On November 17, 2022 Todyl’s MXDR team observed new infections from a campaign that included the IcedID Trojan, first discovered in 2017 by IBM X-Force [1]. This new activity targets users in the US with IRS notifications and file names such as IRS_Form_11-17-2022_16-48-39.exe. These infections differ from the Emotet activity seen by Proofpoint [2] in recent weeks because the actor used a re-registered parked domain to host the malware.
Newly Registered Domain
The threat actor re-registered the domain name www-irs-gov[.]com on 11-17-2022. The domain appears to have been registered and re-registered with several registrars since 2015:
At the time of writing, the domain is associated with the IP 80[.]66[.]64[.]54, a web server that has several domains associated with it that have been created in and first seen in the last week. Based on the domains and subdomains, the actor seems to be attacking Australian targets as well.
Executable Behavior
Upon running, the executable performs a memory injection into an unbacked executable section and utilizes rundll32.exe to load a dropped dll (Abuyafpt.dll) that creates a scheduled task via svchost.exe. Multiple .tmp files are then dropped in the temp folder and it is observed that dllhost.exe launches cmd.exe that opens outlook.exe.
- process.threat.Ext.start_address_module: "
C:\Users\{users}\Downloads\IRS_Forms_11-17-2022_16-48.39.exe" - Target.process.threat.Ext.start_address_module: "
Unbacked" - process.command_line: "
cmd.exe /c start "" outlook.exe" - process.parent.command_line: "
C:\Windows\system32\svchost.exe - k netsvcs - p -s Schedule" - process.command_line: "
rundll32.exe "C:\Users\{user}\AppData\Roaming\User-1\User-1\opyacn.dll",#1 - damuib="DebateAlcohol\license.dat""
Detection Mechanism(s)
The Todyl Security Platform’s Endpoint Security (EDR + NGAV) and Managed Cloud SIEM capabilities utilized several detection methods including:
- Memory Threat Detection: Shellcode Injection
- YARA Signatures for the IcedID Malware
- Malware Detection
- Unusual Parent Process for cmd.exe
- Suspicious Execution via Scheduled Task
Activity such as this illustrates the need for a comprehensive security platform that not only looks at the endpoint, but also pulls in correlation data to a SIEM from Network, DNS, and Proxy, among others.
Indicators of Compromise
Associated with Malware:
www-irs-gov[.]com80[.]66[.]64[.]54IRS_Form_11-17-202_16-48-39.exe - e5af30f751cb20f72b4a127d2bb075477659148ed8af047b97f4263d46bc132barrelx64.tmp - 2374f26dfa20f1697f089d017e3d5f2138f07c240e35b358ce71f6d99c2f2ea3Abuyafpt.dll - a3ca4733682bc3e5a5b28f6815b5d13375a7ddaead45654b23f9bc1466f914b8opyacn.dll - 19c772133e924c89c9a149cdc697226fc8697f3bbf839df5f8c135aab0b5cf85$RWW6XP7.exe - e5af30f751cb20f72b4a127d2bb075477659148ed8af047b97f4263d46bc1328C:\Users\{user}\AppData\Roaming\user-1\Abuyafpt.dllC:\Users\{user}\AppData\Roaming\DebateAlcohol\license.dat
Associated with Threat Actor Infrastructure:
www-irs[.]comsdr-nb[.]comwwww-dlscord[.]comtrackitem[.]linkmoralaz[.]topacridpanel[.]comdpd-trackit[.]ukksd-ir[.]comthm-ve[.]comservicesaustralia[.]gove[.]au[.]thm-ve[.]comdpd-trackit[.]linkwww[.]servicesaustralia[.]au[.]csk-io[.]comservicesaustralia[.]gov[.]au[.]thm-ve[.]comcsk-io[.]comgov[.]au[.]csk-io[.]comau.csk-io[.]com
Update: November 18, 2022
The Todyl MXDR & Adversary Threat Intelligence (ATI) teams continue to monitor the situation with the IcedID campaign. After examining the Portable Executable (PE), we were able to find other indicators associated with the campaign: asiksliopakt[.]com.
PE Details
The file shows as a PDF if the end-user is hiding file extensions, which is default in Windows, thereby tricking the user into thinking they are opening a PDF as opposed to running a malicious binary.
Looking at the strings, we can tell the file is packed. Using our Endpoint Security solution, we can essentially unpack it by viewing the compressed bytes from the shellcode injection alert.