Based on research conducted by Team Cymru, threat actors distributing the IcedID malware are experimenting with different delivery methods to find out which works best against different targets. Since Microsoft blocked macros by default, threat actors and malware developers have been forced to find new delivery methods for their malware, and IcedID is no exception.
IcedID was first discovered in 2017 and clearly fitted the definition of a banking trojan: a piece of malware designed to harvest and steal banking information and credentials.
Over the subsequent years, the malware evolved to include dropper capabilities, allowing it to drop secondary malware payloads onto compromised machines. Researchers have seen Cobalt Strike beacons dropped in this way.
This tactic has been used by other malware strains to drop ransomware, but because security applications can now detect such activity with far higher accuracy, threat actors are looking to other methods that do not involve Cobalt Strike.
IcedID took on the mantle of dropper with vigor and remains one of the most prominent trojans with dropper capabilities on the threat landscape.
Typically the malware was delivered in spam email campaigns, but recently researchers have detected new campaigns using different tactics almost daily.
As Team Cymru noted, several delivery methods were experimented with over the period from September 13 to September 21, 2022. In total, researchers detected four different delivery methods being experimented with over this period.
The first was described by researchers as:
“Password Protected ZIP -> ISO -> LNK -> JS -> [CMD or BAT] -> DLL
Delivery was via a password-protected zip file that contained an ISO which itself contained an LNK file and archive holding the files used for IcedID installation. When the LNK file is clicked by the user, it functions as a shortcut to run a script within the archive that ultimately installs IcedID from a DLL. It is typically launched through either a CMD or BAT script, depending on which was included in the archive.”
The second was given the abbreviation Password Protected ZIP -> ISO -> CHM -> DLL, which, while similar to the method quoted above, differed in its use of a compiled HTML Help file, referred to as a CHM.
To begin the infection process, the victim must open the CHM file, which then launches the DLL.
The third method involves the tried and now soon-to-be-relegated-to-the-scrap-heap technique of emailing malicious Microsoft Office documents that use macros to fetch and install the malware.
Lastly, threat actors were seen using PrivateLoader, a pay-per-install service that distributes malware by hiding it in free software downloaded by unsuspecting users. This method is also used by NetDooka threat actors.
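From a detection standpoint, the two archive-based chains above share a recognisable process lineage on the endpoint. The following is an added example, not Team Cymru's or the article's own code: it walks constructed Sysmon-style process-creation events up their parent chain and flags the LNK -> JS -> [CMD or BAT] -> DLL and CHM -> DLL sequences. The host binaries (wscript.exe, cmd.exe, hh.exe, rundll32.exe) and the E: drive letter for the mounted ISO are assumptions; the article names only the file types.

```python
import re

# Constructed Sysmon-style process-creation events (not from the article).
# Host binaries are assumptions: the article names file types, not processes.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # LNK -> JS -> BAT -> DLL, staged from an ISO mounted as E:
    {"pid": 201, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmd": r'wscript.exe "E:\docs\invoice.js"'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c "E:\docs\run.bat"'},
    {"pid": 203, "ppid": 202, "image": r"C:\Windows\System32\rundll32.exe", "cmd": r'rundll32.exe "E:\docs\loader.dll",#1'},
    # CHM -> DLL variant (hh.exe is the Windows HTML Help viewer)
    {"pid": 301, "ppid": 100, "image": r"C:\Windows\hh.exe", "cmd": r'hh.exe "E:\docs\guide.chm"'},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\rundll32.exe", "cmd": r'rundll32.exe "E:\docs\loader.dll",#1'},
    # Benign: an interactive shell invoking a system DLL entry point
    {"pid": 401, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 402, "ppid": 401, "image": r"C:\Windows\System32\rundll32.exe", "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Each stage is (allowed image basenames, regex the command line must match),
# ordered parent -> child; the final stage is the DLL load described in the article.
CHAINS = {
    "zip-iso-lnk-js-bat-dll": [("wscript.exe|cscript.exe", r"\.js\b"),
                               ("cmd.exe", r"\.(bat|cmd)\b"),
                               ("rundll32.exe|regsvr32.exe", r"\.dll\b")],
    "zip-iso-chm-dll":        [("hh.exe", r"\.chm\b"),
                               ("rundll32.exe|regsvr32.exe", r"\.dll\b")],
}

def stage_matches(ev, stage):
    names, pattern = stage
    base = ev["image"].rsplit("\\", 1)[-1].lower()
    return base in names.split("|") and re.search(pattern, ev["cmd"], re.I) is not None

def find_chains(events, chains=CHAINS):
    """Start at every DLL-load event and walk parents; report only full matches."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for name, chain in chains.items():
        for ev in events:
            if not stage_matches(ev, chain[-1]):
                continue
            lineage, cur = [ev["pid"]], ev
            for stage in reversed(chain[:-1]):
                cur = by_pid.get(cur["ppid"])
                if cur is None or not stage_matches(cur, stage):
                    break
                lineage.append(cur["pid"])
            else:  # every ancestor matched its stage
                hits.append((name, lineage[::-1]))
    return hits
```

The benign cmd.exe -> rundll32.exe pair is deliberately not flagged, because it lacks the script stage; a real deployment would add the image-on-removable-volume check and the parent LNK context that Sysmon exposes.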
Effectiveness and Mistakes
As for the effectiveness of the different delivery methods, researchers noted:
“The campaign with the highest potential victim count was the campaign targeting English speakers that was released the same day as the Italian campaign (13 September). It was delivered via the most common method; a password protected zip file containing an ISO, which contained a LNK file. The second most successful campaign was that which leveraged PrivateLoader on 16 September 16…From our observations, it appears that campaigns leveraging CHM files are less successful, which could explain why we have only seen this technique being used twice. However, we do not have a complete picture - the number of victims may have been proportionately similar (or different) based on the number of users targeted. For example, it is possible the CHM file campaigns were tests against a smaller target base, in which case one might argue that they were successful.”
Researchers also detected several peculiarities dating back to before and during the campaigns. These are best described as mistakes made by threat actors experimenting with different delivery methods.
In one instance, it was clear the email lures were designed to target English speakers, but the pop-up prompting the user to view the malicious document was in Italian.
In another instance, threat actors forgot to start the command-and-control server, meaning that traffic that could have been used to further the threat actor's goals effectively went nowhere.
This failure appears to be related to how the group registers and uses unique IP addresses and command-and-control servers, and attempts to reuse them after a specific period.
It should be noted that campaigns whose lures displayed obvious inconsistencies, such as the use of Italian when targeting English speakers, were far less likely to convert users into victims.
Researchers pointed out that this may be a positive side effect of staff training and cyber-security education's insistence on not clicking anything that looks suspicious. Researchers concluded:
“When it comes to delivery methods, daily campaigns often leverage emails containing password protected zip files and ISOs and perform comparatively well. The relative success of the campaign leveraging PrivateLoader infections, with the malware concealed within ‘cracked’ software downloads, makes this method something also worth watching.”