# IcedID Stealer Man-in-the-browser Banking Trojan

**[blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan](https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan)**

December 2, 2020

## Executive Summary

IcedID stealer (also known as BokBot) was first discovered at the end of 2017 and is believed to be a resurgence of the NeverQuest banking Trojan. It is a modular banking trojan that uses man-in-the-browser (MitB) attacks to steal banking credentials, payment card information and other financial data. The stealer possesses relatively sophisticated functionality and capabilities, such as web injects, a large remote access trojan (RAT) arsenal and a VNC module for remote control. Additionally, the use of steganography to hide configuration data, along with anti-VM and anti-debugging techniques, complicates detection and analysis.

IcedID's typical targets are the customers of banks and telecommunications organizations worldwide, with impacts including brand abuse, funds theft and customer data breaches. Cyberint has recently observed an ongoing campaign targeting users in the APAC region, with an apparent focus on the Philippines and Japan.

IcedID is traditionally delivered by a malspam lure: a Microsoft Word attachment weaponized with malicious macros, distributed through the Emotet botnet. While the majority of recently detected lure documents were written in English and targeted a wide range of users, localized campaigns have also been reported. One recent example targeted users located in Japan with lure documents written in Japanese, indicating that the threat actor behind IcedID is relatively sophisticated and may focus on specific geographies, adjusting their arsenal accordingly.
Whilst it is not possible to attribute IcedID to a specific group, past indications suggest a potential link to the following threat actors:

- Lunar Spider
- TA2101

## Delivery

As a generic malspam campaign that uses Emotet as the delivery mechanism, the lures carry a generic subject (quotation, request, document, report) and are sent directly to the targeted user. The email contains an attached ZIP archive protected by a password that is provided in the email body. Once the user extracts the document from the ZIP archive and opens it, they are prompted to 'Enable Content' (Figure 1) in Microsoft Word; doing so executes the malicious macro code while decoy content (Figure 2) is displayed.

Figure 1 – Prompt to relax security controls

Figure 2 – Decoy document content

The document metadata is detected as Russian and records a threat actor email address used for the file's creation.

Once executed, the macro writes a variety of files to disk which are used to download and decrypt the latest IcedID trojan, including an up-to-date configuration file containing the list of targeted bank and telecommunication organizations. In some cases this payload was observed as a DLL file; in others it was a steganographically obfuscated PNG file (Figure 3).

Figure 3 – PNG Configuration Payload

Although IcedID surfaced in 2017 and many iterations of the trojan have been well investigated by security researchers globally, over the past year (since circa January 2020) several new techniques have been added to detect and evade sandboxes and to generally hide the execution process.

The malware was also observed creating a new folder with a random name, in which it saves the downloaded configuration in encrypted form (Figure 4).
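The post does not describe how IcedID encodes its configuration inside the PNG shown in Figure 3, so the following is an added triage example rather than Cyberint's tooling or an IcedID-specific decoder: it walks the PNG chunk table, verifies every chunk CRC, and reports two generic signs of a smuggled payload, bytes appended after the `IEND` chunk and unusually large ancillary chunks. The threshold `LARGE_ANCILLARY_BYTES` and the 1x1 sample image built by `build_sample_png` are assumptions constructed for illustration.

```python
"""Generic PNG structure check for appended or oversized payloads.

Added example (not Cyberint's tooling, not IcedID's actual stego format).
Checks performed on a PNG byte string:
  1. every chunk CRC matches its type+data (a tampered chunk fails),
  2. no bytes follow the IEND chunk (appended payloads live there),
  3. no ancillary chunk exceeds LARGE_ANCILLARY_BYTES (assumed threshold).
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
LARGE_ANCILLARY_BYTES = 4096  # assumption: tune to the image sizes you handle


def parse_png(data: bytes) -> dict:
    """Walk the chunk table and return a report of layout and anomalies."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")

    report = {"chunks": [], "bad_crc": [], "trailing_bytes": 0,
              "large_ancillary": []}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        crc_off = pos + 8 + length
        if crc_off + 4 > len(data):
            # Truncated chunk: stop here and count the remainder as trailing data.
            break
        body = data[pos + 8:crc_off]
        (crc,) = struct.unpack(">I", data[crc_off:crc_off + 4])
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(name)
        report["chunks"].append((name, length))
        # PNG spec: bit 5 of the first type byte (lowercase letter) marks an
        # ancillary chunk, i.e. one a decoder may ignore, a good hiding place.
        if ctype[0] & 0x20 and length > LARGE_ANCILLARY_BYTES:
            report["large_ancillary"].append((name, length))
        pos = crc_off + 4
        if ctype == b"IEND":
            break
    report["trailing_bytes"] = len(data) - pos
    return report


def is_suspicious(report: dict) -> bool:
    """True if any of the three generic indicators fired."""
    return bool(report["trailing_bytes"] or report["bad_crc"]
                or report["large_ancillary"])


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(extra_after_iend: bytes = b"",
                     big_text_chunk: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input (not a real IcedID file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    if big_text_chunk:
        png += _chunk(b"tEXt", big_text_chunk)
    png += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + extra_after_iend


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_png()),
                          ("appended", build_sample_png(b"\x10" * 300))):
        rep = parse_png(sample)
        print(label, "suspicious" if is_suspicious(rep) else "ok", rep)
```

A file that fails only the CRC check may simply be corrupt; trailing data after `IEND` or a multi-kilobyte `tEXt`/`zTXt` chunk in an image that should be tiny is the stronger signal and is worth carving out for further analysis.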
Figure 4 – Download directory

Inside the %TEMP% folder, it drops some non-malicious helper components: sqlite32.dll (used to read the SQLite databases in which web browsers store their data) and a certificate that will be used to intercept browser traffic (Figure 5).

Figure 5 – Temp directory

## Infection

Once a host is infected, the IcedID banking trojan steals data related to banking transactions by injecting implants into browser processes, hooking APIs and mounting a 'Man-in-the-Browser' (MitB)[1] attack to manipulate visited webpages. As observed in the memory of an infected host (Figure 6), the svchost process contains strings that reveal the configuration of these 'web injects': modular HTML and JavaScript code elements that are injected into the webpage of a targeted brand to steal data.

Figure 6 – Web-inject strings found in memory

Figure 7 – Mozilla Firefox Web-inject

Figure 8 – Injected code snippet executed on the client side (example code available via GitHub[2])

The core bot, running inside the memory of the svchost process, watches the other processes on the system and injects implants into browsers, as seen for example in Mozilla Firefox (Figure 7). The IcedID module running inside the browser's memory is responsible for applying the web injects and installing malicious JavaScript into targeted webpages, which is then executed on the client side (Figure 8).

## C2

The hooked scripts, loaded from modified browser DLLs, communicate with the main bot process residing inside the svchost process. The main bot coordinates the work of all injected components and exfiltrates stolen data to the C2 server. To hide and encrypt its communications, all C2 traffic is sent over HTTPS using the trojan's own certificate (Figure 9).

## Recommendations

- Notify customer care of the ongoing threat in case of funds loss.
Cyberint recommends that customers educate their end users and always check for unusual browser behaviors that may lead to account compromise or funds theft. In particular:

- Provide phishing awareness training to end users.
- Use a modern, updated AV solution.
- Enable MFA on all end-user accounts.

## Indicators Of Compromise

### Targeted Brands/Organizations

Based on strings extracted from IcedID samples, the following brands and/or organizations appear to be targeted:

```
Dollar Bank
eBay
```

### IcedID Samples

The following SHA256 hashes relate to recently observed IcedID malware samples:

```
6297e0fa6229c7f329f66227656bbf99d1329aaa48341c2f750c78f1937ac952
```

### Command & Control Infrastructure

The following command and control (C2) IP addresses have recently been observed as IcedID infrastructure:

```
149.154.64.179
178.250.156.74
178.250.157.144
185.219.43.85
185.98.87.6
193.109.79.219
193.201.126.18
194.61.2.224
45.12.4.206
45.128.206.80
45.129.237.168
45.150.64.102
45.150.64.57
45.8.124.36
45.89.67.169
5.253.61.235
62.109.14.179
80.85.158.53
83.166.242.27
93.189.41.223
```

References

[1] https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/

## MITRE ATT&CK

The following techniques have been observed in recent IcedID campaigns:

| Technique | Tactic |
| --- | --- |
| T1027 – Obfuscated Files or Information | Defense Evasion |
| T1027.002 – Software Packing | Defense Evasion |
| T1027.003 – Steganography | Defense Evasion |
| T1047 – Windows Management Instrumentation | Execution |
| T1053.005 – Scheduled Task/Job: Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1059.005 – Command and Scripting Interpreter: Visual Basic | Execution |
| T1069 – Permission Groups Discovery | Discovery |
| T1071.001 – Application Layer Protocol: Web Protocols | Command & Control |
| T1082 – System Information Discovery | Discovery |
| T1087.002 – Account Discovery: Domain Account | Discovery |
| T1105 – Ingress Tool Transfer | Command & Control |
| T1106 – Native API | Execution |
| T1137.001 – Office Application Startup: Office Template Macros | Persistence |
| T1185 – Man in the Browser | Collection |
| T1204.002 – User Execution: Malicious File | Execution |
| T1218.007 – Signed Binary Proxy Execution: Msiexec | Defense Evasion |
| T1529 – System Shutdown/Reboot | Impact |
| T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
| T1553.002 – Subvert Trust Controls: Code Signing | Defense Evasion |
| T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | Credential Access |
| T1573.002 – Encrypted Channel: Asymmetric Cryptography | Command & Control |
| (technique not legible in the source) | Initial Access |
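The indicators above are only useful once they are run against telemetry. The following is an added example, not Cyberint's tooling: it loads the C2 IP addresses and sample hash listed in this post and sweeps them over endpoint/network events. The `key=value` log format, the host names, the process names and every log line are constructed here for illustration; the only real values are the indicators copied from the IoC section. Because the post places the core bot inside a svchost process, the example also separates out C2 hits that originate from `svchost.exe`.

```python
"""Sweep constructed telemetry for the IcedID C2 IPs and sample hash above.

Added example (not Cyberint's tooling). Indicator values are copied from the
IoC section of this post; the log format and the log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

ICEDID_C2_IPS = frozenset({
    "149.154.64.179", "178.250.156.74", "178.250.157.144", "185.219.43.85",
    "185.98.87.6", "193.109.79.219", "193.201.126.18", "194.61.2.224",
    "45.12.4.206", "45.128.206.80", "45.129.237.168", "45.150.64.102",
    "45.150.64.57", "45.8.124.36", "45.89.67.169", "5.253.61.235",
    "62.109.14.179", "80.85.158.53", "83.166.242.27", "93.189.41.223",
})
ICEDID_SAMPLE_SHA256 = frozenset({
    "6297e0fa6229c7f329f66227656bbf99d1329aaa48341c2f750c78f1937ac952",
})

# Constructed sample telemetry (key=value per line). Hosts, processes and the
# benign 198.51.100.7 (TEST-NET-2) address are made up for this example.
SAMPLE_LOG = """
# ts host process dst_ip dst_port sha256
ts=2020-11-30T09:12:01Z host=WS-0142 process=svchost.exe dst_ip=185.219.43.85 dst_port=443
ts=2020-11-30T09:12:03Z host=WS-0142 process=firefox.exe dst_ip=198.51.100.7 dst_port=443
ts=2020-11-30T09:13:40Z host=WS-0177 process=winword.exe sha256=6297E0FA6229C7F329F66227656BBF99D1329AAA48341C2F750C78F1937AC952
ts=2020-11-30T09:14:10Z host=WS-0177 process=rundll32.exe dst_ip=45.8.124.36 dst_port=443
ts=2020-11-30T09:15:00Z host=WS-0200 process=chrome.exe dst_ip=not-an-ip dst_port=443
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    process: str
    indicator: str
    kind: str  # "c2_ip" or "sample_hash"


def parse_line(line: str) -> dict:
    """Split a constructed 'key=value key=value' line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per indicator match; comments and blank lines are skipped."""
    hits: List[Hit] = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        f = parse_line(raw)
        ts, host, proc = f.get("ts", ""), f.get("host", ""), f.get("process", "")

        dst = f.get("dst_ip")
        if dst:
            try:
                # Reject malformed addresses instead of string-matching them.
                dst = str(ipaddress.ip_address(dst))
            except ValueError:
                dst = None
        if dst and dst in ICEDID_C2_IPS:
            hits.append(Hit(ts, host, proc, dst, "c2_ip"))

        sha = f.get("sha256", "").lower()  # hashes are compared case-insensitively
        if sha in ICEDID_SAMPLE_SHA256:
            hits.append(Hit(ts, host, proc, sha, "sample_hash"))
    return hits


def svchost_c2_hits(hits: Iterable[Hit]) -> List[Hit]:
    """C2 connections made by svchost.exe, where the post places the core bot."""
    return [h for h in hits if h.kind == "c2_ip"
            and h.process.lower() == "svchost.exe"]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.host} {h.process} {h.kind} {h.indicator}")
    print(f"{len(svchost_c2_hits(found))} svchost.exe C2 hit(s)")
```

A match on an IP address alone is a lead, not a verdict: hosting ranges get reused, so pair a `c2_ip` hit with the host-side evidence the post describes (a randomly named folder holding the encrypted configuration, `sqlite32.dll` and a certificate dropped under `%TEMP%`, and a `svchost` process carrying web-inject strings) before escalating.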