More IcedID

Published: 2022-10-05
Last Updated: 2022-10-05 12:29:15 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

[This is a guest diary we received from Gunter Der]


While the recommendations for Exchange on Premise, as a workaround for the “ProxyNotShell” vulnerabilities, were updated [1] and Exchange online customers, still relying on basic auth, are targeted by password spray attacks [2], I had another look at recent IcedID campaigns using PNG files to hide their malicious payload. 

As Didier Stevens pointed out in his diary last week, these PNGs are not just decoy images [3]. The initial html page (eg. SHA256 0ab12d65800f3e7e6089fe3c534911f0b42d9175bcf955e937edd39e8bb2c13a) [4] has 2 base64 encoded sections, one is used as background gif to trick users in decrypting the dropped zip, the largest base64 section, with the plain text password provided at the end of the html.
The zip contains an .iso which in its turn contains a 64bit dll, the PNG and a .lnk shortcut gluing it all together:
 

C:\Windows\System32\cmd.exe /c start 73febb25-a241-41d6-8736-4c26ea6932b3.png && start ru^n^d^l^l3^2 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit


The initial access broker behind this trickery is known to hide RC4 ciphered shellcode in PNG files for a few years now so the eventual C2 (in example above triskawilko[.]com) gets detected and picked up quickly [5]. The first network activity, the DNS lookup of C2, however is delayed to evade standard timeout on some sandboxes. 

Much more PNG steganography, shellcode analysis is being covered in the formidable FOR710 Reverse-Engineering Malware: Advanced Code Analysis training.

[1]https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers
https://aka.ms/eomtv2
https://twitter.com/wdormann/status/1576922677675102208
[2]https://techcommunity.microsoft.com/t5/exchange-team-blog/use-authentication-policies-to-fight-password-spray-attacks/ba-p/3643487
[3] https://isc.sans.edu/forums/diary/PNG%20Analysis/29100/
[4] https://bazaar.abuse.ch/sample/0ab12d65800f3e7e6089fe3c534911f0b42d9175bcf955e937edd39e8bb2c13a/
[5] https://www.virustotal.com/gui/url/c3313f03bcd07c86ad3eb18b39d5e4dc7e61d685e2cf35eefc16524a9f112c6f

Keywords:
0 comment(s)

Comments


Diary Archives