On November 17, 2022 Todyl’s MXDR team observed new infections from a campaign that included the IcedID Trojan, first discovered in 2017 by IBM X-Force [1]. This new activity targets users in the US with IRS notifications and file names such as IRS_Form_11-17-2022_16-48-39.exe. These infections differ from the Emotet activity seen by Proofpoint [2] in recent weeks because the actor used a re-registered parked domain to host the malware.
The threat actor re-registered the domain name www-irs-gov[.]com on 11-17-2022. The domain appears to have been registered and re-registered with several registrars since 2015:
At the time of writing, the domain is associated with the IP 80[.]66[.]64[.]54, a web server that has several domains associated with it that have been created in and first seen in the last week. Based on the domains and subdomains, the actor seems to be attacking Australian targets as well.
Upon running, the executable performs a memory injection into an unbacked executable section and utilizes rundll32.exe to load a dropped dll (Abuyafpt.dll) that creates a scheduled task via svchost.exe. Multiple .tmp files are then dropped in the temp folder and it is observed that dllhost.exe launches cmd.exe that opens outlook.exe.
C:\Users\{users}\Downloads\IRS_Forms_11-17-2022_16-48.39.exe
"Unbacked
"cmd.exe /c start "" outlook.exe
"C:\Windows\system32\svchost.exe - k netsvcs - p -s Schedule
"rundll32.exe "C:\Users\{user}\AppData\Roaming\User-1\User-1\opyacn.dll",#1 - damuib="DebateAlcohol\license.dat"
"
The Todyl Security Platform’s Endpoint Security (EDR + NGAV) and Managed Cloud SIEM capabilities utilized several detection methods including:
Activity such as this illustrates the need for a comprehensive security platform that not only looks at the endpoint, but also pulls in correlation data to a SIEM from Network, DNS, and Proxy, among others.
Associated with Malware:
www-irs-gov[.]com
80[.]66[.]64[.]54
IRS_Form_11-17-202_16-48-39.exe - e5af30f751cb20f72b4a127d2bb075477659148ed8af047b97f4263d46bc132
barrelx64.tmp - 2374f26dfa20f1697f089d017e3d5f2138f07c240e35b358ce71f6d99c2f2ea3
Abuyafpt.dll - a3ca4733682bc3e5a5b28f6815b5d13375a7ddaead45654b23f9bc1466f914b8
opyacn.dll - 19c772133e924c89c9a149cdc697226fc8697f3bbf839df5f8c135aab0b5cf85
$RWW6XP7.exe - e5af30f751cb20f72b4a127d2bb075477659148ed8af047b97f4263d46bc1328
C:\Users\{user}\AppData\Roaming\user-1\Abuyafpt.dll
C:\Users\{user}\AppData\Roaming\DebateAlcohol\license.dat
Associated with Threat Actor Infrastructure:
www-irs[.]com
sdr-nb[.]com
wwww-dlscord[.]com
trackitem[.]link
moralaz[.]top
acridpanel[.]com
dpd-trackit[.]uk
ksd-ir[.]com
thm-ve[.]com
servicesaustralia[.]gove[.]au[.]thm-ve[.]com
dpd-trackit[.]link
www[.]servicesaustralia[.]au[.]csk-io[.]com
servicesaustralia[.]gov[.]au[.]thm-ve[.]com
csk-io[.]com
gov[.]au[.]csk-io[.]com
au.csk-io[.]com
The Todyl MXDR & Adversary Threat Intelligence (ATI) teams continue to monitor the situation with the IcedID campaign. After examining the Portable Executable (PE), we were able to find other indicators associated with the campaign: asiksliopakt[.]com.
The file shows as a PDF if the end-user is hiding file extensions, which is default in Windows, thereby tricking the user into thinking they are opening a PDF as opposed to running a malicious binary.
Looking at the strings, we can tell the file is packed. Using our Endpoint Security solution, we can essentially unpack it by viewing the compressed bytes from the shellcode injection alert.