{
	"id": "6ae1db39-eaac-44c6-95ff-5f2bee5c0329",
	"created_at": "2026-04-06T00:12:17.383569Z",
	"updated_at": "2026-04-10T03:20:43.60417Z",
	"deleted_at": null,
	"sha1_hash": "0f983bf74f8364dfbe8a79da2ee7dccdf65a12bc",
	"title": "Spoofed Invoice Used to Drop IcedID | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 635300,
	"plain_text": "Spoofed Invoice Used to Drop IcedID | FortiGuard Labs\r\nBy James Slaughter\r\nPublished: 2022-03-28 · Archived: 2026-04-05 16:08:26 UTC\r\nSpearphishing crafted with industry-specific terms derived from intelligence gathering techniques to trick a\r\nrecipient into opening a file is especially difficult to identify. This is particularly true when an adversary has\r\nknowledge of how a business works and the processes that underpin it. Using this knowledge, a lure can be crafted\r\nthat takes advantage of these day-to-day processes – for example, settling the cost of a fuel transaction.\r\nFortiGuard Labs recently encountered such a scenario, where a fuel company in Kyiv, Ukraine received a\r\nspearphishing e-mail that contained an attached invoice—seemingly from another fuel provider—that was\r\nspoofed. The attachment is a zip file that contains the IcedID Trojan.\r\nIcedID has been observed as far back as 2017. Its primary function is to steal banking credentials and personal\r\ninformation. It is also capable of deploying additional malware from the same group or partner organizations.\r\nThis instance also uses an interesting deployment method. It uses the ISO format, which is mounted automatically\r\nas a disk in Windows. ISO files can also be used to create bootable CD-ROMs or install an operating system or\r\nvirtual machine. The ISO also contains a LNK (shortcut file) used to launch a DLL (Dynamic-link Library).\r\nThis blog details the infection process and subsequent malware deployment by the threat actors behind IcedID.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Compromised machines are under the control of the threat actor\r\nSeverity Level: Medium\r\nThe Phishing E-mail\r\nThe e-mail originated from an IP address in Belize, at 179[.]60[.]150[.]96. It spoofs the originating e-mail address\r\nto appear to have been sent from another fuel provider in Ukraine. 
The e-mail contains both English and\r\nUkrainian elements and looks realistic given the mention of extra security measures regarding the attachment.\r\nhttps://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id\r\nPage 1 of 7\n\nFigure 1. Phishing e-mail.\r\nAttached to the e-mail is a file named “invoice_15.zip”. Extracting the zip file will drop “invoice_15.iso” and\r\nbegin the first phase of infection.\r\nISO\r\nWindows is capable of mounting ISO files as external disks. Doing so will present the user with a shortcut called\r\n“document.” In most cases, the file extension will be hidden from the user, making it appear as an actual\r\ndocument.\r\nFigure 2. ISO file with contents hidden.\r\nWhen the full contents of the ISO container are revealed, a DLL file can also be seen.\r\nFigure 3. Full contents of the ISO file.\r\nLNK\r\nFigure 4. Shortcut details.\r\nAs seen in Figure 4, the shortcut file was created some time prior to the sending of the phishing e-mail.\r\nAdditionally, the highlighted area shows what will occur should the shortcut be clicked on by a user.\r\nIn this case, Regsvr32 is used to register “main.dll” with the Windows registry and launch the code contained\r\nwithin. This action begins the next phase of infection.\r\nDropper\r\n“main.dll” acts as a dropper for IcedID. Static analysis of the file reveals an interesting point.\r\nFigure 5. Example of strings embedded in “main.dll”\r\nWhat appears at first glance to be an easy win for IOCs (Indicators of Compromise), because it contains a\r\ndomain and IP address, turns out to be slightly more complicated.\r\nFigure 6. 
