The Threat of IcedID Still Looming
Category: Malware Campaign | Industry: N/A | Level: Tactical | Source: Elastic
Elastic researchers have found that the infrastructure for the IcedID banking trojan remains online, allowing threat actors to continue leveraging the notorious malware. IcedID was first discovered in 2017 targeting financial institutions; however, the malware has since evolved to be used in more complicated attacks, such as delivering Cobalt Strike and other malicious payloads. Recent IcedID infections have typically combined a compressed zip file and an ISO image file to obfuscate their malicious payloads, and use an LNK shortcut file to trigger the payload with living-off-the-land binaries (LOLBins). "Before ICEDID communicates with its C2 server, it performs a TLS certificate check by comparing the certificate serial number with a hash of the certificate's public key. As certificate serial numbers should all be unique, ICEDID uses a self-signed certificate and an expected certificate serial number as a way to validate the TLS certificate." IcedID proceeds with the connection if the TLS check passes, allowing it to connect to the attacker's command and control (C2) server to download additional payloads and to establish persistence in the registry or with a scheduled task. Most of IcedID's core functionality has gone unchanged, with 23 modules observed by Elastic that enable credential stealing, command execution, shellcode injection, and data collection.
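As an added defender-side illustration (not Elastic's or Anvilogic's code), the following Python heuristic flags self-signed certificates whose serial number is a digest of their own public key, the trait described above. The candidate hash algorithms, the record layout and the sample records are assumptions, since the page does not state which hash IcedID uses.

```python
import hashlib
from typing import Optional

# The page does not say which hash IcedID applies to the public key, so the
# digests tried here are assumptions for the heuristic, not the real algorithm.
CANDIDATE_DIGESTS = ("md5", "sha1", "sha256")
MAX_SERIAL_LEN = 20  # RFC 5280 caps certificate serial numbers at 20 octets
MIN_SERIAL_LEN = 8   # shorter serials would match digest prefixes by chance

def serial_matches_pubkey_hash(serial_hex: str, spki_der: bytes) -> Optional[str]:
    """Return the digest name if the serial equals a digest of the
    SubjectPublicKeyInfo bytes (or its leading bytes), otherwise None."""
    raw = bytes.fromhex(serial_hex.replace(":", "").strip())
    # DER prepends 0x00 when the top bit is set, so compare both forms.
    variants = {raw, raw.lstrip(b"\x00")}
    for name in CANDIDATE_DIGESTS:
        digest = hashlib.new(name, spki_der).digest()
        for serial in variants:
            if MIN_SERIAL_LEN <= len(serial) <= MAX_SERIAL_LEN and digest.startswith(serial):
                return name
    return None

def scan_records(records):
    """Flag self-signed certificates whose serial is derived from their key.
    Each record is a dict with host, self_signed, serial (hex) and spki (bytes)."""
    hits = []
    for rec in records:
        if not rec["self_signed"]:
            continue  # CA-issued serials are assigned by the CA, not derived
        match = serial_matches_pubkey_hash(rec["serial"], rec["spki"])
        if match:
            hits.append((rec["host"], match))
    return hits

# Constructed sample data: SAMPLE_SPKI stands in for DER-encoded public key
# bytes and is not a real key; the hosts are placeholders.
SAMPLE_SPKI = bytes(range(64)) * 2
SAMPLE_SERIAL = hashlib.sha256(SAMPLE_SPKI).digest()[:20].hex()
SAMPLE_RECORDS = [
    {"host": "cdn-update.invalid", "self_signed": True,
     "serial": SAMPLE_SERIAL, "spki": SAMPLE_SPKI},
    {"host": "intranet.invalid", "self_signed": True,
     "serial": "0b2c4d6e8fa1b3c5d7e9f10213243546", "spki": SAMPLE_SPKI},
    {"host": "www.example.invalid", "self_signed": False,
     "serial": SAMPLE_SERIAL, "spki": SAMPLE_SPKI},
]

if __name__ == "__main__":
    for host, algo in scan_records(SAMPLE_RECORDS):
        print(f"{host}: serial is a {algo} digest of the public key")
```

A hit is a lead rather than a verdict: pivot on the host to look for the zip/ISO/LNK delivery chain and the registry or scheduled-task persistence noted above.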
- Zip/LNK Leads to LOLBins and Actions on Objectives
Anvilogic Use Cases:
- Symbolic OR Hard File Link Created
- Add DLL/EXE Registry Value
- Create/Modify Schtasks