Last Updated: 2023-04-12 06:34:56 UTC
by Brad Duncan (Version: 1)
This week, we've seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments. The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives. The password for the downloaded zip archive is shown in the PDF file. The downloaded zip archives contain EXE files that are digitally-signed using a certificate issued by SSL.com. The EXE file is designed to install IcedID malware on a vulnerable Windows host.
Today's diary reviews an IcedID infection generated on Tuesday 2023-04-11.
Images from the infection
Files From an Infected Windows Host
- File size: 27,273 bytes
- File name: INV_Unpaid_683_April.pdf
- File description: PDF file attached to thread-hijacked email distributing IcedID

- File size: 58,031 bytes
- File name: Docs_Inv_April_11_450.zip
- File location: hxxps://firebasestorage.googleapis[.]com/v0/b/logical-waters-377622.appspot.com/o/MCRERY0iJA%2FDocs_Inv_April_11_450.zip?alt=media&token=799ca8a7-44ce-44e8-b93d-a346faaf0ea3
- File description: password-protected zip archive downloaded from link in above PDF file
- Password: 572

- File size: 131,168 bytes
- File name: Docs_Inv_April_11_450.exe
- File description: Extracted from the above zip archive, a 64-bit, digitally-signed EXE to install IcedID

- File size: 647,389 bytes
- File description: Gzip binary from shoterqana[.]com retrieved by above EXE

- File size: 354,282 bytes
- File location: C:\Users\[username]\AppData\Roaming\[random directory name]\license.dat
- File description: data binary used to run persistent IcedID DLL

- File size: 292,352 bytes
- File location: C:\Users\[username]\AppData\[random directory path under Local or Roaming]\[random name].dll
- File description: Persistent IcedID DLL (64-bit DLL)
- Run method: rundll32.exe [file name],init --ashego="[path to license.dat]"
Traffic From an Infected Windows Host
Link from the PDF file:
Above URL redirected to:
Caused when running the extracted EXE, because the EXE was digitally signed using a certificate from SSL.com:
- Note: The above URL is not malicious, but it's an indicator for this particular infection chain.
Installer EXE for IcedID retrieves gzip binary:
- 172.86.75[.]64 port 80 - shoterqana[.]com - GET / HTTP/1.1
- 192.153.57[.]82 port 443 - villageskaier[.]com - HTTPS traffic
- 162.33.178[.]40 port 443 - deadwinston[.]com - HTTPS traffic
Running recent IcedID samples in a lab environment this week generated IcedID BackConnect traffic to 45.61.137[.]159 over TCP port 443 (reference) and to 193.149.176[.]100, also over TCP port 443 (reference). TCP port 443 is new for IcedID BackConnect traffic, which previously used TCP port 8080. These two IP addresses are good indicators of an ongoing IcedID infection if you find traffic to these servers from your network.
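As an added example (not part of this diary), the script below turns two of the indicators above into detection logic: the rundll32 persistence launch with the `init` export and `--ashego="...license.dat"` argument, and network flows to the BackConnect servers or C2 domains listed here. The log line format ("proc" / "flow" records) and the sample entries are constructed for the example.

```python
import re

# Indicators taken from the diary (de-fanged brackets removed).
BACKCONNECT_IPS = {"45.61.137.159", "193.149.176.100"}
C2_HOSTS = {"shoterqana.com", "villageskaier.com", "deadwinston.com"}

# Persistence launch: rundll32.exe [file name],init --ashego="[path to license.dat]"
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,init\s+--ashego="?(?P<dat>[^"]*license\.dat)"?',
    re.IGNORECASE,
)
def check_process(cmdline):
    """Return a finding for the IcedID rundll32 persistence pattern, else None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return f"rundll32 persistence: {m.group('dll')} <- {m.group('dat')}"

def check_flow(dst_ip, dst_port, hostname=None):
    """Return a finding for a BackConnect server or C2 domain, else None."""
    if dst_ip in BACKCONNECT_IPS:
        return f"BackConnect server {dst_ip} (port {dst_port})"
    if hostname and hostname.lower().rstrip(".") in C2_HOSTS:
        return f"C2 domain {hostname} ({dst_ip}:{dst_port})"
    return None

def scan(lines):
    """Scan constructed 'proc <cmdline>' and 'flow <ip> <port> [host]' lines."""
    findings = []
    for line in lines:
        kind, _, rest = line.strip().partition(" ")
        if kind == "proc":
            hit = check_process(rest)
        elif kind == "flow":
            ip, port, *host = rest.split()
            hit = check_flow(ip, int(port), host[0] if host else None)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings

# Constructed sample lines: two events from an infected host, two benign ones.
SAMPLE_LOG = [
    r'proc rundll32.exe C:\Users\bob\AppData\Roaming\Qwe\abc.dll,init --ashego="C:\Users\bob\AppData\Roaming\Qwe\license.dat"',
    "flow 45.61.137.159 443",
    "flow 8.8.8.8 443 dns.google",
    "proc rundll32.exe shell32.dll,Control_RunDLL",
]
```

Running `scan(SAMPLE_LOG)` returns two findings: the persistence launch and the flow to 45.61.137.159, while the benign rundll32 call and the DNS lookup are left alone.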
brad [at] malware-traffic-analysis.net