IcedID Circulates Via Web Forms, Google URLs

Attackers are filling out and submitting web-based “contact us” forms, thus evading email spam filters.

Website contact forms and Google URLs are being used to spread the IcedID trojan, according to researchers at Microsoft.

Attackers are using “contact us” forms on websites to send emails targeting organizations with trumped-up legal threats, researchers said. The messages consistently mention a copyright infringement by a photographer, illustrator or designer, and they contain a link to purported “evidence” for these legal infractions. But the link in actuality leads to a Google page that downloads IcedID (a.k.a. BokBot), which is an information-stealer and loader for other malware.

“As attackers fill out and submit the web-based form, an email message is generated to the associated contact-form recipient or targeted enterprise, containing the attacker-generated message,” according to Microsoft’s recent posting. “The message uses strong and urgent language (‘Download it right now and check this out for yourself’), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.”

Researchers found that attackers used fake names that start with “Mel,” such as “Melanie” or “Meleena,” and used a standard format for their fake email addresses that include “m,” words associated with photography and three-digit numbers; i.e., or

The links take victims to a page, which asks them to sign in. Once a person signs in, the page automatically downloads a malicious .ZIP file, which when unpacked contains a heavily obfuscated .JS file, researchers said. Microsoft explained that the .JS file is executed via WScript, and that it creates a shell object that in turn launches PowerShell and downloads the IcedID payload in the form of a .DAT file.

The file also contains a Cobalt Strike beacon in the form of a stageless DLL, giving attackers remote control of the victim’s machine. Cobalt Strike is a penetration-testing tool that sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack; however, threat actors have since figured out how to turn it against networks.

The analysis shows that the downloaded .DAT file loads via the rundll32 executable, which then launches various information-gathering commands. Those include obtaining antivirus info; getting IP, domain and system information; and dropping SQLite for accessing banking and other credentials stored in browser databases.
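The delivery chain above (WScript running the .JS, which launches PowerShell, which fetches the .DAT that rundll32 loads before running discovery commands) maps onto a small process-tree check. The following is an added example, not Microsoft's or Threatpost's code; the events are constructed, and the set of discovery binaries is an assumed approximation of "antivirus, IP, domain and system information" commands.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (pid, parent_pid, image, command line).
# Illustrative only; not telemetry from the campaign.
EVENTS = [
    (100, 10, "explorer.exe", "explorer.exe"),
    (200, 100, "wscript.exe", r'wscript.exe "C:\Users\jane\Downloads\evidence\evidence.js"'),
    (201, 200, "powershell.exe", "powershell.exe -w hidden -nop -c <download placeholder>"),
    (202, 201, "rundll32.exe", r"rundll32.exe C:\Users\jane\AppData\Local\Temp\payload.dat,update"),
    (203, 202, "wmic.exe", r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    (204, 202, "ipconfig.exe", "ipconfig /all"),
    (205, 202, "systeminfo.exe", "systeminfo"),
    (300, 100, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign, must not fire
]

# Assumed discovery binaries (antivirus, network, domain, host enumeration).
DISCOVERY = {"wmic.exe", "ipconfig.exe", "systeminfo.exe", "nltest.exe", "net.exe", "whoami.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def detect(events):
    """Return (rule_name, pid) findings for the three stages of the chain."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[1]].append(e)

    findings = []
    for pid, ppid, image, cmd in events:
        parent = by_pid.get(ppid)
        # Stage 1: a script host (the obfuscated .JS) spawning PowerShell.
        if image.lower() == "powershell.exe" and parent and parent[2].lower() in SCRIPT_HOSTS:
            findings.append(("script_host_to_powershell", pid))
        # Stage 2: rundll32 loading a .dat file instead of a .dll.
        if image.lower() == "rundll32.exe" and re.search(r"\.dat\b", cmd, re.I):
            findings.append(("rundll32_dat_load", pid))
            # Stage 3: that rundll32 fanning out into two or more discovery commands.
            disc = [c for c in children[pid] if c[2].lower() in DISCOVERY]
            if len(disc) >= 2:
                findings.append(("post_load_discovery", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```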

“When run, IcedID connects to a command-and-control server (C2) to download modules that run its primary function of capturing and exfiltrating banking credentials and other information,” according to Microsoft. “It achieves persistence via scheduled tasks. It also downloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the compromised system, including collecting additional credentials, moving laterally and delivering secondary payloads.”

The campaign is also using a secondary attack chain, researchers said, in case the page is taken down.

“In the secondary chain, users are redirected to a top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file,” they explained. “Further analysis reveals that the forms contain malicious links that download the IcedID malware.”

Social-Engineering and Authenticity

The use of contact forms on websites allows the campaign to get around email spam filters, researchers noted – and adds a layer of verisimilitude for recipients.

“The malicious email that arrives in the recipient’s inbox from the contact-form query appears trustworthy as it was sent from trusted email marketing systems, further confirming its legitimacy while evading detection,” according to the analysis. “As the emails are originating from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry.”

Further, the use of a Google page and the sign-in request aids in detection evasion. Because of “this added authentication layer, detection technologies may fail in identifying the email as malicious altogether,” Microsoft explained.

The observed campaign adds to other IcedID activity recently observed by researchers. Last week, researchers with Uptycs noted it was being used in a spate of email campaigns using Microsoft Excel spreadsheet file attachments.

“Adversaries remain motivated to find new ways to deliver malicious email to enterprises with the clear intent to evade detection,” according to Microsoft. “The scenarios we observed offer a serious glimpse into how sophisticated attackers’ techniques have grown, while maintaining the goal of delivering dangerous malware payloads such as IcedID. Their use of submission forms is notable because the emails don’t have the typical marks of malicious messages and are seemingly legitimate.”
