2023-03-08 (WEDNESDAY) - ICEDID (BOKBOT) INFECTION WITH BACKCONNECT AND KEYHOLE VNC


2023-03-08 (WEDNESDAY): ICEDID (BOKBOT) INFECTION WITH BACKCONNECT AND KEYHOLE VNC FROM EMAILS WITH PDF ATTACHMENTS

NOTES:

- The PDF files use a naming scheme we have previously seen with Monster Libra (TA551/Shathak) distributing IcedID
- Reference for IcedID BackConnect activity: https://twitter.com/teamcymru_S2/status/1629186902011138049

INFECTION CHAIN:

- email --> PDF --> link --> password-protected zip --> .msi --> traffic for gzip binary --> IcedID C2 --> BackConnect & Keyhole VNC

PDF FILES FOUND ON VIRUSTOTAL:

- d534d8fdb53613064e6051c8a9ad6c6649a3555023fb8242c67e7253c24745d1  [info removed],invoice,03.07.pdf
- a372aceabd44b69bf1028b442ef866bc0a081b3241d9df5cfedb70d13dd39257  [info removed]-file-03.07.23.pdf

URLS FROM THE TWO PDF FILES:

- hxxps://daybeds[.]xyz/info_IR-99661418.zip
- hxxps://lifeinsurancequotes[.]xyz/bill_IC-85000006.zip

PASSWORD-PROTECTED ZIP ARCHIVES FROM THE ABOVE LINKS (PASSWORD: 1310):

- 55044a53fd6ac77f0cfacf424de88fbcbf43ea25f672462d2496238226ba8359  bill_IC-85000006.zip
- c825239ccd1cb599e9c9cdfc6806ca7228803a1c9f7ab6eaae895d98a3c053a8  info_IR-99661418.zip

MSI FILES TO INSTALL ICEDID EXTRACTED FROM THE ABOVE ZIP ARCHIVES:

- 99344f9fb82f8d90da0c2e12f0deda29519a27f16429673f4e5f32e05a34113a  bill_IC-85000008.msi
- 17014299f399f71d1d6bed136b8c624a366b222166e692522d14e2bba70bb79f  info_IR-99661418.msi

MALWARE FROM AN INFECTED WINDOWS HOST:

- SHA256 hash: d82cbe662418bb5fa90a3f98f41a76fe9ca046b9308220acd935a7e98db38655
- File size: 1,013,147 bytes
- File location: hxxp://statifaronta[.]com/
- File description: Retrieved by an .msi IcedID installer, gzip binary from statifaronta[.]com

- SHA256 hash: 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953
- File size: 354,474 bytes
- File location: C:\Users\[username]\AppData\Roaming\FlatResist\license.dat
- File description: Data binary used to run the persistent IcedID DLL

- SHA256 hash: d812812449e398ced21fb9fbfb6099711f6cde105ea96ae72c1a3a1ba349c798
- File size: 657,920 bytes
- File location: C:\Users\[username]\AppData\Roaming\{7B735344-E15B-F0E1-3FEB-00A8EBE3DE39}\kokuli32\Ulyoat64.dll
- File description: Persistent 64-bit DLL for IcedID
- Run method: rundll32.exe [filename],init --voci="[path to license.dat]"

TRAFFIC FROM AN INFECTED WINDOWS HOST:

TRAFFIC FROM LINK IN PDF FILE:

- 146.19.230[.]208 port 443 (HTTPS) - lifeinsurancequotes[.]xyz - GET /bill_IC-85000006.zip

TRAFFIC GENERATED BY ICEDID INSTALLER FOR GZIP BINARY:

- 45.61.136[.]30 port 80 - statifaronta[.]com - GET / HTTP/1.1

ICEDID C2:

- 37.235.56[.]37 port 443 - neaachar[.]com - HTTPS traffic
- 158.255.212[.]195 port 443 - gyxplonto[.]com - HTTPS traffic
- 37.235.56[.]37 port 443 - birungor[.]com - HTTPS traffic
- 158.255.212[.]195 port 443 - pichervoip[.]com - HTTPS traffic

CERTIFICATE ISSUER DATA FOR ALL ICEDID HTTPS C2 TRAFFIC:

- id-at-commonName=localhost
- id-at-countryName=AU
- id-at-stateOrProvinceName=Some-State
- id-at-organizationName=Internet Widgits Pty Ltd

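As an added defender-side example (not code from the original page), the following Python checks TLS and process events for two indicators described above: the certificate issuer fields shared by all of the IcedID HTTPS C2 traffic, and the rundll32 run method for the persistent DLL. The sample events, rule names and log field names are constructed for illustration.

```python
import re

# Issuer fields from the IcedID C2 certificates on this page (all four are the
# OpenSSL self-signed defaults, so match the full set, not a single field).
ICEDID_ISSUER = {"commonName": "localhost", "countryName": "AU",
                 "stateOrProvinceName": "Some-State",
                 "organizationName": "Internet Widgits Pty Ltd"}

# Run method from this page: rundll32.exe [filename],init --voci="[path to license.dat]"
RUNDLL_PATTERN = re.compile(r"rundll32(\.exe)?\s+.+?\.dll,init\s+--voci=", re.I)

# Short DN attribute names (as seen in Zeek/Suricata logs) mapped to the long names.
SHORT_NAMES = {"CN": "commonName", "C": "countryName",
               "ST": "stateOrProvinceName", "O": "organizationName"}

def parse_issuer(issuer):
    """Parse 'CN=localhost,C=AU,...' or 'id-at-commonName=localhost,...' into a dict."""
    fields = {}
    for part in issuer.split(","):
        if "=" in part:
            key, value = (s.strip() for s in part.split("=", 1))
            key = key.replace("id-at-", "")
            fields[SHORT_NAMES.get(key, key)] = value
    return fields

def is_icedid_issuer(issuer):
    fields = parse_issuer(issuer)
    return all(fields.get(k) == v for k, v in ICEDID_ISSUER.items())

def is_icedid_rundll(cmdline):
    return RUNDLL_PATTERN.search(cmdline) is not None

# Constructed sample events (not from the page): two TLS records, two process events.
SAMPLE_EVENTS = [
    {"type": "tls", "sni": "neaachar.com",
     "issuer": "CN=localhost,C=AU,ST=Some-State,O=Internet Widgits Pty Ltd"},
    {"type": "tls", "sni": "example.org", "issuer": "CN=R3,O=Let's Encrypt,C=US"},
    {"type": "process", "cmdline": 'rundll32.exe C:\\x\\Ulyoat64.dll,init '
                                   '--voci="C:\\Users\\u\\AppData\\Roaming\\FlatResist\\license.dat"'},
    {"type": "process", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

def find_hits(events):
    # Returns (rule name, detail) tuples for events matching either indicator.
    hits = []
    for ev in events:
        if ev["type"] == "tls" and is_icedid_issuer(ev["issuer"]):
            hits.append(("icedid_c2_cert_issuer", ev["sni"]))
        elif ev["type"] == "process" and is_icedid_rundll(ev["cmdline"]):
            hits.append(("icedid_rundll32_init_voci", ev["cmdline"]))
    return hits
```

The issuer check matches the full default OpenSSL subject, which is a weak indicator on its own and is best paired with the C2 domains or IPs listed above.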
OTHER POST-INFECTION ACTIVITY:

- 80.66.88[.]71 port 8080 - BackConnect and Keyhole VNC traffic
