TA551 distributes new ICEDID malware

- Updated:
- 18 Dec 2020
- Product/Version:
- Apex One 2019
- Deep Discovery Email Inspector All
- Deep Discovery Inspector All
- Deep Security 12.0
- OfficeScan XG
- ScanMail for Exchange 14.0
- Worry-Free Business Security Standard 10.0
- Platform:

ICEDID, also known as BokBot, is a modular banking malware designed to steal financial information. It is first discovered around 2017 and observed in the wild being downloaded as a second stage payload from EMOTET campaigns. It is capable of propagation over the network, monitor activities from the infected system and exfiltration of data. It conducts a man-in-the-browser attack such as web-injection, proxy setup and redirection. It continuously evolves to increase persistence and detection evasion.

In recent malspam campaigns, a cybercriminal threat group called Shathak or TA551 distributed the malware. The malspam has a password protected ZIP attachment that appears to contain a request document. Extracted from the ZIP file is a Word document containing malicious macros. It uses social engineering attempt to trick the user to enable the macros. It will download the ICEDID loader as a DLL file with a different extension such as .tmp or .pdf. It connects to the C&C server to download a PNG file that contains encrypted data of the ICEDID malware. The loader will decrypt the data and inject the malware in an instance of svchost.exe.

Behaviour

Has anti-debugging and anti-VM checks
Hides encrypted payload in PNG files (steganography)
Modification of code injection tactics
Stealth and fileless operation

Capabilities

Information Theft
Propagation

Impact

Financial loss - steals banking information
Violation of user privacy - gathers user credentials on various applications
Regional Impact (October 1, 2020 - November 17, 2020)

REGION EUROPE JAPAN AMERICAS APAC N-ASIA AMEA
CUSTOMER CASE COUNT 10 131 2 - - -
REGION EMEA JAPAN NABU LAR APAC
SPN VSAPI FEEDBACK 507 413 608 4 141

REGION	EUROPE	JAPAN	AMERICAS	APAC	N-ASIA	AMEA
CUSTOMER CASE COUNT	10	131	2	-	-	-
REGION	EMEA	JAPAN	NABU	LAR	APAC
SPN VSAPI FEEDBACK	507	413	608	4	141

Additional Threat Reference Information

Sample Spam

cid:image001.jpg@01D6C248.3051F640

cid:image002.png@01D6C248.3051F640

Sample Attachment

cid:image003.png@01D6C248.3051F640

cid:image004.png@01D6C248.3051F640

Infection Chain

cid:image005.png@01D6C248.3051F640

MITRE ATT&CK Matrix

BEHAVIOR	TACTIC	TECHNIQUE
Mail arrives with a password protected ZIP file	Initial Access	T1566.001 Phishing: Spearphishing Attachment
User is lured to extract the Word document and enable macro	Execution Defense Evasion	T1204.002 User Execution: Malicious File T1059.005 Command and Scripting Interpreter: Visual Basic T1027 Obfuscated Files or Information
Executes an embedded JS script from a dropped HTML file via dropped copy of mshta.exe	Execution	T1218.005 Signed Binary Proxy Execution: Mshta
Downloaded malicious DLL file is executed via regsvr32.exe	Defense Evasion	T1218.010 Signed Binary Proxy Execution: Regsvr32
Connects to C&C	Command and Control	T1071.001 Application Layer Protocol: Web Protocols
Downloads PNG files with encoded data to be used to create the ICEDID payload	Defense Evasion Execution	T1027.002 Obfuscated Files or Information: Software Packing T1027.003 Obfuscated Files or Information: Steganography T1055.001 Process Injection: Dynamic-link Library Injection T1106 Native API
Adds scheduled task	Persistence	T1053.005 Scheduled Task/Job: Scheduled Task
Steal financial information and data stored in a web browser	Discovery Collection	T1040 Network Sniffing T1069 Permission Groups Discovery T1082 System Information Discovery T1087.002 Account Discovery: Domain Account T1185 Man in the Browser T1560 Archive Collected Data
Send stolen information to C&C	Exfiltration	T1041 Exfiltration Over C2 Channel
Able to download additional components or payload	Command and Control	T1105 Ingress Tool Transfer

Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
Email Protection	Yes	AS Pattern 5796	November 17, 2020	-
URL Protection	Yes	In the Cloud	-	-
Advanced Threat Scan Engine (ATSE)	Yes	16.361.00	November 20, 2020	< same as VSAPI >
Predictive Learning (TrendX)	Yes	In the Cloud	-	Downloader.VBA.TRX.XXVBAF01FF011 Downloader.VBA.TRX.XXVBAF01FF009 Downloader.VBA.TRX.XXVBAF01FF010 Troj.Win32.TRX.XXPE50FFF037 Troj.Win32.TRX.XXPE50FFF038 TSPY.Win32.TRX.XXPE50FFF037E0002
File detection (VSAPI)	Yes	ENT OPR 16.361.00	November 20, 2020	Trojan.HTML.ICEDID.VWFZ Trojan.W97M.ICEDID.SMAC Trojan.W97M.ICEDID.SMCET Trojan.W97M.ICEDID.SMTH Trojan.W97M.ICEDID.SM Trojan.W97M.ICEDID.SMA Trojan.W97M.ICEDID.AR Trojan.W97M.ICEDID.FAIX Trojan.W97M.ICEDID.GAAA Trojan.Win32.ICEDID.ENG Trojan.Win32.ICEDID.FAIM Trojan.Win32.ICEDID.THJOCBO TrojanSpy.Win32.ICEDID.BP TrojanSpy.Win32.ICEDID.FAIX
Network Pattern	Yes	-	-	TROJ_GEN.R011C0PJA20 - HTTP (Response)
Behavioral Monitoring (AEGIS)	Yes	TMTD OPR 2191	-	ARV4483T (document)

Solution Modules

Solution Available

Pattern Branch

Release Date

Detection/Policy/Rules

Email Protection

Yes

AS Pattern 5796

November 17, 2020

URL Protection

Yes

In the Cloud

Advanced Threat Scan Engine (ATSE)

Yes

16.361.00

November 20, 2020

< same as VSAPI >

Predictive Learning (TrendX)

Yes

In the Cloud

Downloader.VBA.TRX.XXVBAF01FF011
Downloader.VBA.TRX.XXVBAF01FF009
Downloader.VBA.TRX.XXVBAF01FF010
Troj.Win32.TRX.XXPE50FFF037
Troj.Win32.TRX.XXPE50FFF038
TSPY.Win32.TRX.XXPE50FFF037E0002

File detection (VSAPI)

Yes

ENT OPR 16.361.00

November 20, 2020

Trojan.HTML.ICEDID.VWFZ
Trojan.W97M.ICEDID.SMAC
Trojan.W97M.ICEDID.SMCET
Trojan.W97M.ICEDID.SMTH
Trojan.W97M.ICEDID.SM
Trojan.W97M.ICEDID.SMA
Trojan.W97M.ICEDID.AR
Trojan.W97M.ICEDID.FAIX
Trojan.W97M.ICEDID.GAAA
Trojan.Win32.ICEDID.ENG
Trojan.Win32.ICEDID.FAIM
Trojan.Win32.ICEDID.THJOCBO
TrojanSpy.Win32.ICEDID.BP
TrojanSpy.Win32.ICEDID.FAIX

Network Pattern

Yes

TROJ_GEN.R011C0PJA20 - HTTP (Response)

Behavioral Monitoring (AEGIS)

Yes

TMTD OPR 2191

ARV4483T (document)

Need More Help?

TA551 distributes new ICEDID malware