TA551 distributes new ICEDID malware

    • Updated:
    • 18 Dec 2020
    • Product/Version:
    • Apex One 2019
    • Deep Discovery Email Inspector All
    • Deep Discovery Inspector All
    • Deep Security 12.0
    • OfficeScan XG
    • ScanMail for Exchange 14.0
    • Worry-Free Business Security Standard 10.0
    • Platform:
Summary

ICEDID, also known as BokBot, is a modular banking malware designed to steal financial information. It was first discovered around 2017 and has been observed in the wild being downloaded as a second-stage payload by EMOTET campaigns. It can propagate over the network, monitor activity on the infected system and exfiltrate data. It conducts man-in-the-browser attacks, including web injection, proxy setup and redirection, and continues to evolve to improve persistence and evade detection.

In recent malspam campaigns, the cybercriminal threat group known as Shathak or TA551 distributed the malware. The malspam carries a password-protected ZIP attachment that appears to contain a request document. Extracted from the ZIP file is a Word document containing malicious macros, which uses social engineering to trick the user into enabling them. Once enabled, the macro downloads the ICEDID loader, a DLL saved with a misleading extension such as .tmp or .pdf, and executes it via regsvr32.exe (see the ATT&CK mapping below). The loader connects to the C&C server and downloads a PNG file that carries the encrypted ICEDID payload. The loader decrypts the data and injects the malware into an instance of svchost.exe.
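A responder who recovers the PNG the loader fetched will want to confirm that it is a carrier rather than a picture. The script below is an added example, not Trend Micro's tooling, and it does not claim to reproduce ICEDID's exact container format; it applies the generic structural checks that apply to any PNG a loader downloads and never displays: walk the chunk list, verify every CRC, and flag chunk types outside the standard set, bytes appended after IEND, and an IDAT stream whose inflated size disagrees with the IHDR geometry. The sample PNGs (clean, payload after IEND, payload in a private chunk named "paYl") are constructed in memory so the script runs offline.

```python
"""Structural triage of a PNG fetched by a suspicious loader (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_png(width: int, height: int, extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Build a minimal 8-bit greyscale PNG (constructed test input, not a real sample).

    extra_chunks are inserted between IHDR and IDAT; trailer is appended after IEND.
    Both emulate common ways of smuggling a payload inside an otherwise valid image.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte 0 per row
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        out += _chunk(ctype, data)
    return out + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"") + trailer


def analyze_png(blob: bytes) -> dict:
    """Return structural findings; an empty 'findings' list means nothing unusual."""
    if not blob.startswith(PNG_SIG):
        return {"valid_signature": False, "ihdr": None, "findings": ["not a PNG signature"]}
    findings, ihdr, idat, pos, saw_iend = [], None, b"", len(PNG_SIG), False
    while pos + 8 <= len(blob) and not saw_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 12 + length
        if end > len(blob):
            findings.append(f"truncated chunk {name}")
            break
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        if crc != zlib.crc32(ctype + data):
            findings.append(f"CRC mismatch in {name}")
        if ctype == b"IHDR":
            if length < 13:
                findings.append("IHDR shorter than 13 bytes")
            else:
                w, h, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", data[:13])
                ihdr = {"width": w, "height": h, "depth": depth, "colour": colour, "interlace": interlace}
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            saw_iend = True
        elif ctype not in STANDARD_CHUNKS:
            findings.append(f"unknown chunk {name} ({length} bytes)")
        pos = end
    if not saw_iend:
        findings.append("no IEND chunk")
    elif pos < len(blob):
        findings.append(f"{len(blob) - pos} bytes after IEND")
    # A non-interlaced image must inflate to exactly height * (1 filter byte + row bytes).
    if ihdr and ihdr["interlace"] == 0 and ihdr["colour"] in CHANNELS:
        row = (ihdr["width"] * CHANNELS[ihdr["colour"]] * ihdr["depth"] + 7) // 8 + 1
        try:
            actual = len(zlib.decompress(idat))
        except zlib.error:
            findings.append("IDAT stream does not inflate")
        else:
            if actual != row * ihdr["height"]:
                findings.append(f"IDAT inflates to {actual} bytes, IHDR implies {row * ihdr['height']}")
    return {"valid_signature": True, "ihdr": ihdr, "findings": findings}


if __name__ == "__main__":
    samples = {
        "clean": build_png(4, 3),
        "payload after IEND": build_png(4, 3, trailer=b"\xde\xad" * 65),
        "payload in private chunk": build_png(4, 3, extra_chunks=[(b"paYl", b"\x00" * 64)]),
    }
    for label, blob in samples.items():
        print(f"{label}: {analyze_png(blob)['findings'] or 'no findings'}")
```

Run it against the file the loader wrote to disk (or carved from the HTTP response matched by the network pattern); a file that decodes as a valid image but still raises one of these findings is worth handing to the malware team, since a decoder will happily ignore both trailing bytes and private chunks.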

Behaviour

  • Has anti-debugging and anti-VM checks
  • Hides the encrypted payload inside PNG files (steganography)
  • Modifies its code-injection tactics between versions
  • Operates stealthily and filelessly

Capabilities

  • Information Theft
  • Propagation

Impact

  • Financial loss - steals banking information
  • Violation of user privacy - gathers user credentials from various applications
  • Regional Impact (October 1, 2020 - November 17, 2020)
    Customer case count, by region (EUROPE / JAPAN / AMERICAS / APAC / N-ASIA / AMEA): 101312--- (per-region values ran together in extraction; the last three regions show "-")
    SPN VSAPI feedback, by region (EMEA / JAPAN / NABU / LAR / APAC): 5074136084141 (per-region values ran together in extraction)

Additional Threat Reference Information

Sample Spam

[image: sample malspam email]

Sample Attachment

[image: sample attachment]

Infection Chain

[image: infection chain diagram]

MITRE ATT&CK Matrix

Behavior: Mail arrives with a password-protected ZIP file
  Tactic: Initial Access
  • T1566.001 Phishing: Spearphishing Attachment

Behavior: User is lured to extract the Word document and enable the macro
  Tactics: Execution, Defense Evasion
  • T1204.002 User Execution: Malicious File
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1027 Obfuscated Files or Information

Behavior: Executes an embedded JS script from a dropped HTML file via a dropped copy of mshta.exe
  Tactic: Execution
  • T1218.005 Signed Binary Proxy Execution: Mshta

Behavior: Downloaded malicious DLL file is executed via regsvr32.exe
  Tactic: Defense Evasion
  • T1218.010 Signed Binary Proxy Execution: Regsvr32

Behavior: Connects to C&C
  Tactic: Command and Control
  • T1071.001 Application Layer Protocol: Web Protocols

Behavior: Downloads PNG files with encoded data used to build the ICEDID payload
  Tactics: Defense Evasion, Execution
  • T1027.002 Obfuscated Files or Information: Software Packing
  • T1027.003 Obfuscated Files or Information: Steganography
  • T1055.001 Process Injection: Dynamic-link Library Injection
  • T1106 Native API

Behavior: Adds scheduled task
  Tactic: Persistence
  • T1053.005 Scheduled Task/Job: Scheduled Task

Behavior: Steals financial information and data stored in a web browser
  Tactics: Discovery, Collection
  • T1040 Network Sniffing
  • T1069 Permission Groups Discovery
  • T1082 System Information Discovery
  • T1087.002 Account Discovery: Domain Account
  • T1185 Man in the Browser
  • T1560 Archive Collected Data

Behavior: Sends stolen information to C&C
  Tactic: Exfiltration
  • T1041 Exfiltration Over C2 Channel

Behavior: Able to download additional components or payloads
  Tactic: Command and Control
  • T1105 Ingress Tool Transfer
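The execution rows above (Word macro, a dropped copy of mshta.exe running an HTML file, regsvr32.exe loading a DLL saved with a non-DLL extension) translate directly into process-creation hunting logic. The script below is an added example, not Trend Micro's detection content: it runs four such checks over Sysmon-style process-creation records. The record format (pipe-separated key=value fields), the rule names and the sample events are all constructed for this example and contain no real indicators; adapt parse_event() to the field names your own pipeline emits.

```python
"""Hunting the TA551/ICEDID execution chain in process-creation telemetry (added example)."""
import ntpath
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
OFFICE_HOSTS = {"winword.exe"}            # assumption: extend with other Office hosts as needed
LIBRARY_EXTS = {".dll", ".ocx"}           # what regsvr32 legitimately loads
LOLBINS = {"mshta.exe", "regsvr32.exe"}

# Constructed sample telemetry (not real IOCs). Events 0 and 1 model the chain in the
# advisory; events 2 and 3 are ordinary uses of the same binaries that should not match.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Users\jdoe\AppData\Local\Temp\mshta.exe"
    r"|CommandLine=C:\Users\jdoe\AppData\Local\Temp\mshta.exe C:\Users\jdoe\AppData\Local\Temp\request.html",
    r"ParentImage=C:\Users\jdoe\AppData\Local\Temp\mshta.exe"
    r"|Image=C:\Windows\System32\regsvr32.exe"
    r"|CommandLine=regsvr32.exe /s C:\Users\jdoe\AppData\Local\Temp\update.tmp",
    r"ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Windows\System32\regsvr32.exe"
    r"|CommandLine=regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    r"ParentImage=C:\Windows\System32\svchost.exe"
    r"|Image=C:\Windows\System32\mshta.exe"
    r'|CommandLine="C:\Windows\System32\mshta.exe" C:\Windows\Temp\report.hta',
]


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may contain '=' but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _argv(cmdline: str) -> list:
    """Tokenise a Windows command line, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (empty list = no match)."""
    hits = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image_path = event.get("Image", "")
    image = ntpath.basename(image_path).lower()
    args = _argv(event.get("CommandLine", ""))[1:]

    # T1204.002 -> T1218: an Office host spawning a scripting or DLL-loading LOLBin.
    if parent in OFFICE_HOSTS and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    # T1218.005: mshta.exe running from anywhere but the system directories
    # (the advisory notes a dropped copy of mshta.exe).
    if image == "mshta.exe" and ntpath.dirname(image_path).lower() not in SYSTEM_DIRS:
        hits.append("mshta_outside_system_dir")
    # T1218.005: mshta.exe fed an HTML file rather than an .hta.
    if image == "mshta.exe" and any(a.lower().endswith((".html", ".htm")) for a in args):
        hits.append("mshta_runs_html")
    # T1218.010: regsvr32.exe loading a file whose extension hides that it is a DLL.
    if image == "regsvr32.exe":
        for a in args:
            if a.startswith(("/", "-")):
                continue
            ext = ntpath.splitext(a)[1].lower()
            if ext and ext not in LIBRARY_EXTS:
                hits.append(f"regsvr32_loads_non_dll:{ext}")
    return hits


def scan(lines) -> list:
    """Return (event index, matched rules) for every event that matched at least one rule."""
    results = []
    for idx, line in enumerate(lines):
        hits = evaluate(parse_event(line))
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The regsvr32 rule is the one most likely to page an analyst on a quiet network, since legitimate installers rarely register anything but .dll or .ocx files; the mshta path rule catches the dropped copy even when the command line is obfuscated, because it keys on the image path rather than the arguments.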
Details

Available Solutions

Email Protection
  Solution available: Yes
  Pattern branch: AS Pattern 5796
  Release date: November 17, 2020
  Detection/Policy/Rules: -

URL Protection
  Solution available: Yes
  Pattern branch: In the Cloud
  Release date: -
  Detection/Policy/Rules: -

Advanced Threat Scan Engine (ATSE)
  Solution available: Yes
  Pattern branch: 16.361.00
  Release date: November 20, 2020
  Detection/Policy/Rules: same as VSAPI

Predictive Learning (TrendX)
  Solution available: Yes
  Pattern branch: In the Cloud
  Release date: -
  Detection/Policy/Rules:
  • Downloader.VBA.TRX.XXVBAF01FF011
  • Downloader.VBA.TRX.XXVBAF01FF009
  • Downloader.VBA.TRX.XXVBAF01FF010
  • Troj.Win32.TRX.XXPE50FFF037
  • Troj.Win32.TRX.XXPE50FFF038
  • TSPY.Win32.TRX.XXPE50FFF037E0002

File detection (VSAPI)
  Solution available: Yes
  Pattern branch: ENT OPR 16.361.00
  Release date: November 20, 2020
  Detection/Policy/Rules:
  • Trojan.HTML.ICEDID.VWFZ
  • Trojan.W97M.ICEDID.SMAC
  • Trojan.W97M.ICEDID.SMCET
  • Trojan.W97M.ICEDID.SMTH
  • Trojan.W97M.ICEDID.SM
  • Trojan.W97M.ICEDID.SMA
  • Trojan.W97M.ICEDID.AR
  • Trojan.W97M.ICEDID.FAIX
  • Trojan.W97M.ICEDID.GAAA
  • Trojan.Win32.ICEDID.ENG
  • Trojan.Win32.ICEDID.FAIM
  • Trojan.Win32.ICEDID.THJOCBO
  • TrojanSpy.Win32.ICEDID.BP
  • TrojanSpy.Win32.ICEDID.FAIX

Network Pattern
  Solution available: Yes
  Pattern branch: -
  Release date: -
  Detection/Policy/Rules: TROJ_GEN.R011C0PJA20 - HTTP (Response)

Behavioral Monitoring (AEGIS)
  Solution available: Yes
  Pattern branch: TMTD OPR 2191
  Release date: -
  Detection/Policy/Rules: ARV4483T (document)
Category: Remove a Malware / Virus
Solution Id: 000283386