Code represented in IDA Pro showing the information from Figure 5.\r\nIn comparing the area of code where the strings in Figure 5 are stored, we find that this area is not referenced by any\r\nfunction within “main.dll”. To illustrate this, the right-hand side of the very first line in Figure 6 contains “Data\r\nXREF:”. This indicates that it is referenced elsewhere in the code. The strings from Figure 5, however, do not\r\ninclude this information, indicating they are not.\r\nBy investigating further, the story becomes even more interesting. This code appears in a StackOverflow question\r\nfrom approximately 10 years ago concerning an issue about downloading an image over HTTP\r\n(https://stackoverflow.com/questions/9389183/downloading-a-picture-with-http-get-only-downloads-a-small-part-of-it). It should be noted that there is no malicious intent in the content of that posting.\r\nThat it is now part of “main.dll” indicates it is a decoy for analysts, in the hope that the actual indicators won’t be\r\nblocked.\r\nFigure 7. Information gathering by IcedID.\r\nAs can be seen in Figure 7, once running, the malware uses several Windows command-line tools to obtain\r\ninformation about the local environment. These include capturing the local IP address (ipconfig), enumerating\r\ndomain trusts (nltest), and capturing a list of domain administrators (net group), among others.\r\nThe sample then tries to communicate outbound to a command and control (C2) server. There are multiple\r\naddresses the malware can connect to in the event one of the destinations becomes unavailable.\r\nFigure 8. Network communication.\r\nFigure 9. HTTP GET request.\r\nIf a connection to a C2 server has been made, the malware then moves to ensure persistence. It installs a copy of\r\nitself in the user’s temp directory, “%APPDATA%\\local\\temp”.\r\nFigure 10. 
Dropping “Arur.exe” into the Temp directory.\r\nConclusion\r\nThreat actors that are knowledgeable of their targets are able to increase their chances of installing an implant\r\nwithin an organization. Based on our observations, the efforts used in this IcedID attack highlight the group's\r\nmethodical approach, as evidenced by their research of Ukraine's retail fuel industry. Additionally, the use of\r\nuncommon deployment methods (zipped ISO file) to establish a foothold—and ultimately gain persistence within\r\nan organization—reveals how resourceful the threat actors can be in obtaining unauthorized access.\r\nFortinet Protections\r\nAll IcedID samples mentioned in this blog are detected by the following (AV) signatures:\r\nW32/Kryptik.HOTN!tr\r\nW64/Kryptik.CXY!tr\r\nW64/Kryptik.CXY!tr\r\nW64/Kryptik.CXY!tr\r\nLNK/IceID.AW!tr\r\nW64/Kryptik.CXY!tr\r\nAll network-based URIs are blocked by the WebFiltering client.\r\nFortinet has multiple solutions designed to help train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nIn addition to these protections, we suggest that organizations also have their end users go through our FREE NSE\r\ntraining: NSE 1 – Information Security Awareness. 
It includes a module on Internet threats that is designed to help\r\nend users learn how to identify and protect themselves from various types of phishing attacks.\r\nIOCs\r\nFilename SHA256\r\ninvoice_15.zip 83bd20009107e1f60479016046b80d473436d3883ad6989e5d42bc08e142b5bb\r\ninvoice_15.iso 3542d5179100a7644e0a747139d775dbc8d914245292209bc9038ad2413b3213\r\ndocument.lnk a17e32b43f96c8db69c979865a8732f3784c7c42714197091866473bcfac8250\r\nmain.dll 698a0348c4bb8fffc806a1f915592b20193229568647807e88a39d2ab81cb4c2\r\nArur.exe 283d5eea1f9fc34e351deacc25006fc1997566932fae44db4597c84f1f1f3a30\r\nNetwork IOCs:\r\n160[.]153[.]32[.]99\r\n160[.]90[.]198[.]40\r\nyourgroceries[.]top\r\nssddds1ssd2[.]com\r\nip-160-153-32-99[.]ip[.]secureserver[.]net\r\nThanks to Val Saengphaibul and Fred Gutierrez who helped contribute to this blog.\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id"
	],
	"report_names": [
		"spoofed-invoice-drops-iced-id"
	],
	"threat_actors": [],
	"ts_created_at": 1775434337,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f983bf74f8364dfbe8a79da2ee7dccdf65a12bc.pdf",
		"text": "https://archive.orkl.eu/0f983bf74f8364dfbe8a79da2ee7dccdf65a12bc.txt",
		"img": "https://archive.orkl.eu/0f983bf74f8364dfbe8a79da2ee7dccdf65a12bc.jpg"
	}
}