Tracking Emotet payload: IcedID

Friday, November 17, 2017
IceID Trojan Fidelis

In June 2017, Fidelis Cybersecurity was alerted to a new banking trojan that appeared to be doing very small delivery campaigns for testing purposes. This malware has since been named IcedID by IBM(1), and remains alive in an ongoing development cycle. IBM’s own report provides a good overview of the malware, and as such our report is meant to provide supplementary research to the community.

Key Findings

  • IcedID, active since at least June 2017, continues to be an active threat today.
  • In July 2017, IceID was updated to include spreader functionality.
  • We include the target list, bot history, and encoding mechanism details to extend community knowledge.

That early instance of IcedID was using a crypter not seen before, and as such we wrote a detection in order to find additional samples or a potential delivery mechanism. That effort resulted in roughly 30 additional samples using the same crypter spread out across a few malware families. Tracking the crypter led to a number of Emotet samples, which after pulling payloads for a few weeks we managed to get a IcedID delivery from Emotet confirming suspicions of Emotet delivery based on crypter reuse, along with IBMs reporting of Emotet deliveries.

Early instances of IceID:

The bot is setup to either accept no parameters or a switch parameter of /w or /s. The parameter ‘/s’ causes the bot to skip establishing persistence, while the parameter ‘/w’ is used by the unhandled exception filter setup by the bot to restart itself.

Ztrak 1

Figure 1 Command Line Parameters

Strings in the malware are encoded with a custom XOR routine with a DWORD xor key that gets permutated for each byte iteration on the encoded string. Below is IDA python code to decode the string:

Figure 2 String decoding

The decoded string output is shown below:

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Run
C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only; CN=VeriSign Class 3 Public Primary Certification Authority  - G5
CN=.com
%0.8X.tmp
HTTP/1.1 200 OK
Content-Length: %i
Connection: close
%u           %u           %s
%s /test.php?%c=%u&%c=%0.8X%0.8X%0.2X&%c=%u&%c=%u
&%c=%u&%c=%u&%c=%u&%c=%u&%c=%u
application/x-www-form-urlencoded
 HTTP/1.1
Connection: close
Content-Type: %s
Content-Length: %u
Host: %s
%u.%u.%u.%u.%u.%u
%0.8X%s
D:(A;;GA;;;WD)(A;;GA;;;AN)S:(ML;;NW;;;S-1-16-0)
RuntimeBroker.exe
GET /data.php?
 HTTP/1.1
Host: 127.0.0.1
Upgrade: websocket
Connection: Upgrade
tmp%0.8X01.dat
Software\Classes\CLSID\

 

The onboard config, C2 list, and needed RSA public keys are also stored in an encoded form. These are decoded with a different routine shown here:

Figure 3 Other data decoding

Initial C2 communications contains the parameters k=<computername>&l=<network name>, along with OS information. The return data will be a list of numbers, each one corresponding to a unique command to run. The malware performs a lookup by taking the number and using it as an index into a jump table.

Figure 4 Jump table for C2 commands

Some available commands include:

  • Pull target list
  • Update C2 list
  • Update
  • Winexec
  • Pull down process information
  • Initiate VNC
  • Read registry data
  • Start deleting files from current directory

The remaining C2 communications are encoded by having an 8 byte RC4 key prepended to an RC4 encrypted blob. Once decrypted, the blob of data has a 4 byte marker (‘zeus’) followed by a 4 byte length value. The rest of the data is then decompressed depending on the header, either GZIP or DEFLATE is used skipping the GZIP section if no GZIP header is found. This decompressed data will then have an RSA signature hash on top of it when the returned data is an updated list of C2s.

Figure 5 Decode RSA Public key and Check Signature

C2 data is stored locally in then registry using a technique reminiscent of Vawtrak, where it takes some hardcoded strings and mutates these strings along with a DWORD based on computer data. Instead of creating a pseudo random string like in Vawtrak, this malware instead MD5 hashes the string, and then updates the hash with the computer DWORD value,and then finally produces a unique hash which is turned into a QUID for data storage in ‘Software\Classes\CLSID\’. This data is encoded just like the blobs of data from inside the malware itself, except the DWORD key is the computer based DWORD.

Hardcoded String

Data

*cfg0

Target list

*cfg1

Webinjects

*rtd

C2 list

*bc*

VNC Dlls

 

Spreader Update:

In early July another version of this malware was seen with two immediately noticeable additions. For one, the data section of the binary was now encoded to completely hide any and all strings. After decoding this section, the strings previously seen were still encoded in the same manner as the earlier version.

In addition to encoding its data section, there was also a new command present, a spreading command. There are additional encoded strings related to the report it builds as it attempts to brute accounts and spread.

 

[WORM] Start
[WORM] InDomain
[WORM] InDomain = %u
[WORM] InLan
[WORM] End
[WORM] AD Admin List %p
[WORM] AD Admin Brut Fail
[WORM] AD Admin Brut U:%ws P:%ws
​[WORM] I'm Dom Admin
[WORM] AD PC List %p

 

 

Password list for bruting:

Figure 6 Bruting Password List

The spreading component to this banker was added very closely to the same time period as Emotet added their first version, however code comparison showed that it was quite a bit different.

At this point we began closely monitoring the infrastructure and webinject target lists, such as their addition of lik0sa1.com to the webinjects on 13 Oct. This information is parsed and detailed in the tables that follow.

15-Jun-17

Webinject/Fakes C2s

 
 

securefinance.net

Targets

 
 

adp.com

 

wellsfargo.com

 

amazon

 

americanexpress.com

 

bankofamerica.com

 

chase.com

 

citi.com

 

discover.com

 

gmail

 

hotmail

 

outlook

   

30-Jun-17

Targets added

 
 

\/(pbi_pbi|PBI_PBI|ebc_ebc|EBC_EBC)1961\/

   

10-Jul-17

Webinject/Fakes C2s

 
 

payfinance.net

   

16-Aug-17

Targets removed

 
 

gmail

 

outlook

 

hotmail

Inject changed

 
 

Wellsfargo

   

6-Sep-17

Regexs Changed

 
 

americanexpress

 

wellsfargo

 

amazon

 

chase

 

bankofamerica

   

13-Sep-17

Targets added

 
 

gmail, outlook,hotmail added back in

18-Sep-17

Targets added

 
 

tdbank

   

26-Sep-17

Targets added

 
 

bbt.com

   

11-Oct-17

Targets added

 
 

key.com

 

jpmorgan.com

 

citibusiness

 

bankofamerica cashpro

 

wellsfargo wellsoffice

   

13-Oct-17

Webinject/Fakes C2s

 
 

Webinjects added for lik0sa1.com for bankofamerica

   

24-Oct-17

Targets added

 
 

citicard

   

27-Oct-17

Targets added

 
 

verizonwireless.com

   

3-Nov-17

Targets added

 
 

virwox.com

 

IOCs:

1cd6f992fbeee0a66e1c329e15db71fe891ae0e845867d6d30df867babe5bed6

f3c98c0dce4e114ba1756da299c48a9430b9df93f2c3d030d21096b5d2418c7b

 

mytimearena.com
myzonearena.com
myareantime.com

IP used and date noted:

185.98.86.55

26-Jun-17

185.127.26.227

26-Jun-17

82.146.40.253

17-Jul-17

185.5.251.33

4-Oct-17

Jason Reaves,
Principal Threat Researcher

References:

  1. https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

 

Vawtrak Trojan: Bank on it Evolving Emotet takes wing with a spreader Emotet Evolution: The Spreader Gets Integrated