2021-03-24 (WEDNESDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE

NOTES:

- A zip archive containing the associated malware and artifacts is available at:
-- https://github.com/pan-unit42/tweets/blob/master/2021-03-24-IcedID-malware-and-artifacts.zip
- This infection took place in an Active Directory (AD) environment, and we saw traffic associated with Cobalt Strike activity after the initial IcedID infection.
- We often see follow-up activity like Cobalt Strike from IcedID and other malware families when testing in an AD environment. But when testing the same malware on stand-alone Windows hosts, we do not find Cobalt Strike.

CHAIN OF EVENTS:

- Email --> attached ZIP archive --> extracted Excel spreadsheet --> Enable macros --> installer DLL --> gzip compressed binary --> IcedID (Bokbot)

MALWARE FROM AN INFECTION:

- SHA256 hash: 03494593165c2e14643f692edf60ee67ba5983d814eea12d8ea7319eb1a28100
- File size: 208,386 bytes
- File name: Documents (478).xlsm
- File description: Example of Excel spreadsheet with macro for IcedID (Bokbot)

- SHA256 hash: 39022f8c0188179ac2459fb3757db51f61cd9657568ee79001c6f9501d85e84e
- File size: 67,416 bytes
- File location: hxxp://ovesf23knfg03eixqds[.]xyz/gf.gif
- File location: C:\Users\Public\connectfront.xref
- File description: Installer DLL for IcedID (Bokbot)
- Run method: regsvr32 -s C:\Users\Public\connectfront.xref

- SHA256 hash: f90ddca891da06aece3acf7e63070b4cb7d2c5acc0e52ad73b23ae795befd237
- File size: 386,379 bytes
- File location: hxxp://24savetonnofmaoney[.]xyz/
- File description: Binary with gzip compressed data used to create license.dat and IcedID DLL files

- SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
- File size: 341,098 bytes
- File location: C:\Users\[username]\AppData\Roaming\LuxuryQuarter\license.dat
- File description: Data binary needed to run the IcedID DLL files

- SHA256 hash: 6c2846b4ea908abb46663d6044a50012d42eed123bf47fe045f59f076104c92c
- File size: 45,056 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\item_64.dat
- File description: Initial IcedID DLL
- Run method: rundll32.exe [filename],update /i:"AreaArrest\license.dat"

- SHA256 hash: 5fe4d17b25fd66a417eb4f4fe1c9214f9410bb66937ad877295c938f318c2744
- File size: 45,056 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\{9382BE5D-ADC1-386D-2E12-25BAA43199E2}\aruqsefu.dll
- File description: Persistent IcedID DLL
- Run method: rundll32.exe [filename],update /i:"AreaArrest\license.dat"

TRAFFIC FROM AN INFECTION:

TRAFFIC TO RETRIEVE INSTALLER DLL:

- 8.209.98[.]100 port 80 - ovesf23knfg03eixqds[.]xyz - GET /gf.gif

TRAFFIC GENERATED BY RUNNING INSTALLER DLL:

- port 443 (HTTPS) - aws.amazon[.]com - GET / (connectivity check, not malicious)
- 164.90.163[.]184 port 80 - 24savetonnofmaoney[.]xyz - GET /

ICEDID (BOKBOT) C2 TRAFFIC:

- 138.68.10[.]5 port 443 - shaxtugel[.]fun
- 138.68.10[.]5 port 443 - kosmolitopor[.]space

COBALT STRIKE TRAFFIC:

- 66.70.246[.]6 port 443 - HTTPS traffic
- 66.70.246[.]6 port 443 - securityinstant[.]org - HTTPS traffic
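The two run methods listed above (regsvr32 silently registering a non-DLL file from C:\Users\Public, and rundll32 calling the "update" export with a /i: argument pointing at license.dat) are easy to hunt for in process-creation telemetry. The script below is an added example, not part of the original notes or the Unit 42 archive; the log lines and the "bob" username are constructed, and the pipe-separated log format is an assumption.

```python
import re

# Constructed process-creation log (timestamp|host|parent|command line), not from
# the original capture; "bob" stands in for [username]. The command lines mirror the
# run methods from the notes above, followed by two benign lines as negatives.
SAMPLE_LOG = r"""
2021-03-24T14:02:11|host01|EXCEL.EXE|regsvr32 -s C:\Users\Public\connectfront.xref
2021-03-24T14:02:40|host01|regsvr32.exe|rundll32.exe C:\Users\bob\AppData\Local\Temp\item_64.dat,update /i:"AreaArrest\license.dat"
2021-03-24T14:03:05|host01|explorer.exe|rundll32.exe C:\Users\bob\AppData\Roaming\bob\{9382BE5D-ADC1-386D-2E12-25BAA43199E2}\aruqsefu.dll,update /i:"AreaArrest\license.dat"
2021-03-24T14:05:00|host01|svchost.exe|regsvr32 -s C:\Windows\System32\vbscript.dll
2021-03-24T14:06:00|host01|explorer.exe|rundll32.exe shell32.dll,Control_RunDLL
"""

# regsvr32 silent registration: capture the file path that follows -s or /s.
REGSVR32_RE = re.compile(r"\bregsvr32(?:\.exe)?\s+[-/]s\s+(?P<path>\S+)", re.IGNORECASE)
# rundll32 <file>,<export> <args>: capture the export name and trailing arguments.
RUNDLL32_RE = re.compile(
    r"\brundll32(?:\.exe)?\s+(?P<path>[^,\s]+),(?P<export>\w+)(?P<args>.*)", re.IGNORECASE)


def classify(cmdline):
    """Return a rule name if the command line matches an IcedID run method, else None."""
    m = REGSVR32_RE.search(cmdline)
    if m:
        path = m.group("path").lower()
        # Installer DLL: regsvr32 -s on a file under C:\Users\Public without a DLL/OCX extension
        if path.startswith("c:\\users\\public\\") and not path.endswith((".dll", ".ocx")):
            return "regsvr32-nondll-in-public"
    m = RUNDLL32_RE.search(cmdline)
    if m:
        args = m.group("args").lower()
        # IcedID DLL: export "update" plus a /i: argument that names license.dat
        if m.group("export").lower() == "update" and "/i:" in args and "license.dat" in args:
            return "rundll32-update-license-dat"
    return None


def scan(log_text):
    """Return (timestamp, host, parent, rule) for each log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmdline = line.split("|", 3)
        rule = classify(cmdline)
        if rule:
            hits.append((ts, host, parent, rule))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The parent process of each hit is kept because an Office application spawning regsvr32, as in the first constructed line, is the strongest signal of the macro stage in this chain.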