Blog

TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU)

IcedID Malware Shifts Its Delivery Strategy

BY eSentire Threat Response Unit (TRU)

January 31, 2023 | 7 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

IcedID first emerged in 2017 as a capable, widely observed banking trojan. Beginning in 2020, IcedID was identified as a precursor to ransomware attacks such as Egregor, Maze and Conti and has historically utilized email as its delivery vector.

In December 2022, TRU began observing IcedID infections that were traced to payloads downloaded by users from the Internet. This observation coincided with a general uptick in successful IcedID infections in Q4 of 2022, which saw 35% percent of IcedID incidents for the period between January 2022 and January 2023 (Figure 1).

Figure 1 Disrupted IcedID infections between January 2022 and January 2023

The activity in Q4 2022 was a mixture of email and drive-by infections. However, since mid-late December 2022, observed IcedID infections have originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.

Google Search Ad Abuse

Malicious Google Search Ads are nothing new, but TRU has observed an increase in their use to deliver information stealing malware and IcedID in 2022 and 2023. For IcedID specifically, TRU has observed malicious ads targeting applications such as Slack, Docker, TeamViewer, Microsoft Teams, Basecamp and Adobe Reader (among others), as seen in Figure 2.

Figure 2 Google Search Ad masquerading as chat software Slack.

Search ads utilize the auction-based Pay-Per-Click (PPC) model. Advertisers can enter a maximum bid for certain search keywords to display their ad so long as their bid is more than another advertiser’s bid. Additionally, Ads Keyword Planner, a free tool, provides an estimate for top of page bids where an advertiser can ensure their ad is shown at the top of the search results for specific keywords (usually at a premium).

For example, as of January 2023, one would need to place a maximum bid of $4.30 per click to have an ad displayed at the top of a search for “slack download”. Therefore, a top of page ad bid for 1000 clicks could cost between $1330 and $4300 USD. This cost is unlikely to be a significant barrier to threat actors who are likely using stolen payment data.

Keyword Currency Avg. monthly searches 3-month change YoY change Competition Competition (indexed value) Top of page bid (low range) Top of page bid (high range)
slack download USD 135,000 -33% 0% Low 3 1.33 4.3
Keyword slack download
Currency USD
Avg. monthly searches 135,000
3-month change -33%
YoY change 0%
Competition Low
Competition (indexed value) 3
Top of page bid (low range) 1.33
Top of page bid (high range) 4.3

Abusing search ads also provides some degree of curation in terms of ideal targets. This is reflected by both the keywords targeted (primarily software used in corporate environments) and audience segments, which includes detailed demographics, interests, intents and other attributes estimated by Google (Figure 3).

Figure 3 Audience configuration options in Google Ads.

Google does use a review process for new ads to ensure compliance with their ad policy, including malicious software. It’s not immediately clear how threat actors are circumventing these compliance checks.

Cloaking is a common tactic used to hide malicious content from all but the intended victim. An example of traffic redirection can be seen in Figure 2 above, where slackapp[.]tech is the ad link, but the final content is hosted on wvwslack[.]top. Another example can be seen in Figures 4 and 5 below, where a download page impersonating Docker leads to the legitimate Docker binary. However, in a subsequent review, the page leads to an IcedID payload host on Google FireBase storage.

Figure 4 A malicious webpage masquerading as Docker’s download page. In this instance, it served the legitimate docker installation file.
Figure 5 The website from Figure 4 on subsequent visit delivering IcedID payload via Google Firebase.

IcedID to Cobalt Strike Handoff

In mid-January 2023, a customer endpoint became infected with IcedID originating from a website masquerading as Adobe Reader. The victim arrived on the website (vwv-adobe[.]top) from clicking a Google Search Ad for Adobe software (Figure 6).

Figure 6 IcedID download page masquerading as Adobe Reader. The payload was hosted on Google's Firebase service.

The setup file (6718a804f5d5064fa3b918d844fd727d) is padded to inflate its size to over 700MB to inhibit automated inspection. When executed, IcedID executes an initial round of reconnaissance commands and initiates a check-in with the C2 (qsertopinajil[.]com), as seen in Figure 7.

Figure 7 Endpoint telemetry showing IcedID's initial execution process behavior.

The living-off-the-land reconnaissance commands used are not indifferent than what TRU has observed with malware whose objective is delivering footholds to hands-on-keyboard adversaries. The output from these commands provides a quick summary of the foothold’s worth and is likely used to triage and prioritize the most valuable footholds.

WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
ipconfig /all
systeminfo
net config workstation
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
net group "Domain Admins" /domain

Within 30 minutes, IcedID attempted to execute a PowerShell script (ozye.txt) using fodhelper.exe to bypass UAC but was blocked from doing so.

Our team of 24/7 SOC Cyber Analysts retrieved the PowerShell script from the system and determined it contained a Cobalt Strike Beacon loader (f36c8d12db66730f3cf94d28331b90ac) configured to spawn and inject into a child PowerShell process. The beacon was configured to communicate with poasnm[.]com using HTTP and spawn using regsvr32.exe.

Our SOC identified suspicious reconnaissance activity on a customer endpoint and immediately notified the customer while an investigation took place. The case was escalated when the blocked Cobalt Strike activity occurred and the system was immediately contained.

What can you learn from this TRU positive?

Recommendations from our Threat Response Unit (TRU):

General Guidance for Users:

Guidance for IT:

Indicators of Compromise

Indicator Note
www-goto-com[.]topIcedID Download Page
www-onenote-us[.]top
www-fortinet-com[.]top
www-irsform-com[.]top
www-discord-us[.]top
ww-citrixcom[.]top
wvw-basecamp-us[.]com
wvw-docker-us[.]com
wvw-microsofteams[.]top
wvw-mlcrosofteams[.]top
vwv-adobe[.]top
mlcrosofteams[.]top
www-docker[.]top
www-teamviewer[.]top
wvw-slack-us[.]com
wvwslack[.]top
wvw-teanviwer-us[.]com
wvw-webex-us[.]com

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire