Threat actors have enhanced a banking trojan that has been widely used during the COVID-19 pandemic with new functionality to help it avoid detection by potential victims and standard security protections.
Attackers have implemented several new features — including a password-protected attachment, keyword obfuscation and minimalist macro code—in a recent phishing campaign using documents trojanized by the widely used banking trojan IcedID, according to a new report by Juniper Networks security researcher Paul Kimayong.
The campaign, which researchers discovered in July, also uses a dynamic link library (DLL) — a Microsoft library that contains code and data that can be used by more than one program at the same time — as its second-stage downloader. This “shows” a new maturity level of this threat actor,” he observed.
The latest version of IcedID identified by the Juniper team is being distributed using compromised business accounts where the recipients are customers of the same businesses. This boosts the likelihood of the campaign’s success, as the sender and the recipient already have an established business relationship, Kimayong noted.
Researchers at IBM first discovered IcedID back in 2017 as a trojan targeting banks, payment card providers, mobile services providers, payroll, web mail and e-commerce sites.
The malware has evolved over the years and already has a history of clever obfuscation. For instance, it resurfaced during the COVID-19 campaign with new functionality that uses steganography, or the practice of hiding code within images to stealthily infect victims, as well as other enhancements.
Kimayong’s report details an example of the new IcedID campaign and its evasive tactics from a compromise of PrepNow.com, a private, nationwide student tutoring company that operates in a number of U.S. states.
Attackers sent phishing emails, which claim to include an invoice, to potential victims. They purported to be from the accounting department, with a password-protected ZIP file attached. This password protection allows the file to evade anti-malware solutions, he noted. The password is included in the email body for victims to find and use to open the file.
The campaign is novel in how it obfuscates the word “attached” in a number of ways in the email, Kimayong wrote. It seems unlikely attackers would do this to try to bypass spam filters or phishing-detection, since the presence of an attachment is obvious, he noted.
“If anything, we expected the obfuscation to obfuscate the word ‘password’ because that’s a tell-tale sign of something phishy going on,” Kimayong wrote. “Then again, modifying the body of the email ever so slightly may change some fuzzy hashes email security solutions calculate to identify bulk email campaigns.”
The campaign also included a curious behavior in that it rotates the file name used for the attachment inside the ZIP file, which seems a “futile” attempt to evade security protections, “since the password protection should prevent most security solutions from opening and inspecting the content,” he observed.
No matter, the email was not blocked by Google’s Gmail security, which seems to prove that the evasion tactics worked, according to the report.
If victims open the attachment, the campaign then launches a three-stage attack to unleash the IcedID trojan, Kimayong wrote.
The expanded ZIP file a Microsoft Word document that contains a macro that executes upon opening the document, with “the usual social-engineering attempt to get victims to enable macros,” he wrote. “Once macros are enabled, the VB script will download a DLL, save it as a PDF and install it as a service using regsvr32 to guarantee persistence.”
This stage also shows how attackers are being “minimalist” in their use of macro code, which “is very simple and straightforward” even though it still manages to obfuscate strings and function calls to evade detection, Kimayong wrote.
The attack’s second stage downloads the DLL from 3wuk8wv[.]com or 185.43.4[.]241, a site that is hosted on a hosting provider in Siberia in Russia. Once downloaded, the malicious DLL is saved as a PDF file, and then the macro executes it via a call to regsvr32.exe, according to the report.
The DLL downloads the next stage of the attack from the domain loadhnichar[.]co as a PNG file and decrypts it, Kimayong wrote. This stage of the attack also has evasive tactics, he noted.
“This loader blends its traffic with requests to benign domains, such as apple.com, twitter.com, microsoft.com, etc. to look more benign to sandboxes trying to analyze it,” Kimayong wrote.
The third stage ultimately downloads the IcedID main module as a PNG file, spawns a msiexec.exe process and injects the IcedID main module into it, he said.
It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.
