On November 17, 2022 Todyl’s MXDR team observed new infections from a campaign that included the IcedID Trojan, first discovered in 2017 by IBM X-Force. This new activity targets users in the US with IRS notifications and file names such as IRS_Form_11-17-2022_16-48-39.exe. These infections differ from the Emotet activity seen by Proofpoint in recent weeks because the actor used a re-registered parked domain to host the malware.
Newly registered domain
The threat actor re-registered the domain name www-irs-gov[.]com on 11-17-2022. The domain appears to have been registered and re-registered with several registrars since 2015:
At the time of writing, the domain is associated with the IP 80[.]66[.]64[.]54, a web server that has several domains associated with it that have been created in and first seen in the last week. Based on the domains and subdomains, the actor seems to be attacking Australian targets as well.
Upon running, the executable performs a memory injection into an unbacked executable section and utilizes rundll32.exe to load a dropped dll (Abuyafpt.dll) that creates a scheduled task via svchost.exe. Multiple .tmp files are then dropped in the temp folder and it is observed that dllhost.exe launches cmd.exe that opens outlook.exe.
Activity such as this illustrates the need for a comprehensive security platform that not only looks at the endpoint, but also pulls in correlation data to a SIEM from Network, DNS, and Proxy, among others.
The Todyl MXDR & Adversary Threat Intelligence (ATI) teams continue to monitor the situation with the IcedID campaign. After examining the Portable Executable (PE), we were able to find other indicators associated with the campaign: asiksliopakt[.]com.
The file shows as a PDF if the end-user is hiding file extensions, which is default in Windows, thereby tricking the user into thinking they are opening a PDF as opposed to running a malicious binary.
Looking at the strings, we can tell the file is packed. Using our Endpoint Security solution, we can essentially unpack it by viewing the compressed bytes from the shellcode injection alert.
Copying the bytes into CyberChef, we can create a recipe to decompress the bytes.
After decompressing the bytes, we can see the MZ header that indicates the PE file type. We then saved the decompressed file as iced.dat and ran it through Elastic's IcedID extractor tool .
This provides the threat actor's campaign ID, domain, and XOR key:
Todyl's layered protection with our Threat Intelligence feeds has proactively blocked this indicator for partners. Additionally, we added all indicators we identified to our blocklist.
The actor seems to have multiple campaigns targeting different geographic locations as evidenced by the graph below:
Timeline of events
Below is a timeline of events we've observed associated with this threat actor:
Since this is a fluid, developing campaign, we will continue to update this blog as we acquire and confirm additional information.
Defense-in-depth is key. Only one of the domains had a valid public certificate. Todyl's SASE Proxy with SSL Inspection would block communication by default for traffic using self-signed certificates. SSL inspection is paramount, blocking self-signed certificates will mitigate some threats and cause actors to go after low hanging fruit.
The threat actor used a wide variety of hosting across multiple continents to potentially evade geographic network level controls.
The threat actor is demonstrating an elevated level of sophistication and operational capabilities as indicated by nightly builds to change hashes and avoid detection.
Companies need a holistic solution to get full protection from threats, simply focusing on Endpoint or Network and vice versa is not enough to detect and respond to evolving threats.
What's old is new again, threat actors will use parked domain names and aged out threat indicators to launch new campaigns, causing red herrings and threat teams to go "we've seen this before"
Actors who go "dormant" may just be planning their next move