Today's diary reviews Microsoft Word documents with macros to infect vulnerable Windows hosts with IcedID malware (also known as Bokbot) on Tuesday 2020-07-14. This campaign has previously pushed Valak or Ursnif, often with IcedID as the follow-up malware to these previous infections.
Enabling macros caused the victim host to generate an HTTP request ending in .cab that returned a Windows DLL file.
This DLL file was saved to the victim host in the same directory as the Word document, and it was run using regsvr32.exe [filename].
During a successful infection, we saw HTTPS traffic to ldrglobal[.]casa and subsequent HTTPS traffic to various domain names ending in .top.
The IcedID installer uses steganography as part of its infection process, something reported in December 2019 by Malwarebytes and described by other vendors since then. We saw evidence of the steganography typical of IcedID in the infected user's AppData\Local\Temp directory. In this directory, we found a file with a name ending in .tmp that was actually a PNG image file, and we also found a Windows executable (EXE) file for IcedID with a file name ending in .exe.
During the infection process, we saw another PNG image that also has encoded data associated with the IcedID infection.
IcedID was made persistent on the infected Windows host through a scheduled task as shown below.
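Two of the host artifacts described above are easy to check for programmatically: regsvr32.exe being launched by the Office process that opened the document, and a .tmp file under AppData\Local\Temp that is really a PNG image. The following triage script is an added example written for this diary, not code from the diary or from any vendor; the event records and file paths it uses are constructed, and the simplified dictionary shape (type, parent, image, cmdline, path, head) is an assumption standing in for whatever a Sysmon or EDR export actually provides.

```python
from pathlib import PureWindowsPath

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every PNG file
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events (not logs from the diary). Each process event
# carries parent/image/cmdline; each file event carries the path written and
# the first bytes of the file content ("head").
EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe "C:\Users\user\Downloads\invoice.dll"'},
    {"type": "file",
     "path": r"C:\Users\user\AppData\Local\Temp\~DF1A2B.tmp",
     "head": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"},
    {"type": "file",  # a .tmp that is an MZ executable, not a PNG: not flagged here
     "path": r"C:\Users\user\AppData\Local\Temp\setup.tmp",
     "head": b"MZ\x90\x00"},
    {"type": "process",  # benign regsvr32 use from explorer.exe: not flagged
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]


def regsvr32_from_office(ev):
    """True when regsvr32.exe is spawned directly by an Office application,
    the way the macro in this diary ran the downloaded DLL."""
    if ev["type"] != "process":
        return False
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev["parent"]).name.lower()
    return image == "regsvr32.exe" and parent in OFFICE_APPS


def png_disguised_as_tmp(ev):
    """True for a .tmp file under AppData\\Local\\Temp whose content starts
    with the PNG signature, matching the steganography artifact described."""
    if ev["type"] != "file":
        return False
    path = PureWindowsPath(ev["path"])
    in_temp = str(path.parent).lower().endswith("appdata\\local\\temp")
    return in_temp and path.suffix.lower() == ".tmp" and ev["head"].startswith(PNG_MAGIC)


def triage(events):
    """Return (indicator, detail) pairs for every event matching either check."""
    hits = []
    for ev in events:
        if regsvr32_from_office(ev):
            hits.append(("regsvr32_from_office", ev["cmdline"]))
        if png_disguised_as_tmp(ev):
            hits.append(("png_as_tmp", ev["path"]))
    return hits
```

Running `triage(EVENTS)` on the constructed records flags only the first two events; the MZ-headed .tmp and the explorer-spawned regsvr32 are left alone.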
Indicators of Compromise (IOCs)
35 examples of Word docs with macros for IcedID (read: SHA256 hash file name)
Domains called by the Word macros for the initial malware DLL (read: domain name - IP address)
HTTP GET requests for the initial malware DLL
18 examples of the initial malware DLL, all installers for IcedID (read: SHA256 hash file name)
Traffic from a successful IcedID infection on a Windows 7 host
Malware and artifacts from the IcedID infection
I normally run malware in a Windows 10 environment, but when testing these Word docs, I was unable to generate a full infection chain until I used a Windows 7 host.
This is a good reminder of how Windows 10 provides a more secure environment compared to Windows 7. People who follow best security practices while running the latest version of Windows are unlikely to get infected by this malware. However, we continue to see this and other campaigns on a daily basis, so this type of distribution apparently remains profitable for the criminals behind the malware.
A pcap of the infection traffic and malware samples for today's diary can be found here.
Jul 15th 2020