# IcedID: Defrosting a Recent Campaign

#### Illustrating evolving tactics and shared infrastructure

###### Colin Cowie, Threat Intelligence Analyst
###### Paul Jaramillo, Director of Threat Hunting & Intelligence

FIRST Technical Colloquium - April 2023

TLP:GREEN

-----

# Overview

-----

###### Targeting

IcedID initially used a MitM technique to steal banking credentials; in recent years, adversaries have been using it to gain access to targeted networks, often leading to ransomware.

Targets are primarily in North America and Europe, but also global.

###### Distributors

- Emotet (TA542)
- Shathak (TA551)
- TR (TA577)

###### Collaborators

- Trickbot & Conti

###### Key Traits

-----

# Historical Campaigns

-----

### IcedID Origin Story (2010-2016)

Timeline markers: NOV 2010, OCT 2012, JUN 2012, DEC 2014, OCT 2015, APR 2016

Above the timeline:

- Gozi developer Nikita Kuzmin, founder of 76 Service, arrested; Gozi 2.0 launches shortly after
- Pony loader drops Neverquest for a 6-month campaign (v2.2 - v2.13)
- Neverquest/Vawtrak established with Oleg Tolstykh, "vorVzakon" and "NSD"

Below the timeline:

- Neverquest pivots to Hancitor and H1N1 for distribution (v2.14 - v2.88)
- Project Blitzkrieg kicks off with updated Gozi, BackConnect and 64-bit support
- Major release 0x38 with extensive browser support; collaboration with Dyre, each dropping the other's malware

-----

### IcedID Timeline (2017-2019)

Timeline markers: JAN 2017, APR 2017, AUG 2018, FEB 2019, APR 2019, SEP 2019

Above the timeline:

- Stanislav Lisov "Blackf" arrested; Neverquest ceases operations
- Major update to mirror Trickbot's process injection techniques
- Major update cuts file size through remote modules accessed on demand, just like Trickbot

Below the timeline:

- IcedID adopts a steganography technique with the PhotoLoader
- IcedID first observed being dropped by Emotet, using POSTs and GETs with URI parameters
- IcedID campaign C610DF9A drops Trickbot, marking the pivot from banking trojan to LaaS

-----

### IcedID Timeline (2020-2021)

Timeline markers: JUL 2020, OCT 2020, FEB 2021, MAR 2021, APR 2021, JUL 2021

Above the timeline:

- Shathak/TA551 shifts payload from Valak to IcedID
- IcedID observed dropping MAZE ransomware (UNC2198)
- "Stolen Images" campaign leveraging contact forms
- TR (TA577) now delivering and hosting on sites.google[.]com, leading to Conti
- New IcedID GZipLoader, where the license.dat config is loaded and decrypted into memory

Below the timeline:

- IcedID dropping Egregor ransomware (UNC2198)
- IcedID sells access to MountLocker/XingLocker after previously providing access to the Conti group
- IcedID delivers access in a very large REvil campaign

-----

### IcedID Timeline (2022-Today)

Timeline markers: FEB 2022, FEB 2022, APR 2022, NOV 2022, DEC 2022, FEB 2023

Above the timeline:

- Distribution of IcedID pivots to email thread hijacking using ISO images containing LNK & DLL files
- First time IcedID uses distribution via malvertising with Google PPC
- IcedID deployed against Ukrainian government organizations

Below the timeline:

- IcedID campaign using OneNote files leverages a distinctly forked version of the loader
- Conti Leaks reveal the size and scope of collaboration (Stern/Leo) and code overlap with IcedID and the MountLocker family
- IcedID Lite version first observed being delivered by Emotet (TA542)

-----

# Initial Access via Malvertising

-----

# OneNote Adoption

-----

# Infrastructure Analysis

-----

###### TLDs

- **.top**, **.club**, **.xyz**, **.space**, **.website**
- .uno, .buzz, .pw, .bid, .click, .by
- .online, .com, .site, .download, .cyou, .cloud, .best, .rocks, .casa, .fun, .lol

###### Hosting

- **Digital Ocean (2020-2022)**
- **M247 (2021, 2022)**
- BLNWX (2023)
- DEDIPATH-LLC (2023)
- EDIS-AS-EU (2023)
- COMBAHTON (2021)
- HZ Hosting (2022)
- Neterra Ltd. (2021)
- Cloudflare (2021)
- THEFIRST-AS (2020-2022)

###### Registrars

- Eranet International (2018-2021)
- **Porkbun (2020-2022)**
- Namesilo (2020-2021)
- **Tucows (2021-2023)**
- Nicenic Int (2022-2023)

-----

###### TLS certificate subject observed

"CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"

These are the values `openssl req` fills in when every prompt is left at its default, so the subject marks a self-signed certificate generated with no customisation and is a convenient pivot for finding related hosts.

-----

# Post Exploitation

-----

# Detection & Takeaways

-----

###### IcedID: ATT&CK

| Tactic | Observed behavior |
|---|---|
| Execution | CobaltStrike deployed via injection into winlogon.exe |
| Execution | Exports DllRegisterServer() function |
| Execution | Execution guardrails on the payload servers |
| Execution | In 2023, code signed by Digi Corp Media LLC |
| Persistence | Writes HKCU Run & HKLM RunOnce keys |
| Persistence | Scheduled task at logon and every hour |
| Persistence | Payload stored in %ProgramData% in a GUID folder |
| Persistence | ~/AppData/Local holds the random *.dat config file |
| Defense Evasion | VM detection of popular hypervisors |
| Defense Evasion | Proxy execution w/ rundll32, regsvr32, & mshta |
| Defense Evasion | UAC bypass via UAC-TokenMagic & Invoke-SluiBypass |
| Defense Evasion | Blends in with benign network traffic |
| Defense Evasion | Kills Windows Defender, adds key to exclude .exe and .dll files |
| Command & Control | Uses cookie parameters for victim information: _ga is processor, _gat is Windows version, _gid is MAC address |
| Command & Control | Body of response encrypted with RC4 |
| Command & Control | TLS makes use of WINHTTP.dll |
| Command & Control | Config file is encrypted with lzmat |

-----

# References

###### Timeline 2010-2016

- [https://www.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak/](https://www.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak/)
- [https://www.justice.gov/usao-sdny/pr/nikita-kuzmin-creator-gozi-virus-sentenced-manhattan-federal-court](https://www.justice.gov/usao-sdny/pr/nikita-kuzmin-creator-gozi-virus-sentenced-manhattan-federal-court)
- [https://www.sentinelone.com/labs/icedid-botnet-the-iceman-goes-phishing-for-us-tax-returns/](https://www.sentinelone.com/labs/icedid-botnet-the-iceman-goes-phishing-for-us-tax-returns/)
- [https://www.secureworks.com/research/dyre-banking-trojan](https://www.secureworks.com/research/dyre-banking-trojan)
- [https://www.slideshare.net/nel08221/networkinsightsintovawtrakv2](https://www.slideshare.net/nel08221/networkinsightsintovawtrakv2)

###### Timeline 2017-2019

- [https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html](https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html)
- [https://thehackernews.com/2017/01/neverquest-fbi-hacker.html](https://thehackernews.com/2017/01/neverquest-fbi-hacker.html)
- [https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us](https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us)

###### Timeline 2020-2021

- [https://www.sentinelone.com/labs/icedid-botnet-the-iceman-goes-phishing-for-us-tax-returns/](https://www.sentinelone.com/labs/icedid-botnet-the-iceman-goes-phishing-for-us-tax-returns/)
- [https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back](https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back)
- [https://unit42.paloaltonetworks.com/ta551-shathak-icedid/](https://unit42.paloaltonetworks.com/ta551-shathak-icedid/)
- [https://www.mandiant.com/resources/blog/melting-unc2198-icedid-to-ransomware-operations](https://www.mandiant.com/resources/blog/melting-unc2198-icedid-to-ransomware-operations)
- [https://www.binarydefense.com/icedid-gziploader-analysis/](https://www.binarydefense.com/icedid-gziploader-analysis/)
- [https://www.silentpush.com/blog/icedid-command-and-control-infrastructure](https://www.silentpush.com/blog/icedid-command-and-control-infrastructure)
- [https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf](https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf)
- [https://www.microsoft.com/en-us/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/](https://www.microsoft.com/en-us/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/)

###### Timeline 2022 - Today

- [https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships](https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships)
- [https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid](https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid)

-----

###### IcedID: Backconnect

- [https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol](https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol)
- [https://www.group-ib.com/blog/icedid/](https://www.group-ib.com/blog/icedid/)
- [https://github.com/felixweyne/imaginaryC2/tree/master/examples/use-case-7-bokbot_icedid](https://github.com/felixweyne/imaginaryC2/tree/master/examples/use-case-7-bokbot_icedid)

###### Detections

- [https://blog.reconinfosec.com/an-encounter-with-ta551-shathak](https://blog.reconinfosec.com/an-encounter-with-ta551-shathak)
- [https://github.com/telekom-security/malware_analysis/blob/main/icedid/icedid_20210507.yar](https://github.com/telekom-security/malware_analysis/blob/main/icedid/icedid_20210507.yar)
- [https://github.com/telekom-security/malware_analysis/blob/main/icedid/compute_botid_and_regkeys.py](https://github.com/telekom-security/malware_analysis/blob/main/icedid/compute_botid_and_regkeys.py)
- [https://blogs.opentext.com/dissecting-icedid-behavior-on-an-infected-endpoint/](https://blogs.opentext.com/dissecting-icedid-behavior-on-an-infected-endpoint/)
- [https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_IcedID.yar](https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_IcedID.yar)
- [https://github.com/colincowie/100DaysOfYara_2023](https://github.com/colincowie/100DaysOfYara_2023)

-----
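The Infrastructure Analysis slides list the TLDs, hosting providers, registrars and the self-signed certificate subject that recur across the campaign's servers. The following is an added example, not code from the talk or from any IcedID tooling, showing how a hunter would turn those slide traits into a scoring function for newly observed domains. The weights, the `Candidate` record layout and the sample candidates at the bottom are assumptions constructed for this example.

```python
# Added example (not from the slide deck): triage newly observed domains against the
# infrastructure traits on the Infrastructure Analysis slides. The candidate records
# at the bottom are constructed sample data, not real IcedID indicators.
import re
from dataclasses import dataclass

# TLDs listed on the slide; the ones shown in bold there get a higher weight
FREQUENT_TLDS = {"top", "club", "xyz", "space", "website"}
OTHER_TLDS = {"uno", "buzz", "pw", "bid", "click", "by", "online", "com", "site",
              "download", "cyou", "cloud", "best", "rocks", "casa", "fun", "lol"}
# Registrars and hosting providers from the slide (bold entries weighted higher);
# matched as lowercase substrings of the WHOIS / ASN organisation name
FREQUENT_REGISTRARS = ("porkbun", "tucows")
OTHER_REGISTRARS = ("eranet international", "namesilo", "nicenic int")
FREQUENT_HOSTERS = ("digital ocean", "m247")
OTHER_HOSTERS = ("blnwx", "dedipath-llc", "edis-as-eu", "combahton", "hz hosting",
                 "neterra ltd", "cloudflare", "thefirst-as")
# The certificate subject from the slide is exactly what `openssl req` produces when
# every prompt is left at its default: a self-signed cert nobody bothered to fill in
OPENSSL_DEFAULT_SUBJECT = {"CN": "localhost", "C": "AU", "ST": "Some-State",
                           "O": "Internet Widgits Pty Ltd"}


def parse_subject(subject: str) -> dict:
    """Parse 'CN=localhost, C=AU, ...' (or the '/C=AU/ST=...' form) into a dict."""
    fields = {}
    for part in re.split(r"\s*[,/]\s*", subject.strip().strip("/")):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


@dataclass
class Candidate:
    domain: str
    cert_subject: str = ""
    registrar: str = ""
    hoster: str = ""


def _weight(name: str, frequent: tuple, other: tuple) -> int:
    name = name.lower()
    if any(n in name for n in frequent):
        return 2
    if any(n in name for n in other):
        return 1
    return 0


def score_candidate(c: Candidate) -> tuple[int, list[str]]:
    """Return (score, reasons); each slide trait that matches adds 1 to 3 points."""
    score, reasons = 0, []
    tld = c.domain.lower().rsplit(".", 1)[-1]
    if tld in FREQUENT_TLDS:
        score += 2
        reasons.append(f"frequent TLD .{tld}")
    elif tld in OTHER_TLDS and tld != "com":  # .com is on the slide but carries no signal alone
        score += 1
        reasons.append(f"listed TLD .{tld}")
    w = _weight(c.registrar, FREQUENT_REGISTRARS, OTHER_REGISTRARS)
    if w:
        score += w
        reasons.append(f"registrar {c.registrar}")
    w = _weight(c.hoster, FREQUENT_HOSTERS, OTHER_HOSTERS)
    if w:
        score += w
        reasons.append(f"hoster {c.hoster}")
    if c.cert_subject and parse_subject(c.cert_subject) == OPENSSL_DEFAULT_SUBJECT:
        score += 3
        reasons.append("OpenSSL default self-signed subject")
    return score, reasons


def triage(candidates, threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Candidates at or above the threshold, highest score first."""
    hits = [(c.domain, *score_candidate(c)) for c in candidates]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


# Constructed sample candidates (placeholder names, not real infrastructure)
SAMPLE = [
    Candidate("notreal-updatecheck.top",
              "CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd",
              "Porkbun LLC", "DIGITAL OCEAN, LLC"),
    Candidate("notreal-filesync.online", "CN=notreal-filesync.online",
              "NameSilo, LLC", "M247 Ltd"),
    Candidate("corp-intranet.com", "CN=corp-intranet.com, O=Corp Inc",
              "GoDaddy.com, LLC", "Amazon.com, Inc."),
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE):
        print(f"{score:2d}  {domain}: {', '.join(reasons)}")
```

None of these traits is conclusive on its own (Cloudflare, Tucows and .com are everywhere), which is why the certificate subject carries the most weight and the result is a ranked review queue rather than a verdict.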
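The Persistence and Defense Evasion rows of the ATT&CK table (Run/RunOnce values, an hourly logon-triggered scheduled task, a GUID-named payload folder under %ProgramData%, proxy execution through rundll32/regsvr32/mshta, and Defender extension exclusions) translate directly into endpoint detections. Below is an added example, not code from the talk, that expresses those rows as rules over simplified Sysmon-style events. The event dictionary layout, the rule names, and the sample events with their GUID and file names are constructed for this example.

```python
# Added example (not from the slide deck): detection logic for the Persistence and
# Defense Evasion behaviours on the ATT&CK slide, run over constructed Sysmon-style
# events. Event field names and the sample values are assumptions for illustration.
import re

# A GUID-named folder under %ProgramData%, with or without braces
GUID_DIR = re.compile(
    r"(?:%ProgramData%|C:\\ProgramData)\\\{?[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}?\\",
    re.IGNORECASE)
# HKCU Run and HKLM RunOnce value paths as Sysmon reports them (HKCU appears as HKU\<SID>)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.IGNORECASE)
# Windows Defender per-extension exclusions for .exe / .dll
DEFENDER_EXCLUSION = re.compile(
    r"\\Windows Defender\\Exclusions\\Extensions\\\.(?:exe|dll)$", re.IGNORECASE)
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


def _image_name(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per matching event, tagged with the tactic from the slide."""
    findings = []
    for e in events:
        if e["event"] == "registry_set":
            if RUN_KEY.search(e["target"]) and GUID_DIR.search(e["data"]):
                findings.append({"rule": "run_key_guid_dir", "tactic": "Persistence",
                                 "detail": e["target"]})
            if DEFENDER_EXCLUSION.search(e["target"]):
                findings.append({"rule": "defender_extension_exclusion",
                                 "tactic": "Defense Evasion", "detail": e["target"]})
        elif e["event"] == "task_created":
            xml = e["task_xml"]
            # logon trigger plus an hourly repetition, with an action inside a GUID folder
            if ("<LogonTrigger>" in xml and "<Interval>PT1H</Interval>" in xml
                    and GUID_DIR.search(xml)):
                findings.append({"rule": "hourly_logon_task", "tactic": "Persistence",
                                 "detail": e["task_name"]})
        elif e["event"] == "process_create":
            if _image_name(e["image"]) in PROXY_BINARIES and GUID_DIR.search(e["cmdline"]):
                findings.append({"rule": "proxy_exec_guid_dir", "tactic": "Defense Evasion",
                                 "detail": e["cmdline"]})
    return findings


# Constructed sample events; the GUID, SID and file names are placeholders
PAYLOAD = r"C:\ProgramData\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\Wiqep.dll"
SAMPLE_EVENTS = [
    {"event": "registry_set",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Wiqep",
     "data": f'rundll32.exe "{PAYLOAD}",init'},
    {"event": "task_created", "task_name": r"\Wiqep_update",
     "task_xml": ("<Task><Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger>"
                  "<TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger>"
                  "</Triggers><Actions><Exec><Command>rundll32.exe</Command>"
                  f'<Arguments>"{PAYLOAD}",init</Arguments></Exec></Actions></Task>')},
    {"event": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.dll",
     "data": "DWORD (0x00000000)"},
    {"event": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": f'rundll32.exe "{PAYLOAD}",init'},
    # benign noise: a legitimate Run entry and a stock rundll32 invocation
    {"event": "registry_set",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"event": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['tactic']}] {f['rule']}: {f['detail']}")
```

The GUID-folder path is the common thread: on its own a Run value or an hourly task is routine, but a Run value, a task action or a rundll32 command line that all point into a freshly created GUID directory under %ProgramData% is the combination the slide describes, so correlating the four rules on the same host and payload path gives a far stronger signal than any one of them.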
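The Command & Control row notes that the beacon carries victim information in cookies named like Google Analytics cookies (_ga for processor, _gat for Windows version, _gid for MAC address), which is how it blends into benign traffic. The following added example, not code from the talk, shows a proxy-log check that keys on the shape of those values rather than on the cookie names: genuine Google Analytics _ga and _gid values have the form GA1.<n>.<digits>.<digits> and _gat is simply "1", so the trio being present with values of any other shape is worth a look. The log line format and the sample lines are constructed for this example; the placeholder host is not a real indicator.

```python
# Added example (not from the slide deck): a check for the Command & Control trait on
# the ATT&CK slide, the victim profile carried in Google-Analytics-named cookies
# (_ga, _gat, _gid). The log format and the sample lines are constructed for this
# example; the value patterns of genuine GA cookies are the assumption the check rests on.
import re
from urllib.parse import urlsplit

# One proxy log line: timestamp, client, method, URL, then the Cookie header or "-"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?:Cookie: (?P<cookie>[^"]*)|-)"$')
# Genuine Google Analytics cookies: _ga / _gid look like GA1.<n>.<digits>.<digits>, _gat is "1"
GA_ID = re.compile(r"^GA1\.\d+\.\d+\.\d+$")
EXPECTED = {"_ga": GA_ID, "_gat": re.compile(r"^1$"), "_gid": GA_ID}
# What the slide says each field carries when IcedID sets it
SLIDE_MEANING = {"_ga": "processor", "_gat": "Windows version", "_gid": "MAC address"}


def parse_cookies(header: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; values may themselves contain '='."""
    cookies = {}
    for item in header.split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            cookies[name] = value
    return cookies


def inspect(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_LINE.match(line)
    if not m or m["cookie"] is None:
        return None
    cookies = parse_cookies(m["cookie"])
    if not all(name in cookies for name in EXPECTED):
        return None  # the trio has to be present to resemble the beacon on the slide
    deviating = [name for name, pat in EXPECTED.items() if not pat.match(cookies[name])]
    if not deviating:
        return None  # well-formed GA cookies: ordinary web analytics traffic
    return {
        "ts": m["ts"], "client": m["client"], "host": urlsplit(m["url"]).hostname,
        "deviating": deviating,
        "fields": {name: (cookies[name], SLIDE_MEANING[name]) for name in deviating},
    }


def scan(lines) -> list:
    """All suspicious findings from an iterable of log lines."""
    return [f for f in map(inspect, lines) if f]


# Constructed sample traffic; the host and the cookie values are placeholders
SAMPLE_LOG = """\
2023-04-12T10:15:01Z 10.0.0.5 GET http://www.example.com/news "Cookie: _gat=1; _ga=GA1.2.1234567890.1681294501; _gid=GA1.2.987654321.1681294501"
2023-04-12T10:15:07Z 10.0.0.5 GET http://notreal-updatecheck.top/ "Cookie: _gat=10.0.19045.64; _ga=GA1.2.12.1; _gid=00155D01A2B3"
2023-04-12T10:15:09Z 10.0.0.5 GET http://www.example.com/style.css "-"
2023-04-12T10:15:20Z 10.0.0.7 POST http://notreal-updatecheck.top/ "Cookie: _gat=10.0.19045.64; _ga=GA1.2.12.1; _gid=00155D01A2B3"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['client']} -> {f['host']}: {f['fields']}")
```

Because Google Analytics cookies are first-party, they are sent to every site that embeds GA, so merely seeing _ga/_gat/_gid on a non-Google host is normal; the check above only fires when the values do not fit the GA format, and the finding records the slide's interpretation of each deviating field so an analyst can confirm it against the host's known hardware and OS build.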