SANS ISC: Internet Storm Center

Malspam links to password-protected Word docs that push IcedID (Bokbot)

Published: 2018-12-18
Last Updated: 2018-12-18 00:26:00 UTC
by Brad Duncan (Version: 1)

Introduction

Malicious spam (malspam) using some form of password protection is nothing new.  I've blogged about it before, and yesterday Didier Stevens posted an example.

I've been tracking a long-running campaign that uses password-protected Word documents to push various types of malware (more info here).  This campaign recently updated its tactics.  Previously, its malspam had been using attached Word documents to distribute (mostly) Nymaim malware.  However, last week I saw a tweet about the same type of password-protected Word document pushing IcedID (a banking Trojan also known as Bokbot).  On Monday 2018-12-17, MyOnlineSecurity.co.uk reported the same campaign continued to push IcedID, but it had switched to links in the emails instead of using attachments.  Otherwise, the method of infection is remarkably similar to previous waves of this malspam.

Today's diary examines an infection from this campaign that I generated on Monday 2018-12-17.


Shown above:  Flow chart for recent infection traffic from this campaign.

The malspam

Unfortunately, I don't have any copies of this malspam.  Below is a screenshot I created from one of the images in the report by MyOnlineSecurity.co.uk.  These emails contain links that go through Google and redirect traffic to a URL that returns a password-protected Word document.


Shown above:  Screenshot of a malspam example reported by MyOnlineSecurity.co.uk.

That URL was still active when I checked on Monday, so I used it to download a password-protected Word document.  After unlocking the Word document with the password 1234, I enabled macros to infect a vulnerable Windows host.  This Word document used the same template as the example I saw last week that pushed Nymaim.


Shown above:  Downloading a password-protected Word document from one of the URLs reported by MyOnlineSecurity.co.uk.


Shown above:  After unlocking the password-protected Word document, enable macros to infect a vulnerable Windows host.

Infection traffic

After the initial traffic returned a password-protected Word document, the next HTTP request returned a Windows executable from 209.141.61[.]249.  Post-infection traffic caused by IcedID was similar to previous IcedID infections I've seen during the past few weeks.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  Certificate data from the HTTPS/SSL/TLS traffic caused by IcedID (1 of 2).


Shown above:  Certificate data from the HTTPS/SSL/TLS traffic caused by IcedID (2 of 2).


Shown above:  HTTP websocket traffic caused by IcedID.

Forensics on the infected host

As is usual for password-protected Word documents from this campaign, the Windows executable was initially saved as C:\Users\[username]\AppData\Local\Temp\qwerty2.exe.  When the executable was run, it dropped a handful of seemingly random files under the AppData\Local\Temp directory.  The IcedID executable was then copied to a GUID-named folder under the C:\ProgramData directory, and IcedID was made persistent through a scheduled task that runs that copy.


Shown above:  Artifacts from this infection created in the user's AppData\Local\Temp directory.


Shown above:  IcedID made persistent through a scheduled task.

Indicators

The following are indicators from an infected Windows host.  Any malicious URLs, IP addresses, and domain names have been "de-fanged" to avoid any issues when viewing today's diary.

Traffic from an infected Windows host:

  • 209.141.42[.]165 port 80 - 13207303642.aircq[.]com - GET /88924438472
  • 139.59.147[.]170 port 80 - 139.59.147[.]170 - GET /important.doc
  • 209.141.61[.]249 port 80 - 209.141.61[.]249 - GET /23.exe
  • 185.223.163[.]26 port 443 - labadegmc[.]com - HTTPS/SSL/TLS traffic caused by IcedID
  • 185.223.163[.]26 port 80 - emirpa[.]host - GET /data2.php?E846C913B2BC88F9 (caused by IcedID)
  • 195.69.187[.]56 port 443 - seirfa[.]pw - HTTPS/SSL/TLS traffic caused by IcedID
  • 185.223.163[.]26 port 443 - emirpa[.]host - HTTPS/SSL/TLS traffic caused by IcedID
  • DNS queries for foxpartsearch[.]com (not answered)

Malware from an infected Windows host:

SHA256 hash: 4b95bb2a583713acb3cfee2996975573f892021a0b4c8880e659bbd569662e64

  • File size: 40,960 bytes
  • File location: hxxp://139.59.147[.]170/important.doc
  • File name: important.doc
  • File description: Password-protected Word doc from links in malspam

SHA256 hash: f476342981c639d55ce2f5471c3e9962fd2d5162890e55d2b4e45ddc641f207f

  • File size: 157,816 bytes
  • File location: hxxp://209.141.61[.]249/23.exe
  • File location: C:\Users\[username]\AppData\Local\Temp\qwerty2.exe
  • File description: IcedID retrieved by the Word macro

SHA256 hash: 4028187ea85858aa7372eafb6813e33fe7345f8bc96a4d5291a359255982144b

  • File size: 157,816 bytes
  • File location: C:\ProgramData\{E10EAEFD-3D5F-E2EA-0DBD-B1174931C85D}\gbwwwwj.exe
  • File description: IcedID persistent on the infected Windows host
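As an added example (not part of this diary and not the author's code), the following Python refangs the indicators listed above and runs them over a few constructed proxy-log lines and scheduled-task action paths.  Two generalisations in it are assumptions rather than confirmed IcedID signatures: the /data2.php?<16 hex digits> check-in pattern is widened from the single GET observed above, and the C:\ProgramData\{GUID}\<name>.exe path pattern is widened from the single persistence path above.  The one-request-per-line log format is also assumed.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the diary above, still in their de-fanged form.
DEFANGED_IOCS = [
    "13207303642.aircq[.]com",
    "hxxp://139.59.147[.]170/important.doc",
    "hxxp://209.141.61[.]249/23.exe",
    "labadegmc[.]com",
    "emirpa[.]host",
    "seirfa[.]pw",
    "foxpartsearch[.]com",
    "185.223.163[.]26",
    "195.69.187[.]56",
]

# ASSUMPTION: the diary shows one check-in, GET /data2.php?E846C913B2BC88F9.
# This widens it to any 16-hex-digit value; treat it as a heuristic.
ICEDID_CHECKIN = re.compile(r"/data2\.php\?[0-9A-F]{16}$")

# ASSUMPTION: widened from the single persistence path in the diary,
# C:\ProgramData\{GUID}\<name>.exe. Also a heuristic, not a confirmed signature.
GUID_FOLDER_EXE = re.compile(
    r"^C:\\ProgramData\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def refang(ioc: str) -> str:
    """Undo the de-fanging conventions used in the diary ("[.]" and "hxxp")."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_indicator_sets(defanged):
    """Split refanged indicators into a host set and a full-URL set."""
    hosts, urls = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        if "://" in value:
            urls.add(value)
            hosts.add(urlsplit(value).hostname)  # the URL's host is an IOC too
        else:
            hosts.add(value)
    return hosts, urls


def scan_proxy_log(log_text, hosts, urls):
    """Return (line_no, reason, value) for each log line that hits an indicator.

    Assumed format, one request per line: "<timestamp> <client> <method> <url>".
    Exact URL matches are reported first, then host matches, then the heuristic.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        host = urlsplit(url).hostname
        if url in urls:
            hits.append((line_no, "url", url))
        elif host in hosts:
            hits.append((line_no, "host", host))
        elif ICEDID_CHECKIN.search(url):
            hits.append((line_no, "pattern", url))
    return hits


def suspicious_task_actions(actions):
    """Return scheduled-task action paths shaped like the diary's persistence path."""
    return [a for a in actions if GUID_FOLDER_EXE.match(a)]


# Constructed sample log (not from the diary): four requests mirroring the
# infection chain, one benign request, and one check-in from an unlisted host.
SAMPLE_PROXY_LOG = """\
2018-12-17T15:01:02Z 10.0.0.5 GET http://13207303642.aircq.com/88924438472
2018-12-17T15:01:05Z 10.0.0.5 GET http://139.59.147.170/important.doc
2018-12-17T15:01:40Z 10.0.0.5 GET http://209.141.61.249/23.exe
2018-12-17T15:02:10Z 10.0.0.5 GET http://emirpa.host/data2.php?E846C913B2BC88F9
2018-12-17T15:02:11Z 10.0.0.5 GET http://www.example.com/index.html
2018-12-17T15:03:00Z 10.0.0.7 GET http://203.0.113.9/data2.php?0123456789ABCDEF
"""

# Constructed scheduled-task actions: the diary's path plus two ordinary ones.
SAMPLE_TASK_ACTIONS = [
    r"C:\ProgramData\{E10EAEFD-3D5F-E2EA-0DBD-B1174931C85D}\gbwwwwj.exe",
    r"C:\Program Files\Google\Update\GoogleUpdate.exe",
    r"C:\Windows\System32\sc.exe",
]

if __name__ == "__main__":
    hosts, urls = build_indicator_sets(DEFANGED_IOCS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, hosts, urls):
        print("network hit:", hit)
    for action in suspicious_task_actions(SAMPLE_TASK_ACTIONS):
        print("persistence hit:", action)
```

The last sample line is the reason the heuristic exists: its host is not on the list, so only the check-in pattern catches it.  Because both patterns are widened from a single observation, review pattern-only hits by hand before blocking on them.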

Final words

A pcap of the infection traffic and malware associated with today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net
