The primarily IcedID-flavored banking trojan spam campaigns were coming in at a fever pitch: spikes hit more than 100 detections a day.
Researchers have spotted a new variant of the IcedID banking trojan slipping in by way of two new spam campaigns.
Written in English and carrying ZIP files containing the malware – or links to such ZIP files – the new twist on the old banking trojan is a tweaked downloader, which the threat actors moved from the original x86 version to the newest: an x86-64 version. They also ditched the fake command-and-control servers (C2s, aka C&Cs) that were found in the previous configuration and which were likely there to complicate malware analysis, researchers reported.
In an advisory posted on Thursday, Kaspersky researchers explained that they spotted the new spam campaigns – both of which were designed to deliver banking trojans – in mid-March. Most of the payloads the researchers collected were IcedID (Trojan-Banker.Win32.IcedID), but they also came across a few samples of the Qbot banking trojan (Backdoor.Win32.Qbot, aka QakBot).
The mostly IcedID-flavored campaigns were coming in at a fever pitch: campaign spikes hit more than 100 detections a day.
That is in keeping with another widespread IcedID email campaign that pelted targets in April, when rigged Microsoft Excel attachments and Excel 4 macros were dumping IcedID at high volumes. At the time, it looked like the IcedID trojan was stepping in to fill the void left by Emotet after that malware got slapped offline in January.
IcedID (aka BokBot) is similar to Emotet in that it is a modular malware that started life as a banking trojan, initially used to steal financial information. As Kaspersky researchers noted, IcedID can also detect virtual machines (VMs), which comes in handy when malware authors want to slip past VMs that execute potentially malicious binaries in order to suss out their behavior.
IcedID can also pull off other malicious actions, such as web injects: powerful, malicious tools built into banking trojans that enable a threat actor to bypass two-factor authentication (2FA) and compromise a user’s bank account. The main body of the payloads is hidden in a PNG image that’s decrypted by the downloader. Besides being a banking trojan, IcedID is increasingly used as a dropper for other malware: another thing it has in common with Emotet.
Researchers said that for its part, the Qbot banking trojan is a single executable with an embedded DLL that is capable of downloading and running additional modules that carry out malicious activities, such as web injects, email collection, and password grabbing.
Variant Picks Up a Slippery New Downloader
Besides the spike in infection attempts, the IcedID variant has also been outfitted with a new downloader.
As the researchers tell it, IcedID has two parts, a downloader and a main body. The downloader sends user data – for example, username, MAC address and Windows version – to the C2 server and, in turn, receives the main body.
The main body has previously been distributed as shellcode hidden in a PNG image. “The downloader gets the image, decrypts the main body in the memory and executes it,” the researchers detailed. “The main body maps itself into the memory and starts to perform its malicious actions such as web injects, data exfiltration to the C&C, download and execution of additional payloads, exfiltration of system information and more,” they said.
In previous IcedID versions, the downloader was compiled as an x86 executable. Also, when the configurations of previous IcedID versions were decrypted, they turned out to contain fake C2 addresses, presumably “to complicate analysis of the samples,” Kaspersky researchers hypothesized. In the new version, however, the threat actors moved from x86 to an x86-64 version and did away with the fake C2s in the configuration.
As well, the authors of the latest IcedID variant tweaked the malware’s main body. It is still distributed as a PNG image, and it retains the same decryption and C2 communication methods. But this time, the authors decided not to use shellcode. Instead, according to Kaspersky’s advisory, IcedID’s main body is distributed as “a standard [PE, or Portable Executable] file with some loader-related data in the beginning.”
The researchers pointed out that, whereas IcedID has two parts – the downloader and the main body – Qbot is a single executable with an embedded DLL in the main body that is stored in the resource PE section.
To do its dirty work, Qbot calls in its dirty minions: “In order to perform traffic interception, steal passwords, perform web injects and take remote control of the infected system, it downloads additional modules: web inject module, hVNC (remote control module), email collector, password grabber and others,” according to the advisory.
Infection No. 1: DotDat
The researchers called the first campaign “DotDat.” They said that it was doling out ZIP attachments that purported to be some sort of cancelled operation or compensation claims with the names in the format [document type (optional)]-[some digits]-[date in MMDDYYYY format]. “We assume the dates correspond with the campaign spikes,” they said in the advisory. The ZIP archives contained a boobytrapped Excel file with the same name.
The Excel file downloads a malicious payload via a macro from a URL with the format [host]/[digits].[digits].dat and then executes the payload. The URL is generated during execution using the Excel function “NOW()”, according to the researchers. It delivers a payload that is either the IcedID downloader – Trojan.Win32.Ligooc – or Qbot packed with a polymorphic packer: a tool that rolls up various types of malware into a single package, such as an email attachment, and which can mutate its signature over time, making it that much more difficult to detect and remove.
The Excel file contains obfuscated Excel 4.0 macro formulas to download and execute either the IcedID or Qbot payload. The macro generates a payload URL and calls the WinAPI function “URLDownloadToFile” to download the payload.
After the macro successfully downloads the downloader, the payload is launched using the EXEC function and the Windows Rundll32 executable.
Infection No. 2: ‘summer.gif’
In the second campaign researchers tracked, the spam emails contained links to hacked websites with malicious archives named “documents.zip”, “document-XX.zip” and “doc-XX.zip”, where XX stands for two random digits. Similar to the DotDat campaign, the archives contained an Excel file with a macro that downloaded the IcedID downloader. According to Kaspersky’s data, this spam campaign peaked on March 17. By April, the malicious activity “had faded away,” researchers said.
Also like the first spam campaign, the “summer.gif” campaign used Excel 4.0 macro formulas and the URLDownloadToFile function. The main difference in the downloader is that the URL is stored in a cell inside the malicious file, researchers said.
This campaign gets its name from a file referred to by the URL – “summer.gif” – but the payload is in fact an executable, not a GIF image. According to the advisory, to execute the payload, the macro uses Windows Management Instrumentation (WMI) tools and regsvr32 – a command-line utility in Microsoft Windows and ReactOS for registering and unregistering DLLs and ActiveX controls in the operating system Registry.
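For defenders triaging mail-gateway or proxy logs, the naming formats of both campaigns can be turned into matchers. The sketch below is an added example, not code from Kaspersky or Threatpost; the function names, the letters-only document-type prefix, the assumption that “summer.gif” is the last URL path segment, and all sample events are constructed for illustration.

```python
import re
from datetime import datetime

# Formats as quoted in the article. Assumptions: the optional document-type
# prefix is letters only; "summer.gif" is the final URL path segment.
DOTDAT_ZIP = re.compile(r"^(?:[A-Za-z]+-)?\d+-(\d{8})\.zip$")
DOTDAT_URL = re.compile(r"^https?://[^/\s]+/\d+\.\d+\.dat$", re.I)
SUMMER_ZIP = re.compile(r"^(?:documents|document-\d{2}|doc-\d{2})\.zip$", re.I)
SUMMER_URL = re.compile(r"^https?://[^/\s]+/(?:\S*/)?summer\.gif$", re.I)

def _valid_mmddyyyy(digits):
    try:  # is this a real calendar date in MMDDYYYY order?
        datetime(int(digits[4:]), int(digits[:2]), int(digits[2:4]))
        return True
    except ValueError:
        return False

def classify_attachment(name):
    m = DOTDAT_ZIP.match(name)
    if m and _valid_mmddyyyy(m.group(1)):  # date check trims false positives
        return "DotDat"
    if SUMMER_ZIP.match(name):
        return "summer.gif"
    return None

def classify_url(url):
    if DOTDAT_URL.match(url):
        return "DotDat"
    if SUMMER_URL.match(url):
        return "summer.gif"
    return None

# Constructed sample telemetry (example.test hosts are placeholders, not IoCs).
SAMPLE_EVENTS = [
    ("attachment", "Compensation-1186543-03172021.zip"),
    ("attachment", "doc-42.zip"),
    ("attachment", "invoice-123-99999999.zip"),  # digits are not a valid date
    ("url", "http://files.example.test/44272.6137152.dat"),
    ("url", "https://blog.example.test/wp-content/summer.gif"),
]

def scan(events):
    """Return (value, campaign) for every event matching a described format."""
    labelled = ((v, (classify_attachment if k == "attachment" else classify_url)(v))
                for k, v in events)
    return [(v, label) for v, label in labelled if label]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

Names such as “documents.zip” are common in benign mail, so a match is a triage signal to correlate with an Excel file inside the archive, not a verdict on its own.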
Where IcedID Is Splattering
Both the IcedID and Qbot spam campaigns were picking on China as their favorite target. In March, telemetry indicated that the greatest number of users attacked by Ligooc, the IcedID downloader, were seen in China (15.88 percent), followed by India (11.59 percent), Italy (10.73 percent), the U.S. (10.73 percent) and Germany (8.58 percent).
During that same month, Qbot was also most active in China (10.78 percent), India (10.78 percent) and the U.S. (4.66 percent), but the researchers also saw it in Russia (7.60 percent) and France (7.60 percent).
Some parts of this article are sourced from:
threatpost.com