Cybersecurity researchers have just released a report about a series of malspam campaigns from a threat actor tracked as TA2101. Those campaigns mainly targeted German and Italian users with Cobalt Strike and Maze ransomware; a later wave of malicious emails was aimed at the US and delivered the latest version of the IcedID Trojan.
During analysis of the malware, researchers found many changes in how the payload is implemented, in particular rewritten code and new obfuscation. For example, the IcedID payload is now delivered via steganography: the data is encrypted and embedded in a valid PNG image.
IcedID short history
The IcedID Trojan is known as a banking Trojan, and one of its key features is the ability to steal data related to banking transactions. For this purpose, it injects implants into browsers, hooks their APIs, and performs a Man-in-the-Browser attack.
Its communication with the CnC is protected by HTTPS, and the malware installs its own certificate for this purpose.
IcedID distribution channel
Distribution is done via a large number of malicious emails with the subject line “USPS Delivery Unsuccessful Attempt Notification”.
Each of these emails carries a Microsoft Word document as an attachment, allegedly from the United States Postal Service. The document is designed to trick the victim into enabling macros by insinuating that its content has been encoded.
IcedID starts by injecting into svchost.exe and running under its cover. Depending on the configuration, it may or may not download other executables, including TrickBot.
Dropped files: The malware drops various files on disk.
Persistence: The malware achieves persistence with a scheduled task that has two triggers: at user logon and at a certain hour.
Malware traffic: Most of the traffic is SSL/TLS encrypted.
Old IcedID vs. new IcedID
In the new version, there is one more intermediate loader element, implemented as shellcode. The shellcode has functionality similar to what older versions implemented in the form of a PE file.
The implementation of the core bot is modified too.
Comparing both reconstructed samples shows that there are quite a few differences and rewritten parts.
Furthermore, the downloader's code shows that the shellcode entry point must first be fetched from a simple header at the beginning of the decoded module.
The strings inside this module show that it is the element responsible for generating the observed requests to the CnC.
Most of the strings used by the malware are obfuscated and decoded before use. The algorithm used for decoding is simple.
IcedID available actions
The bot's main functions are a MitM proxy, a browser hooking engine, and a backdoor module.
The backdoor feature allows the operator to run various commands on the victim machine. The CnC can also instruct the bot to decode additional malicious modules embedded inside it and deploy them in a new process.
The malware can also install its own certificate to intercept TLS traffic, and it steals saved credentials from browsers and email clients, as well as cookies.
This new version of IcedID is not only a banking Trojan but a general-purpose stealer able to extract a variety of credentials. It can also act as a downloader for other modules, including covert ones that look like harmless PNG files.
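The steganographic delivery and the loader header described above can be illustrated with a small triage script. This is an added example, not IcedID code and not the original researchers' analysis: the article does not say where in the PNG the data lives or what the header looks like, so the script assumes a hypothetical layout in which the encoded blob sits in a private ancillary chunk (named stEG here), is decoded with a repeating-key XOR (an assumed, simple scheme), and begins with an 8-byte header of <u32 module size><u32 entry offset>. The carrier PNG and the stand-in "shellcode" are constructed inline so it runs offline.

```python
"""Walk PNG chunks, flag non-standard ones, and pull out a hidden module.

Added example (not IcedID's code). Assumed layout: private chunk 'stEG'
holds XOR-encoded data whose first 8 bytes are <u32 size><u32 entry>.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"tEXt",
                   b"zTXt", b"iTXt", b"gAMA", b"cHRM", b"sRGB", b"pHYs",
                   b"bKGD", b"hIST", b"sBIT", b"sPLT", b"tIME", b"iCCP"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encodes and decodes (assumed scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_png(blob: bytes, key: bytes) -> bytes:
    """Constructed 1x1 RGB PNG that is valid to viewers but carries `blob`."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + red pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"stEG", xor_crypt(blob, key)) + _chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) for each chunk; bytes after IEND come out as b'TAIL'."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, data, (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        pos += 12 + length
        if ctype == b"IEND":
            break
    if png[pos:]:
        yield b"TAIL", png[pos:], False  # trailing data after IEND is also worth a look


def find_suspicious_chunks(png: bytes):
    """List (type, length) of chunks not in the standard set: candidates for hidden data."""
    return [(t, len(d)) for t, d, _ in iter_chunks(png) if t not in STANDARD_CHUNKS]


def extract_module(png: bytes, key: bytes, chunk_type: bytes = b"stEG"):
    """Decode the carrier chunk and return (module_bytes, entry_offset), or None."""
    for ctype, data, crc_ok in iter_chunks(png):
        if ctype != chunk_type:
            continue
        if not crc_ok:
            raise ValueError("CRC mismatch on carrier chunk")
        decoded = xor_crypt(data, key)
        size, entry = struct.unpack("<II", decoded[:8])   # assumed header
        module = decoded[8:8 + size]
        if len(module) != size or entry >= size:
            raise ValueError("header does not match payload (wrong key?)")
        return module, entry
    return None


def demo():
    """Build a constructed sample: header + stand-in bytes, not real shellcode."""
    key = b"\x5a\xa5\x13"
    stub = b"\x90\x90\xcc\xc3"        # constructed stand-in for the loader shellcode
    blob = struct.pack("<II", len(stub), 2) + stub   # entry point at offset 2
    return build_sample_png(blob, key), key


if __name__ == "__main__":
    sample, k = demo()
    print("non-standard chunks:", find_suspicious_chunks(sample))
    module, ep = extract_module(sample, k)
    print("module:", module.hex(), "entry offset:", ep)
```

When triaging a real carrier image, run `find_suspicious_chunks` first: a valid PNG with an oversized private chunk, or with data after IEND, is the thing to pull apart. Whatever the real decoding routine turns out to be, the size check in `extract_module` is the cheap sanity test that the key and header guess are right before you hand the module to a disassembler.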
This bot is mature and written by experienced developers. It deploys various typical techniques, including Zeus-style webinjects, hooks for various browsers, hidden VNC, and backconnect. Its authors also used several well-known obfuscation techniques.
Modern cyber attacks are becoming more powerful, and technology now plays a major role in defending your personal data. Always use a reputable security solution.