{"id":17084,"date":"2019-12-03T11:10:04","date_gmt":"2019-12-03T19:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/12\/03\/news-10820\/"},"modified":"2019-12-03T11:10:04","modified_gmt":"2019-12-03T19:10:04","slug":"news-10820","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/03\/news-10820\/","title":{"rendered":"New version of IcedID Trojan uses steganographic payloads"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Tue, 03 Dec 2019 18:06:13 +0000<\/strong><\/p>\n

This blog post was authored by @hasherezade, with contributions from @siri_urz and J\u00e9r\u00f4me Segura.<\/em><\/p>\n

Security firm Proofpoint recently published a report<\/a> about a series of malspam campaigns they attribute to a threat actor called TA2101. Originally targeting German and Italian users with Cobalt Strike and Maze ransomware, the later wave of malicious emails were aimed at the US and pushing the IcedID Trojan.<\/p>\n

During our analysis of this spam campaign, we noticed changes in how the payload was implemented, in particular with some code rewritten and new obfuscation. For example, the IcedID Trojan is now being delivered via steganography<\/a>, as the data is encrypted and encoded with the content of a valid PNG image. According to our research, those changes were introduced in September 2019<\/a> (while in August 2019<\/a> the old loader was still in use).<\/p>\n

The main IcedID module is stored without the typical PE header and is run by a dedicated loader that uses a custom headers structure. Our security analyst @hasherezade previously described this technique in a talk at the SAS conference (Funky Malware Formats<\/a>). <\/p>\n

In this blog post, we take a closer look at these new payloads and describe their technical details.<\/p>\n

Distribution<\/h3>\n

Our spam honeypot collected a large number of malicious emails containing the “USPS Delivery Unsuccessful Attempt Notification” subject line.<\/p>\n

\"\"<\/a><\/figure>\n

Each of these emails contains a Microsoft Word document as attachment allegedly coming from the United States Postal Service. The content of the document is designed to lure the victim into enabling macros by insinuating that the content had been encoded.<\/p>\n

\"\"<\/a><\/figure>\n

Having a look at the embedded macros, we can see the following elements:<\/p>\n

\"\"<\/a><\/figure>\n

There is a fake error message displayed to the victim, but more importantly, the IcedID Trojan authors have hidden the malicious instructions within a UserForm as labels.<\/p>\n

\n
\"\"
The labels containing numerical ASCII values <\/figcaption><\/figure>\n<\/div>\n

The macro grabs the text from the labels, converts it, and uses during execution:<\/p>\n

url1 = Dcr(GH1.Label1.Caption)
path1 = Dcr(GH1.Label2.Caption)<\/pre>\n
For example: <\/p>\n
104 116 116 112 58 47 47 49 48 52 46 49 54 56 46 49 57 56 46 50 51 48 47 119 111 114 100 117 112 100 46 116 109 112<\/em>
converts to: http:\/\/104.168.198.230\/wordupd.tmp<\/p>\n
67,58,92,87,105,110,100,111,119,115,92,84,101,109,112,92,101,114,101,100,46,116,109,112<\/em>
converts to: C:WindowsTempered.tmp<\/pre>\n
The file wordupd.tmp is an executable downloaded with the help of the URLDownloadToFileA function, saved to the given path and run. Moving on, we will take a closer look at the functionality and implementation of the downloaded sample.<\/p>\n
Behavioral analysis<\/h3>\n
As it had before, IcedID has been observed making an injection into svchost<\/em>, and running under its cover. Depending on the configuration, it may or may not download other executables, including TrickBot<\/a>.<\/p>\n
Dropped files<\/h4>\n
The malware drops various files on the disk. For example, in %APPDATA%, it saves the steganographically obfuscated payload (photo.png<\/em>) and an update of the downloader:<\/p>\n
\"\"<\/figure>\n
It also creates a new folder with a random name, where it saves a downloaded configuration in encrypted form:<\/p>\n
\"\"<\/figure>\n
Inside the %TEMP% folder, it drops some non-malicious helper elements: sqlite32.dll<\/em> (that will be used for reading SQLite browser databases found in web browsers), and a certificate that will be used for intercepting traffic:<\/p>\n
\"\"<\/figure>\n
Looking at the certificate, we can see that it was signed by VeriSign:<\/p>\n
\"\"<\/figure>\n
Persistence<\/h4>\n
The application achieves persistence with the help of a scheduled task:<\/p>\n
\"\"<\/a><\/figure>\n
The task has two triggers: at the user login and at the scheduled hour.<\/p>\n
Overview of the traffic<\/h4>\n
Most of the traffic is SSL encrypted. We can also see the use of websockets and addresses in a format such as “data2php?<key><\/em>“,  “data3.php?<key><\/em>“.<\/p>\n
\"\"<\/figure>\n
\"\"<\/a><\/figure>\n
Attacking browsers<\/h4>\n
The IcedID Trojan is known as a banking Trojan, and indeed, one of its important features is the ability to steal data related to banking transactions. For this purpose, it injects its implants into browsers, hooks the API, and performs a Man-In-The-Browser attack<\/a>.<\/p>\n
Inside the memory of the infected svchost<\/em> process we can see the strings with the configuration for webinjects. Webinjects are modular (typically HTML and JavaScript code injected into a web page for the purpose of stealing data).<\/p>\n
\"\"
Webinjects configuration in the memory of infected svchost<\/figcaption><\/figure>\n
The core bot that runs inside the memory of svchost<\/em> observes processes running on the system, and injects more implants into browsers. For example, looking at Mozilla Firefox:<\/p>\n
\"\"
The IcedID implant in the browser’s memory<\/figcaption><\/figure>\n
By scanning the process with PE-sieve<\/a>, we can detect that some of the DLLs inside the browser have been hooked and their execution was redirected to the malicious module.<\/p>\n
In Firefox, the following hooks have been installed:<\/p>\n