ISC diary: @malware_traffic reviews .url files and #WebDAV used for #IcedID (#Bokbot) infection https://i5c.us/d29578
Originally posted at: https://twitter.com/Unit42_Intel/status/1625218084288987136
2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using Google Ads. IoCs available at https://github.com/pan-unit42/tweets/blob/master/2023-02-13-IOCs-for-IcedID-infection-from-fake-Microsoft-Teams-page.txt
Sanitized/carved #pcap of the infection traffic, along with the associated malware/artifacts are now available at https://malware-traffic-analysis.net/2023/02/13/index.html
#icedid #Bokbot #malvertising #pcap
Originally posted at: https://twitter.com/Unit42_Intel/status/1623707361184477185
2023-02-08 (Wednesday): As a follow-up to an #IcedID (#Bokbot) infection, I saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using thefirstupd[.]com as its domain.
IoCs available at https://github.com/pan-unit42/tweets/blob/master/2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt
2023-01-24 (Tuesday): Fake LibreOffice page leads to #IcedID (#Bokbot)
GOOGLE AD:
REDIRECT:
- 188.127.239[.]132 - lirbeoflice[.]space
FAKE LIBREOFFICE PAGE:
- 46.173.218[.]229 - hxxps://libre-offlce[.]top/download/download-libreoffice/?gclid=EAIaIQobChMItt7lo9bg_AIV_m1vBB2iaQUWEAAYASAAEgKLG_D_BwE
ZIP DOWNLOAD:
- hxxps://firebasestorage.googleapis[.]com/v0/b/confident-totem-371713.appspot.com/o/GvccFO6nyT%2FSetup_Win_24-01-2023_17-01-52.zip?alt=media&token=8a605e3d-094d-40ad-9889-4638aacf6357
DOWNLOADED FILE:
- https://bazaar.abuse.ch/sample/ba0743df409f0176c11637524ea85cda7da7d0e36d5f2b0c7614c2d70f0a533a/
- https://tria.ge/230124-v1b7saed6z
- Campaign: 3324185820
- C2: druidfenixis[.]com
ICEDID INSTALLER RETRIEVES GZIP BINARY:
- 45.61.138[.]171 port 80 - druidfenixis[.]com - GET / HTTP/1.1
ICEDID C2:
- 94.232.46[.]210 port 443 - iskopila[.]com - HTTPS traffic
- 94.232.46[.]210 port 443 - plenertakts[.]com - HTTPS traffic
Posted at: https://twitter.com/malware_traffic/status/1615905700839825409
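The indicator lists in these posts use the usual defanging conventions (`[.]` for `.`, `hxxp`/`hxxps` for `http`/`https`, ports written either as `IP:443` or `IP port 443`). The script below, added here as an example and not code from any of the quoted posts or the projects they link, normalises such text into structured IoCs for blocklists or log searches and defangs them again for reports. The sample input is constructed from indicator lines quoted above; the regexes and function names are this example's own.

```python
"""Extract and normalise defanged IoCs from threat-intel posts.

Added example, not code from the quoted posts. Handles the defanging
conventions used on this page ("[.]" for ".", "hxxp"/"hxxps" for
"http"/"https") and both port notations ("IP:443", "IP port 443").
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Defanging conventions seen in the posts.
_DEFANGED_DOT = re.compile(r"\[\.\]")
_HXXP = re.compile(r"\bhxxp(s?)://", re.IGNORECASE)

# Patterns applied to the refanged text.
_URL = re.compile(r"https?://[^\s<>\"']+")
_IP_PORT = re.compile(
    r"\b(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\b"
    r"(?::(?P<p1>\d{1,5})|\s+port\s+(?P<p2>\d{1,5}))?"
)
# Hostnames: dotted labels ending in an alphabetic TLD, so bare IPv4
# addresses and version strings such as "HTTP/1.1" do not match.
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample: indicator lines copied from the posts on this page.
SAMPLE = """\
- 188.127.239[.]132 - lirbeoflice[.]space
- 46.173.218[.]229 - hxxps://libre-offlce[.]top/download/download-libreoffice/
- 45.61.138[.]171 port 80 - druidfenixis[.]com - GET / HTTP/1.1
- 94.232.46[.]210 port 443 - iskopila[.]com - HTTPS traffic
Cobalt Strike C2 server at 80.77.25[.]65:443 using jumptoupd[.]com as the domain.
"""


@dataclass
class Iocs:
    urls: list[str] = field(default_factory=list)
    endpoints: list[tuple[str, int | None]] = field(default_factory=list)
    domains: list[str] = field(default_factory=list)


def refang(text: str) -> str:
    """Turn defanged text back into a form suitable for lookups/blocklists."""
    text = _DEFANGED_DOT.sub(".", text)
    return _HXXP.sub(lambda m: f"http{m.group(1).lower()}://", text)


def defang(indicator: str) -> str:
    """Defang a single URL, hostname or IP so it is not clickable in a report."""
    indicator = re.sub(r"^http(s?)://", r"hxxp\1://", indicator, flags=re.IGNORECASE)
    return indicator.replace(".", "[.]")


def _unique(items):
    # Preserve first-seen order while dropping duplicates.
    return list(dict.fromkeys(items))


def extract_iocs(text: str) -> Iocs:
    """Refang the text, then pull out URLs, IP:port endpoints and hostnames."""
    clean = refang(text)
    urls = _unique(m.group(0).rstrip(".,;)") for m in _URL.finditer(clean))
    endpoints = []
    for m in _IP_PORT.finditer(clean):
        port = m.group("p1") or m.group("p2")
        endpoints.append((m.group("ip"), int(port) if port else None))
    domains = _unique(m.group(0).lower() for m in _DOMAIN.finditer(clean))
    return Iocs(urls=urls, endpoints=_unique(endpoints), domains=domains)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE)
    for url in found.urls:
        print("url     ", defang(url))
    for ip, port in found.endpoints:
        print("endpoint", defang(ip), port if port is not None else "-")
    for domain in found.domains:
        print("domain  ", defang(domain))
```

The hostname regex will also pick up benign domains that appear in a post (sandbox and sample-sharing sites, for instance), so the output is a triage list for an analyst to review, not a blocklist to deploy unreviewed.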
2023-01-16 (Monday): An #IcedID (#Bokbot) infection I did thanks to @pr0xylife sharing a PDF on Malware Bazaar. This one has #BackConnect traffic with #VNC activity, and there's #CobaltStrike too! The #pcap was too good -not- to share! Have a peek at: https://malware-traffic-analysis.net/2023/01/16/index2.html
#icedid #Bokbot #backconnect #vnc #cobaltstrike #pcap
Posted at https://twitter.com/malware_traffic/status/1615872954486886400
2023-01-18 (Wednesday): Blog post with sanitized/carved #pcap files, malware samples, and IOCs from the Google ads --> fake LibreOffice site --> #IcedID (#Bokbot) infection I had earlier that led to #CobaltStrike. Have a look-see at: https://malware-traffic-analysis.net/2023/01/18/index.html
#pcap #icedid #Bokbot #cobaltstrike
2023-01-18 (Wednesday): #CobaltStrike seen from #IcedID (#Bokbot) infection.
Stager hosted at hxxp://64.227.8[.]75/111.exe
Cobalt Strike C2 server at 80.77.25[.]65:443 using jumptoupd[.]com as the domain. Looks like this C2 server may have been set up earlier today.
Campaigns keep coming, I keep documenting 😤 #IcedID #bokbot campaign for the day. They took my message and actually changed things, thanks! https://gist.github.com/myrtus0x0/05cbc12632667f77e13b425c03bc7d9a
2023-01-18 (Wednesday) - Google ad --> fake Libre Office page --> #IcedID (#Bokbot)
Fake Libre Office page at wvv-llbreofflce[.]top
Downloaded zip: https://bazaar.abuse.ch/sample/7fa1fbd2c625269c408d515a7f7a2289e19f5f5d3cef46a96300212071215649/
Extracted EXE, deflated to a reasonable file size: https://bazaar.abuse.ch/sample/7fa1fbd2c625269c408d515a7f7a2289e19f5f5d3cef46a96300212071215649/
I'm working on compiling the data and will post as I get it organized.
2023-01-12 (Thursday) - Tweet I authored for @Unit42_Intel on Twitter: https://twitter.com/Unit42_Intel/status/1613710507638235136
#IcedID (#Bokbot) infection led to #CobaltStrike using fepopeguc[.]com on 185.173.34[.]36:443 for its C2 traffic.
List of indicators available at https://github.com/pan-unit42/tweets/blob/master/2023-01-12-IOCs-from-IcedID-and-Cobalt-Strike-infection.txt
Start your year off right with some #bokbot #IcedID. Quite a few C2 domains involved... maybe their New Year's resolution is to get a respectable amount of bots :) https://gist.github.com/myrtus0x0/e11b1fcf5fac005b67fd4a902f3b72ab
Tweet I wrote for @unit42_intel on Twitter (https://twitter.com/Unit42_Intel/status/1606013040599699476):
2022-12-20 (Tues) - #IcedID (#Bokbot) infection led to #CobaltStrike on 23.81.246[.]152:443 using xedefeg[.]com - IoCs available at: https://bit.ly/3HUXess
#pcap and malware available at https://www.malware-traffic-analysis.net/2022/12/20/index.html
#icedid #Bokbot #cobaltstrike #pcap
For the mastodon peeps, #bokbot #IcedID campaign using SEO poisoning with libreoffice:
https://gist.github.com/myrtus0x0/65b623f1e736594a1896a4e53277c971
2022-12-14 (Wednesday): Follow-up on: https://infosec.exchange/@th3_protoCOL/109513090531163473
#IcedID (#Bokbot) infection in my lab environment from Google ad caused by SEO-poisoned search results.
This infection chain also abuses firebasestorage.googleapis.com to host a zip file containing the malicious .msi installer for IcedID.
Fake anydesk page: wwwanydesk[.]top - 45.8.229[.]109:443
Example of firebasestorage URL hosting zipped .msi file: hxxps://firebasestorage.googleapis[.]com//v0/b/plucky-command-370814.appspot.com/o/LB3dtWopII%2FSetup_Win_14-12-2022_19-07-19.zip?alt=media&token=c729eafe-6361-4127-b4ed-21fa97b109f8 (Note: it was still delivering a zip archive as I wrote this post).
Binary for gzip file retrieved by IcedID installer: klepdrafooip[.]com on 143.198.92[.]88:80
IcedID post-infection C2:
- primsenetwolk[.]com - 94.140.114[.]40:443
- onyxinnov[.]lol - 94.140.114[.]40:443
- trashast[.]wiki - 158.255.211[.]126:443
Saw IcedID backchannel traffic with VNC activity on 51.195.169[.]87:8080
2022-12-08 (Thursday) - Here's a screenshot of the initial traffic from my #IcedID (#Bokbot) infection today. It's in an AD environment, and it gave me VNC traffic and 3 different #CobaltStrike infections.
Two of those Cobalt Strikes had EXEs saved to disk. I already posted one of those earlier.
The other Cobalt Strike EXE came from hxxp://70.36.107[.]56/downloads/1.exe
Figured might as well start sharing some intel here as well. #IcedID #Bokbot had a campaign today that was pretty standard for them https://gist.github.com/myrtus0x0/c66f9714dba3c4541d41a2ff94701b4c.
But what I wanna talk about is the IcedID that was dropped on #Emotet. Emotet has returned and one of the most interesting developments I've seen from the botnet is it dropping a new variant of the IcedID loader.
The old IcedID loader (the one used in malspam campaigns) uses cookies to exfiltrate host information. This information is used to gatekeep the final IcedID bot. If the C2 doesn't like the data exfil'd, the bot won't be delivered.
This new variant, though, doesn't have any of that. It downloads an encrypted file which ends up being the IcedID bot. This makes sense because the new IcedID loader is only being distributed to already infected machines, so there is a higher level of trust that the malware is going to a worthy target and not just some sandbox. When I first saw all this, I thought that was the end of the differences because as far as I could tell the IcedID bot was the same.
This turned out to be incorrect. There is a difference in the commands that the IcedID bot actually receives compared to standard IcedID that is delivered through malspam. This Emotet-delivered IcedID gets more default commands to exfil more information. I have yet to really dig in and see why they might be doing that, but hopefully soon I'll get some time.