IcedID the user is tricked in to opening the .lnk file in the iso image by changing the logo of the shortcut to look like a folder. |
Defense Evasion - TA0005
|
Technique ID |
Technique Description |
Observed Activity |
|
T1620 |
Reflective Code Loading |
The bat file in the iso file package loads the malicious dll file using rundll32.exe process, which then reflectively loads the final payload. This loaded payload then communicates with C2. |
|
T1027.002 |
Obfuscated Files or Information: Software Packing |
PE dll file has an executable sections (e.g. .QUUa, .ecEk, .tre, .hyt) with high entropy which is very likely to contain packed code |
|
T1027 |
Obfuscated Files or Information |
The bat file in the iso package is obfuscated so that user should not easily find out what commands are run by the batch file. |
|
T1218.011 |
System Binary Proxy Execution: Rundll32 |
Malware runs a dll by using rundll32.exe to do proxy execution of malicious code. This is done to avoid triggering of security products. In this case name of dll file is tempting.dll and function called is #1. |
Command and Control - TA0011
|
Technique ID |
Technique Description |
Observed Activity |
|
T1071 |
Application Layer Protocol |
The malicious dll file connects to C2 using HTTPS protocol. Connections are made to dedicated malicious domains rather than compromised infrastructure. |
IOCs (Indicators of Compromise)
|
Indicator Description |
Indicator |
Indicator Type |
Associated Tactic |
Notes |
First Observed |
|
C2 IP |
207[.]154[.]202[.]192 |
IP Address |
Command and Control |
This C2 IP was contacted by IcedID malware following execution of the dll payload. |
2022-09-01 |
|
C2 IP |
164[.]92[.]176[.]20 |
IP Address |
Command and Control |
This C2 IP was contacted by IcedID malware following execution of the dll payload. |
2022-09-05 |
|
C2 Domain |
Lionafuyesas[.]com |
Domain |
Command and Control
|
This Domain was contacted by IcedID malware following execution of the dll payload. |
2022-08-31 |
|
C2 Domain |
academfleedalas[.]com |
Domain |
Command and Control
|
This Domain was contacted by IcedID malware following execution of the dll payload. |
2022-09-06 |
|
SHA1 Hash |
013e93e953baf32d993b31e647dd359320326aed |
SHA1 Hash
|
Execution
|
Malware iso file hash |
2022-08-31 |
|
SHA1 Hash |
c2231a853f5ad9b4d2da37d8fa27b251a6dea46c |
SHA1 Hash
|
Execution
|
Malware iso file hash |
2022-09-06 |
|
SHA1 Hash |
022964897584502a0d3926fce3daf2bf84cef524 |
SHA1 Hash
|
Execution
|
Malware lnk file hash |
2022-09-12 |
|
SHA1 Hash |
8e38e658660edd09feb819ac10a7308aea9678ea |
SHA1 Hash
|
Execution
|
Malware lnk file hash |
2022-09-06 |
|
SHA1 Hash |
a83fc75e022ae45273cda2922018e4e5d7b9424f |
SHA1 Hash
|
Execution
|
Batch file executed by Malware through lnk file |
2022-09-12 |
|
SHA1 Hash |
cb32d80822b3a8700b225197ccb7f9f1a24a7387 |
SHA1 Hash
|
Execution
|
Batch file executed by Malware through lnk file |
2022-09-06 |
|
SHA1 Hash |
aa825123593da665b6fcaba65d5a9ee7fa8288bb |
SHA1 Hash
|
Execution
|
dll file loaded by Batch file using Rundll32.exe |
2022-08-31 |
|
SHA1 Hash |
92be0f6f6009cf96c0e01186459ae58b02b7c62c |
SHA1 Hash
|
Execution
|
dll file loaded by Batch file using Rundll32.exe |
2022-09-12 |
[1] https://attack.mitre.org/techniques/T1553/005/
[2] https://attack.mitre.org/techniques/T1566/001/
[3] https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id
