The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets.
Researchers at Cymru observed several campaigns in September 2022, each following a slightly different infection pathway, which they believe is meant to help the operators evaluate effectiveness.
Moreover, the analysts have noticed changes in how the command and control (C2) server IPs used in the campaigns are managed, which now show signs of sloppiness.
The IcedID malware
The IcedID malware started in 2017 as a modular banking trojan but has since evolved into a malware dropper that is commonly used to gain initial access to corporate networks.
Malware droppers are used to quietly install further malware on an infected device, helping threat actors gain a foothold on a target system and then deploy more potent payloads throughout the network.
Typically, operators of malware droppers sell their services to other cybercriminals, who outsource this part of the attack and focus on post-compromise activities.
From there, IcedID does an excellent job of evading detection and establishing persistence on the host.
Eventually, the malware sets up a proxy to communicate with its C2 via HTTPS and fetches additional payloads as directed by its operators.
Diversifying the delivery chain
Between September 13 and 21, Cymru analysts noticed the following different delivery methods of IcedID on targets:
Password Protected ZIP -> ISO -> LNK -> JS -> [CMD or BAT] -> DLL
Password Protected ZIP -> ISO -> CHM -> DLL
Password Protected ZIP -> ISO -> LNK -> BAT -> DLL
Malicious Word or Excel documents laced with macros
Delivered directly via the PrivateLoader pay-per-install service
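The delivery chains listed above leave a recognizable process lineage on the endpoint: the mounted ISO is opened from explorer.exe, the LNK launches a script interpreter (wscript.exe for JS, cmd.exe for BAT/CMD, hh.exe for CHM) and the final DLL is loaded by rundll32.exe. The following detection logic is an added example from a defender's point of view, not code from the Cymru report; it walks constructed process-creation telemetry (field names, drive letters and file paths are assumptions) and reports every rundll32.exe that loads a DLL from a non-system location with one of those interpreters in its ancestry.

```python
# Added example (defender's stance): reconstruct process lineages from
# constructed endpoint telemetry and flag the interpreter-to-DLL chains that
# correspond to the IcedID delivery paths listed above. Field names, paths
# and the sample events are assumptions, not values from the Cymru report.

# Interpreters and document handlers that sit between the lure and the DLL
# in the chains above (wscript/cscript for JS, cmd for BAT/CMD, hh.exe for
# CHM, Office for macro documents). Keys are lower-case image names.
STAGING_IMAGES = {
    "wscript.exe": "JS", "cscript.exe": "JS", "cmd.exe": "BAT/CMD",
    "hh.exe": "CHM", "winword.exe": "Office macro", "excel.exe": "Office macro",
}
FINAL_LOADER = "rundll32.exe"

# Constructed sample telemetry: one record per process-creation event.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmdline": "C:\\Windows\\explorer.exe"},
    # Chain: ISO -> LNK -> JS -> CMD -> DLL (the LNK runs a JS file on the mounted ISO)
    {"pid": 201, "ppid": 100, "image": "wscript.exe",
     "cmdline": "wscript.exe E:\\documents.js"},
    {"pid": 202, "ppid": 201, "image": "cmd.exe",
     "cmdline": "cmd.exe /c E:\\run.cmd"},
    {"pid": 203, "ppid": 202, "image": "rundll32.exe",
     "cmdline": "rundll32.exe E:\\data\\stage.dll,#1"},
    # Chain: ISO -> CHM -> DLL
    {"pid": 301, "ppid": 100, "image": "hh.exe",
     "cmdline": "hh.exe E:\\invoice.chm"},
    {"pid": 302, "ppid": 301, "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,init"},
    # Benign: printer UI spawned from explorer with a system DLL
    {"pid": 401, "ppid": 100, "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\printui.dll,PrintUIEntry"},
]


def lineage(events, pid):
    """Return image names from the root ancestor down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def loads_nonsystem_dll(cmdline):
    """rundll32 pointing at a DLL outside C:\\Windows is the interesting case."""
    lowered = cmdline.lower()
    return ".dll" in lowered and "c:\\windows\\" not in lowered


def find_delivery_chains(events):
    """Return (stages, lineage) for every rundll32 that loads a DLL from a
    non-system location and has a staging interpreter in its ancestry."""
    findings = []
    for e in events:
        if e["image"].lower() != FINAL_LOADER or not loads_nonsystem_dll(e["cmdline"]):
            continue
        chain = lineage(events, e["pid"])
        stages = [STAGING_IMAGES[img] for img in chain if img in STAGING_IMAGES]
        if stages:
            findings.append((" -> ".join(stages + ["DLL"]), " > ".join(chain)))
    return findings


if __name__ == "__main__":
    for stages, chain in find_delivery_chains(SAMPLE_EVENTS):
        print(f"{stages:22s} via {chain}")
```

Run as-is it reports the JS -> BAT/CMD -> DLL and CHM -> DLL lineages and ignores the printui.dll case; in a real deployment the same walk would be run over Sysmon event ID 1 or EDR process-creation records, and the "non-system DLL" test would normally be tightened to the mount drive letters and user-writable paths seen in the environment.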
These campaigns used either the Italian language or English, with the former having smaller-scale success than the latter.
In terms of which methods were most effective, Cymru comments that the campaign using the ISO → LNK chain was the most successful, followed by PrivateLoader campaigns that employed gaming crack lures.
On the other hand, campaigns using CHM files were the least successful, employed on a limited scale, probably for tentative testing.
Excel files targeting English-speaking users but using Italian for the “View” button also failed to victimize targets, who likely recognized that as a sign of fraud.
“These metrics are numbers the threat actors are watching as well, and just like any other business, may influence their future actions,” explained the Cymru report.
Growing sloppy?
Starting from mid-September, the operators of IcedID began experimenting with IP address and domain reuse for their C2 servers, whereas previously they had used unique IPs for each campaign. However, this was reverted at the end of the month.
Another notable change is the shorter lifespan of the IP addresses used as IcedID C2s, which were previously parked for an average of 31 days before being enabled, to help evade security systems and firewalls that block newly registered domains.
Now, IcedID uses “fresh” domains for its C2s registered only a few days before, demonstrating a lack of care compared to their established methods.
However, Cymru says this led to sloppy provisioning where the threat actors brought new command and control servers online before other infrastructure was enabled, causing communication to break.
“Unlike the other C2s we’ve tracked which were registered an average of 31 days prior to being used in a campaign, this domain was the first to be registered only one day before it was a C2,” the researchers explained.
“It was assigned to this IP the day of the campaign, which is normal, but T2 communications appear to have never been set up. Potential victim traffic is hitting the C2, but it goes nowhere.”
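The domain-age gap the researchers describe (an average of 31 days of parking versus a domain registered one day before use) is exactly the signal that newly-registered-domain blocking relies on. The following is an added example, not code from the Cymru report, of how a defender can apply that check to outbound proxy traffic: it parses constructed proxy log lines, looks up each host's registration date in a constructed table (the kind of data obtained from passive DNS or WHOIS) and reports connections to domains younger than a threshold at the moment of contact. The log format, domain names, dates and the 7-day threshold are all assumptions.

```python
# Added example (defender's stance): flag outbound connections to domains
# registered only a few days before first contact, the "fresh" C2 domain
# pattern described above. Log format, domains, dates and the threshold are
# constructed assumptions, not values from the Cymru report.
from datetime import date, datetime

# Constructed registration table (lower-case domain -> registration date).
REGISTRATION_DATES = {
    "long-parked.example": date(2022, 8, 13),   # 31 days before first contact
    "fresh-c2.example": date(2022, 9, 19),      # one day before first contact
    "corp-portal.example": date(2015, 3, 2),    # long-established, benign
}

# Constructed proxy log lines: "<timestamp> <client> <action> <host:port>"
SAMPLE_PROXY_LOG = """\
2022-09-13T09:12:41Z 10.0.4.17 CONNECT long-parked.example:443
2022-09-20T14:03:09Z 10.0.4.23 CONNECT fresh-c2.example:443
2022-09-20T14:05:11Z 10.0.4.23 CONNECT corp-portal.example:443
2022-09-21T08:00:00Z 10.0.4.40 CONNECT unknown-host.example:443
"""


def parse_line(line):
    """Split one log line into (date of contact, client IP, lower-case host)."""
    ts, client, _action, hostport = line.split()
    host = hostport.rsplit(":", 1)[0].lower()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(), client, host


def domain_age_days(host, seen_on, registry=REGISTRATION_DATES):
    """Days between registration and the contact date, or None if the
    domain is not in the registry (unknown age is itself worth noting)."""
    registered = registry.get(host)
    return None if registered is None else (seen_on - registered).days


def flag_young_domains(log_text, max_age_days=7, registry=REGISTRATION_DATES):
    """Return (young, unknown): connections to domains no older than
    `max_age_days` at contact time, and connections to domains with no
    registration record. Blank lines are skipped."""
    young, unknown = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        seen_on, client, host = parse_line(line)
        age = domain_age_days(host, seen_on, registry)
        if age is None:
            unknown.append((client, host))
        elif age <= max_age_days:
            young.append((client, host, age))
    return young, unknown


if __name__ == "__main__":
    young, unknown = flag_young_domains(SAMPLE_PROXY_LOG)
    for client, host, age in young:
        print(f"{client} -> {host}: registered {age} day(s) before contact")
    for client, host in unknown:
        print(f"{client} -> {host}: no registration record")
```

The age is computed against the date of the connection rather than today's date, so a log replayed weeks later still reproduces the verdict that applied when the traffic occurred; domains absent from the table are reported separately rather than silently treated as old.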
While it’s good to see an erosion of infrastructure for the malware campaign, end users cannot rely on this to prevent infection.
As always, the best way to minimize the chances of an IcedID infection is by carefully reviewing incoming emails for signs of fraud or phishing and treating all unsolicited communications with suspicion.