2023-03-08 (WEDNESDAY) - ICEDID (BOKBOT) INFECTION WITH BACKCONNECT AND KEYHOLE VNC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- Infection traffic started on 2023-03-08 shortly after 02:00 UTC, but this wave of malspam & malware is from Tuesday 2023-03-07.
- Later this year, I found out the VNC traffic here is Keyhole VNC.
ASSOCIATED FILES:
- 2023-03-08-IOCs-for-IcedID-activity.txt.zip 1.9 kB (1,947 bytes)
- 2023-03-08-IcedID-malspam-example.eml.zip 170 kB (170,002 bytes)
- 2023-03-08-IcedID-with-BackConnect-and-Keyhole-VNC-traffic.pcap.zip 8.6 MB (8,586,839 bytes)
- 2023-03-08-IcedID-malware-and-artifacts.zip 3.3 MB (3,325,942 bytes)
2023-03-08 (WEDNESDAY): ICEDID (BOKBOT) INFECTION WITH BACKCONNECT AND KEYHOLE VNC FROM EMAILS WITH PDF ATTACHMENTS

NOTES:

- PDF files use a naming scheme we've seen before with Monster Libra (TA551/Shathak) previously distributing IcedID
- Reference for IcedID BackConnect activity: https://twitter.com/teamcymru_S2/status/1629186902011138049

INFECTION CHAIN:

- email --> PDF --> link --> password-protected zip --> .msi --> traffic for gzip binary --> IcedID C2 --> BackConnect & Keyhole VNC

PDF FILES FOUND ON VIRUSTOTAL:

- d534d8fdb53613064e6051c8a9ad6c6649a3555023fb8242c67e7253c24745d1 [info removed],invoice,03.07.pdf
- a372aceabd44b69bf1028b442ef866bc0a081b3241d9df5cfedb70d13dd39257 [info removed]-file-03.07.23.pdf

URLS FROM THE TWO PDF FILES:

- hxxps://daybeds[.]xyz/info_IR-99661418.zip
- hxxps://lifeinsurancequotes[.]xyz/bill_IC-85000006.zip

PASSWORD-PROTECTED ZIP ARCHIVES FROM THE ABOVE LINKS (PASSWORD: 1310):

- 55044a53fd6ac77f0cfacf424de88fbcbf43ea25f672462d2496238226ba8359 bill_IC-85000006.zip
- c825239ccd1cb599e9c9cdfc6806ca7228803a1c9f7ab6eaae895d98a3c053a8 info_IR-99661418.zip

MSI FILES TO INSTALL ICEDID EXTRACTED FROM THE ABOVE ZIP ARCHIVES:

- 99344f9fb82f8d90da0c2e12f0deda29519a27f16429673f4e5f32e05a34113a bill_IC-85000008.msi
- 17014299f399f71d1d6bed136b8c624a366b222166e692522d14e2bba70bb79f info_IR-99661418.msi

MALWARE FROM AN INFECTED WINDOWS HOST:

- SHA256 hash: d82cbe662418bb5fa90a3f98f41a76fe9ca046b9308220acd935a7e98db38655
- File size: 1,013,147 bytes
- File location: hxxp://statifaronta[.]com/
- File description: Retrieved by an .msi IcedID installer, gzip binary from statifaronta[.]com

- SHA256 hash: 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953
- File size: 354,474 bytes
- File location: C:\Users\[username]\AppData\Roaming\FlatResist\license.dat
- File description: Data binary used to run persistent IcedID DLL

- SHA256 hash: d812812449e398ced21fb9fbfb6099711f6cde105ea96ae72c1a3a1ba349c798
- File size: 657,920 bytes
- File location: C:\Users\[username]\AppData\Roaming\{7B735344-E15B-F0E1-3FEB-00A8EBE3DE39}\kokuli32\Ulyoat64.dll
- File description: Persistent 64-bit DLL for IcedID
- Run method: rundll32.exe [filename],init --voci="[path to license.dat]"

TRAFFIC FROM AN INFECTED WINDOWS HOST:

TRAFFIC FROM LINK IN PDF FILE:

- 146.19.230[.]208 port 443 (HTTPS) - lifeinsurancequotes[.]xyz - GET /bill_IC-85000006.zip

TRAFFIC GENERATED BY ICEDID INSTALLER FOR GZIP BINARY:

- 45.61.136[.]30 port 80 - statifaronta[.]com - GET / HTTP/1.1

ICEDID C2:

- 37.235.56[.]37 port 443 - neaachar[.]com - HTTPS traffic
- 158.255.212[.]195 port 443 - gyxplonto[.]com - HTTPS traffic
- 37.235.56[.]37 port 443 - birungor[.]com - HTTPS traffic
- 158.255.212[.]195 port 443 - pichervoip[.]com - HTTPS traffic

CERTIFICATE ISSUER DATA FOR ALL ICEDID HTTPS C2 TRAFFIC:

- id-at-commonName=localhost
- id-at-countryName=AU
- id-at-stateOrProvinceName=Some-State
- id-at-organizationName=Internet Widgits Pty Ltd

OTHER POST-INFECTION ACTIVITY:

- 80.66.88[.]71 port 8080 - BackConnect and Keyhole VNC traffic
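Two detection checks a defender can build from the indicators above, written here as an added example (this is not code from the original post or its associated files). The first flags TLS server certificates whose issuer carries the self-signed default fields seen on every IcedID C2 connection in this post (commonName=localhost, countryName=AU, stateOrProvinceName=Some-State, organizationName=Internet Widgits Pty Ltd). The second flags rundll32 command lines that follow the run method listed above, "rundll32.exe [filename],init --voci=...". The sample TLS and process records are constructed for this example; their field names loosely follow a Zeek ssl.log and Sysmon-style layout and are assumptions, as is the choice to treat the "--voci" switch name as variable rather than fixed, which goes beyond what the post states.

```python
"""Added example: flag IcedID-style TLS certificate issuers and rundll32
run lines over constructed log records (not the post's own code or data)."""
import re
from typing import Dict, List

# Issuer attributes observed on all IcedID HTTPS C2 traffic in the post.
ICEDID_ISSUER = {
    "commonName": "localhost",
    "countryName": "AU",
    "stateOrProvinceName": "Some-State",
    "organizationName": "Internet Widgits Pty Ltd",
}

# Short RDN keys used in Zeek-style issuer strings, mapped to the long names above.
_RDN_KEYS = {"CN": "commonName", "C": "countryName",
             "ST": "stateOrProvinceName", "O": "organizationName"}


def parse_issuer(issuer: str) -> Dict[str, str]:
    """Parse 'CN=localhost,C=AU,ST=Some-State,O=Internet Widgits Pty Ltd' into a dict."""
    attrs: Dict[str, str] = {}
    for part in issuer.split(","):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        attrs[_RDN_KEYS.get(key.strip(), key.strip())] = value.strip()
    return attrs


def issuer_matches_icedid(issuer: str) -> bool:
    """True when every issuer attribute from the post is present with the same value."""
    attrs = parse_issuer(issuer)
    return all(attrs.get(k) == v for k, v in ICEDID_ISSUER.items())


# Run method from the post: rundll32.exe [filename],init --voci="[path to license.dat]".
# Treating the switch name (--voci) as variable is an assumption for this example.
_RUNDLL_ICEDID = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\s",]+)"?,init\s+--[A-Za-z0-9]+="?(?P<dat>[^"\s]+)',
    re.IGNORECASE,
)


def rundll32_matches_icedid(cmdline: str) -> bool:
    """True when a process command line follows the rundll32 ...,init --<switch>= pattern."""
    return _RUNDLL_ICEDID.search(cmdline) is not None


# Constructed sample records (not taken from the pcap on this page).
SAMPLE_TLS = [
    {"id.resp_h": "37.235.56.37", "server_name": "neaachar.com",
     "issuer": "CN=localhost,C=AU,ST=Some-State,O=Internet Widgits Pty Ltd"},
    {"id.resp_h": "203.0.113.10", "server_name": "example.org",
     "issuer": "CN=R3,O=Let's Encrypt,C=US"},
]
SAMPLE_PROCS = [
    {"host": "WS01", "cmdline": r'rundll32.exe C:\Users\alice\AppData\Roaming'
     r'\{7B735344-E15B-F0E1-3FEB-00A8EBE3DE39}\kokuli32\Ulyoat64.dll,init '
     r'--voci="C:\Users\alice\AppData\Roaming\FlatResist\license.dat"'},
    {"host": "WS02", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def find_hits(tls_records, proc_records) -> List[str]:
    """Return one line per matching TLS connection or process command line."""
    hits: List[str] = []
    for r in tls_records:
        if issuer_matches_icedid(r["issuer"]):
            hits.append(f"tls {r['id.resp_h']} {r['server_name']}")
    for p in proc_records:
        m = _RUNDLL_ICEDID.search(p["cmdline"])
        if m:
            hits.append(f"proc {p['host']} {m.group('dll')}")
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_TLS, SAMPLE_PROCS):
        print(hit)
```

The issuer check is a useful pivot because those four fields are the OpenSSL defaults for a self-signed certificate, so a match on a long-lived outbound TLS connection to a non-internal host is worth a look even when the destination IP or domain is not yet on a blocklist.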