Threat Advisory: New IcedID Trojan Campaign

Aaron Goldstein
Brent Murphy
November 17, 2022

On November 17, 2022 Todyl’s MXDR team observed new infections from a campaign that included the IcedID Trojan, first discovered in 2017 by IBM X-Force[1]. This new activity targets users in the US with IRS notifications and file names such as IRS_Form_11-17-2022_16-48-39.exe. These infections differ from the Emotet activity seen by Proofpoint[2] in recent weeks because the actor used a re-registered parked domain to host the malware.

Newly registered domain

The threat actor re-registered the domain name www-irs-gov[.]com on 11-17-2022. The domain appears to have been registered and re-registered with several registrars since 2015:

Figure 1

At the time of writing, the domain is associated with the IP 80[.]66[.]64[.]54, a web server that has several domains associated with it that have been created in and first seen in the last week. Based on the domains and subdomains, the actor seems to be attacking Australian targets as well.

Executable behavior

Upon running, the executable performs a memory injection into an unbacked executable section and utilizes rundll32.exe to load a dropped dll (Abuyafpt.dll) that creates a scheduled task via svchost.exe. Multiple .tmp files are then dropped in the temp folder and it is observed that dllhost.exe launches cmd.exe that opens outlook.exe.

  • process.threat.Ext.start_address_module: "C:\Users\{users}\Downloads\IRS_Forms_11-17-2022_16-48.39.exe"
  • Target.process.threat.Ext.start_address_module: "Unbacked"
  • process.command_line: "cmd.exe /c start "" outlook.exe"
  • process.parent.command_line: "C:\Windows\system32\svchost.exe - k netsvcs - p -s Schedule"
  • process.command_line: "rundll32.exe "C:\Users\{user}\AppData\Roaming\User-1\User-1\opyacn.dll",#1 - damuib="DebateAlcohol\license.dat""
Figure 2

Detection mechanism(s)

The Todyl Security Platform’s Endpoint Security (EDR + NGAV) and Managed Cloud SIEM capabilities utilized several detection methods including:

  • Memory Threat Detection: Shellcode Injection
  • YARA Signatures for the IcedID Malware
  • Malware Detection
  • Unusual Parent Process for cmd.exe
  • Suspicious Execution via Scheduled Task

Activity such as this illustrates the need for a comprehensive security platform that not only looks at the endpoint, but also pulls in correlation data to a SIEM from Network, DNS, and Proxy, among others.

Figure 3

Indicators of compromise

Associated with malware:

  • www-irs-gov[.]com
  • 80[.]66[.]64[.]54
  • IRS_Form_11-17-202_16-48-39.exe - e5af30f751cb20f72b4a127d2bb075477659148ed8af047b97f4263d46bc132
  • barrelx64.tmp - 2374f26dfa20f1697f089d017e3d5f2138f07c240e35b358ce71f6d99c2f2ea3
  • Abuyafpt.dll - a3ca4733682bc3e5a5b28f6815b5d13375a7ddaead45654b23f9bc1466f914b8
  • opyacn.dll - 19c772133e924c89c9a149cdc697226fc8697f3bbf839df5f8c135aab0b5cf85
  • $RWW6XP7.exe - e5af30f751cb20f72b4a127d2bb075477659148ed8af047b97f4263d46bc1328
  • C:\Users\{user}\AppData\Roaming\user-1\Abuyafpt.dll
  • C:\Users\{user}\AppData\Roaming\DebateAlcohol\license.dat

Associated with threat actor infrastructure:

  • www-irs[.]com
  • sdr-nb[.]com
  • wwww-dlscord[.]com
  • trackitem[.]link
  • moralaz[.]top
  • acridpanel[.]com
  • dpd-trackit[.]uk
  • ksd-ir[.]com
  • thm-ve[.]com
  • servicesaustralia[.]gove[.]au[.]thm-ve[.]com
  • dpd-trackit[.]link
  • www[.]servicesaustralia[.]au[.]csk-io[.]com
  • servicesaustralia[.]gov[.]au[.]thm-ve[.]com
  • csk-io[.]com
  • gov[.]au[.]csk-io[.]com
  • au.csk-io[.]com

Update: November 18, 2022

The Todyl MXDR & Adversary Threat Intelligence (ATI) teams continue to monitor the situation with the IcedID campaign. After examining the Portable Executable (PE), we were able to find other indicators associated with the campaign: asiksliopakt[.]com.

PE Details

The file shows as a PDF if the end-user is hiding file extensions, which is default in Windows, thereby tricking the user into thinking they are opening a PDF as opposed to running a malicious binary.

Figure 4

Looking at the strings, we can tell the file is packed. Using our Endpoint Security solution, we can essentially unpack it by viewing the compressed bytes from the shellcode injection alert.

Figure 5

Copying the bytes into CyberChef, we can create a recipe to decompress the bytes.

Figure 6

After decompressing the bytes, we can see the MZ header that indicates the PE file type. We then saved the decompressed file as iced.dat and ran it through Elastic's IcedID extractor tool [3].

Figure 7

This provides the threat actor's campaign ID, domain, and XOR key:

"campaign_id":181658900

"domains": "asiksliopakt.com"

"family": "IcedID",

"key": "b5645e53e9157e3dd62aaa16936b97d1e8e8f80991f7bcf6ad1cd7287dcd5505"

Todyl's layered protection with our Threat Intelligence feeds has proactively blocked this indicator for partners. Additionally, we added all indicators we identified to our blocklist.

Figure 8

The actor seems to have multiple campaigns targeting different geographic locations as evidenced by the graph below:

Figure 9

Timeline of events

Below is a timeline of events we've observed associated with this threat actor:

Figure 10

Since this is a fluid, developing campaign, we will continue to update this blog as we acquire and confirm additional information.

Key takeaways

  • Defense-in-depth is key. Only one of the domains had a valid public certificate. Todyl's SASE Proxy with SSL Inspection would block communication by default for traffic using self-signed certificates. SSL inspection is paramount, blocking self-signed certificates will mitigate some threats and cause actors to go after low hanging fruit.
  • The threat actor used a wide variety of hosting across multiple continents to potentially evade geographic network level controls.
  • The threat actor is demonstrating an elevated level of sophistication and operational capabilities as indicated by nightly builds to change hashes and avoid detection.
  • Companies need a holistic solution to get full protection from threats, simply focusing on Endpoint or Network and vice versa is not enough to detect and respond to evolving threats.
  • What's old is new again, threat actors will use parked domain names and aged out threat indicators to launch new campaigns, causing red herrings and threat teams to go "we've seen this before"
  • Actors who go "dormant" may just be planning their next move

Additional IoCs

Attributed to binary

  • asiksliopakt[.]com

Associated with threat actor

  • dpd.trackitem[.]link
  • supp0rtaanmeldisc[.]com
  • www-discord[.]top
  • linesoffice[.]com
  • siirireevs[.]su
  • adslstickersi[.]world
  • atweeeswaadesw[.]com
  • zasxdcfvgbhnjmkazsxdcfvgbhnjmk[.]xyz
  • yuaowpa[.]ru
  • mosxinale[.]top

References

  1. IcedID Banking Trojan Redirects Users to Fake Sites, IBM Reports | eWeek
  2. A Comprehensive Look at Emotet's Fall 2022 Return | Proofpoint US
  3. ICEDID Configuration Extractor | Elastic
Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Understanding Visual Basic for Applications (VBA) Macro Attacks
Understanding Living-off-the-Land binaries and scripts (LOLBAS)
What is DNS Tunneling?

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.