{"id":18608,"date":"2022-03-28T13:40:11","date_gmt":"2022-03-28T21:40:11","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/28\/news-12341\/"},"modified":"2022-03-28T13:40:11","modified_gmt":"2022-03-28T21:40:11","slug":"news-12341","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/03\/28\/news-12341\/","title":{"rendered":"Spoofed Invoice Used to Drop IcedID"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Thanks to Val Saengphaibul and Fred Gutierrez who helped contribute to this blog.<\/i><\/p>\n<p><b>Affected Platforms:<\/b> Windows<br \/> <b>Impacted Users:<\/b> Windows users<br \/> <b>Impact: <\/b>Compromised machines are under the control of the threat actor<br \/> <b>Severity Level: <\/b>Medium <\/p>\n<p>Spearphishing crafted with industry-specific terms derived from intelligence gathering techniques to trick a recipient into opening a file is especially difficult to identify. This is especially true when an adversary has knowledge of how a business works and the processes that underpin it. Using this knowledge, a lure can be crafted that takes advantage of these day-to-day processes \u2013 for example, settling the cost of a fuel transaction.<\/p>\n<p>FortiGuard Labs recently encountered such a scenario, where a fuel company in Kyiv, Ukraine received a spearphishing e-mail that contained an attached invoice\u2014seemingly from another fuel provider\u2014that was spoofed. The attachment is a zip file that contains the IcedID Trojan.<\/p>\n<p>IcedID has been observed as far back as 2017. Its primary function is to steal banking credentials and personal information. 
It is also capable of deploying additional malware from the same group or from partner organizations.<\/p>\n<p>This instance also uses an interesting deployment method. The payload is delivered inside an ISO image, which Windows 8 and later mount as a virtual disk when the user double-clicks it (ISO files are more commonly used to create bootable media or to install an operating system or virtual machine). A practical reason attackers favored this container at the time: files inside a mounted ISO did not inherit the Mark of the Web from the downloaded archive, so the SmartScreen and Protected View warnings that a downloaded document would trigger were never shown. The ISO also contains a LNK (shortcut) file that launches a DLL (Dynamic-link Library).<\/p>\n<p>This blog details the infection process and subsequent malware deployment by the threat actors behind IcedID.<\/p>\n<h2><b>The Phishing E-mail<\/b><\/h2>\n<p>The e-mail originated from an IP address in Belize, 179[.]60[.]150[.]96. The sender address is spoofed so that the message appears to come from another fuel provider in Ukraine. The e-mail mixes English and Ukrainian and looks realistic, not least because it mentions extra security measures regarding the attachment.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image.img.png\/1648489887167\/img1.png\" alt=\"Example of Phishing e-mail.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Phishing e-mail.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Attached to the e-mail is a file named \u201cinvoice_15.zip\u201d. Extracting the Zip file yields \u201cinvoice_15.iso\u201d and begins the first phase of infection.<\/p>\n<h2><b>ISO<\/b><\/h2>\n<p>Windows can mount ISO files as virtual disks. 
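The shortcut inside the ISO is the first thing an analyst should inspect, and it can be read without ever clicking it: the Shell Link format records the target path, the command-line arguments and the creation timestamp in a fixed header. The following Python is an added example, not code from the original post or from FortiGuard Labs. It parses the parts of a .lnk file that matter for triage, flags shortcuts whose target is a proxy-execution binary such as regsvr32.exe, and recovers the creation time (the same field that shows the shortcut was built before the e-mail was sent). The shortcut it parses is constructed in the block itself to stand in for the "document" shortcut from this campaign; the relative path, the "main.dll" argument and the creation date are assumptions modelled on the post, not bytes taken from the real sample.

```python
import struct
from datetime import datetime, timedelta, timezone

# Shell Link (.lnk) binary format, MS-SHLLINK. Only the pieces needed for triage are parsed.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData blocks always appear in this order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# size, CLSID, flags, attrs, create/access/write FILETIME, file size, icon index,
# show command, hotkey, three reserved fields: 76 bytes in total.
HEADER_FMT = "<I16sIIQQQIiIHHII"
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Binaries that run someone else's code when handed the right argument (proxy execution).
PROXY_EXECUTION = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe"}


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # timedelta // timedelta yields an exact int, avoiding float rounding on large values.
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_lnk(data):
    """Return header timestamps and StringData fields of a Shell Link file."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags, _attrs, ctime, _atime, wtime = fields[:7]
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:      # u16 IDListSize followed by the item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"created": filetime_to_datetime(ctime), "written": filetime_to_datetime(wtime)}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # character count, not byte count
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252")
            off += count
    return info


def triage(info):
    """Reasons a shortcut deserves a closer look; an empty list means nothing obvious."""
    target = (info.get("relative_path") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = (info.get("arguments") or "").lower()
    reasons = []
    if target in PROXY_EXECUTION:
        reasons.append(f"target is a proxy-execution binary ({target})")
    if ".dll" in args:
        reasons.append(f"arguments load a DLL ({args})")
    return reasons


def build_lnk(relative_path, arguments, created):
    """Build a minimal Unicode .lnk carrying only RelativePath and arguments (test input)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    ft = datetime_to_filetime(created)
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20, ft, ft, ft,
                         0, 0, 1, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed stand-in for the "document" shortcut: path, argument and date are assumptions.
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\regsvr32.exe", "main.dll",
                       datetime(2022, 3, 1, 9, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed)
    print(triage(parsed))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by size, so the same code reads a shortcut pulled from a mounted ISO. The creation timestamp comes from the header, which the attacker's build machine set, so it says when the lure was assembled rather than when it arrived.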
Doing so presents the user with a single visible item, a shortcut named \u201cdocument\u201d. Explorer never shows the .lnk extension of a shortcut, regardless of the \u201cHide extensions for known file types\u201d setting, so the entry looks like an ordinary document.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_2065500851.img.png\/1648489928801\/img2.png\" alt=\"Screenshot shows ISO file with contents hidden.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. ISO file with contents hidden.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When hidden files are shown, the ISO is seen to also contain a DLL file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_1464906062.img.png\/1648489966948\/img3.png\" alt=\"Full contents of the ISO file.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. 
Full contents of the ISO file.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>LNK<\/b><\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_1964686593.img.png\/1648489992079\/img4.png\" alt=\"Shortcut details.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Shortcut details.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As seen in Figure 4, the shortcut file was created some time before the phishing e-mail was sent. The highlighted area shows the command that runs when a user double-clicks the shortcut.<\/p>\n<p>In this case the shortcut runs regsvr32.exe against \u201cmain.dll\u201d. Regsvr32 does not merely \u201cregister\u201d the file: it loads the DLL into its own process and calls the DLL\u2019s DllRegisterServer export, so whatever code the attacker placed in that export executes under a signed Microsoft binary (ATT&amp;CK T1218.010, System Binary Proxy Execution: Regsvr32). That call begins the next phase of infection.<\/p>\n<h2><b>Dropper<\/b><\/h2>\n<p>\u201cmain.dll\u201d acts as a dropper for IcedID. Static analysis of the file reveals an interesting point.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_483182122.img.png\/1648490030956\/fig5.png\" alt=\"Example of strings embedded in \u201cmain.dll\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. 
Example of strings embedded in \u201cmain.dll\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>What appears at first glance to be an easy win for IOCs (Indicators of Compromise), because it contains a domain and an IP address, turns out to be more complicated.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_820091711.img.png\/1648490070453\/img66.png\" alt=\"Code represented in IDA Pro showing the information from Figure 5.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. Code represented in IDA Pro showing the information from Figure 5.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Looking at the area of code where the strings in Figure 5 are stored, we find that nothing in \u201cmain.dll\u201d ever references it. IDA marks data that is used elsewhere with a \u201cDATA XREF\u201d annotation, as on the right-hand side of the very first line in Figure 6; the strings from Figure 5 carry no such annotation, so no code path reads them.<\/p>\n<p>Investigating further, the story becomes even more interesting. 
This code appears in a StackOverflow question from approximately 10 years ago concerning an issue with downloading an image over HTTP (<a href=\"https:\/\/stackoverflow.com\/questions\/9389183\/downloading-a-picture-with-http-get-only-downloads-a-small-part-of-it\" target=\"_blank\">https:\/\/stackoverflow.com\/questions\/9389183\/downloading-a-picture-with-http-get-only-downloads-a-small-part-of-it<\/a>). There is no malicious intent in that posting.<\/p>\n<p>Its presence in \u201cmain.dll\u201d is best explained as a decoy: plausible-looking but unreferenced network strings are planted so that an analyst who harvests indicators from static strings blocks the wrong infrastructure, while the real C2 addresses, which only appear at run time, go unblocked. Network indicators for this sample should therefore be taken from dynamic analysis (Figures 8 and 9), not from the strings table.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_831026654.img.png\/1648490103782\/img7.png\" alt=\"Information gathering by IcedID.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. Information gathering by IcedID.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen in Figure 7, once running, the malware uses several built-in Windows command-line tools to profile the local environment: capturing the local IP configuration (ipconfig), enumerating domain trusts (nltest), listing domain administrators (net group), and others. The output tells the operator whether the host is domain-joined and worth follow-on payloads.<\/p>\n<p>The sample then tries to communicate outbound to a command and control (C2) server. 
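The two behaviours described so far, a user-launched regsvr32 loading a DLL from a mounted ISO and a burst of built-in discovery commands from one parent process, are what an endpoint detection should key on, since the C2 addresses rotate and the static strings are decoys. The following Python is an added example, not code from the original post or from FortiGuard Labs: it runs two such rules over process-creation events. The events are constructed inline to mirror the chain in this post (regsvr32 on main.dll from a D: drive, then ipconfig, nltest and net group), plus two benign events to show what the rules ignore; the drive letter, process IDs, parent relationships and timestamps are assumptions, not data from the real incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule 1: regsvr32/rundll32 used as a proxy to load a DLL that lives outside
# %SystemRoot% (e.g. on a mounted ISO), or that was launched from Explorer,
# i.e. by a user double-clicking something such as the "document" shortcut.
PROXY_LOADERS = {"regsvr32.exe", "rundll32.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}
DLL_ARG = re.compile(r'"?([^"\s]+\.dll)"?', re.IGNORECASE)

# Rule 2: several distinct discovery tools spawned by one parent in a short window.
DISCOVERY_TOOLS = {"ipconfig.exe", "nltest.exe", "net.exe", "net1.exe",
                   "whoami.exe", "systeminfo.exe"}
BURST_WINDOW = timedelta(minutes=2)
BURST_MIN_DISTINCT = 3


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_proxy_dll_load(event):
    """Alert dict for a suspicious proxy DLL load, else None."""
    if basename(event["image"]) not in PROXY_LOADERS:
        return None
    match = DLL_ARG.search(event["command_line"])
    if not match:
        return None
    dll = match.group(1)
    interactive = basename(event["parent_image"]) in INTERACTIVE_PARENTS
    outside_system_root = not dll.lower().startswith("c:\\windows\\")
    if interactive or outside_system_root:
        return {"rule": "proxy_dll_load", "host": event["host"],
                "pid": event["pid"], "dll": dll}
    return None


def rule_discovery_burst(events):
    """One alert per (host, parent pid) that spawns >= BURST_MIN_DISTINCT
    distinct discovery tools within BURST_WINDOW."""
    by_parent = defaultdict(list)
    for event in events:
        if basename(event["image"]) in DISCOVERY_TOOLS:
            by_parent[(event["host"], event["ppid"])].append(event)
    alerts = []
    for (host, ppid), children in by_parent.items():
        children.sort(key=lambda e: e["ts"])
        for i, first in enumerate(children):
            in_window = [e for e in children[i:] if e["ts"] - first["ts"] <= BURST_WINDOW]
            tools = {basename(e["image"]) for e in in_window}
            if len(tools) >= BURST_MIN_DISTINCT:
                alerts.append({"rule": "discovery_burst", "host": host,
                               "pid": ppid, "tools": sorted(tools)})
                break
    return alerts


def detect(events):
    alerts = [a for a in map(rule_proxy_dll_load, events) if a]
    alerts.extend(rule_discovery_burst(events))
    return alerts


def make_event(ts, pid, ppid, parent_image, image, command_line, host="ws01"):
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": pid, "ppid": ppid,
            "parent_image": parent_image, "image": image, "command_line": command_line}


# Constructed process-creation events modelled on the chain in this post.
# Drive letter, PIDs, parents and timestamps are assumptions, not incident data.
SAMPLE_EVENTS = [
    make_event("2022-03-28T10:00:00", 4100, 2200, r"C:\Windows\explorer.exe",
               r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe D:\main.dll"),
    make_event("2022-03-28T10:00:03", 4110, 4100, r"C:\Windows\System32\regsvr32.exe",
               r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    make_event("2022-03-28T10:00:04", 4112, 4100, r"C:\Windows\System32\regsvr32.exe",
               r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    make_event("2022-03-28T10:00:05", 4115, 4100, r"C:\Windows\System32\regsvr32.exe",
               r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    # Benign: a service registering a Microsoft DLL from System32 (no alert).
    make_event("2022-03-28T10:30:00", 5000, 800, r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"),
    # Benign: a lone ipconfig from an administrator's shell (no burst).
    make_event("2022-03-28T11:00:00", 6000, 900, r"C:\Windows\System32\cmd.exe",
               r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately independent of the DLL name, the drive letter and the C2 addresses, so they survive the next rebuild of the lure; the thresholds (two minutes, three distinct tools) are the knobs to tune against a baseline of legitimate administrator activity.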
The malware carries multiple C2 addresses and falls back to the next one if a destination becomes unavailable, so blocking a single address from the IOC list is not enough; all of them should be blocked together.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_1146312932.img.png\/1648490140200\/img8.png\" alt=\"Figure 8. Network communication.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Network communication.<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_1885940633.img.png\/1648490152569\/img9.png\" alt=\"Figure 9. HTTP GET request.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. HTTP GET request.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once a connection to a C2 server has been made, the malware moves to establish persistence. 
It installs a copy of itself, \u201cArur.exe\u201d (Figure 10), in the user\u2019s temp directory, %LOCALAPPDATA%\\Temp (that is, C:\\Users\\&lt;user&gt;\\AppData\\Local\\Temp), a location that is writable without elevation and rarely inspected. A newly created executable in a user\u2019s Temp directory is worth hunting for in its own right.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image_975575564.img.png\/1648490179165\/omg10.png\" alt=\"Figure 10. Dropping \u201cArur.exe\u201d into the Temp directory.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. Dropping \u201cArur.exe\u201d into the Temp directory.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>Conclusion<\/b><\/h2>\n<p>Threat actors who know their targets increase their chances of installing an implant within an organization. The effort behind this IcedID attack highlights the group\u2019s methodical approach, as evidenced by its research into Ukraine&#8217;s retail fuel industry. 
Additionally, the use of an uncommon delivery method (a zipped ISO file) to establish a foothold, and ultimately persistence, within an organization shows the lengths to which the actors will go to obtain unauthorized access. Defensively, the chain has two choke points that do not depend on signatures: the mail gateway can quarantine ISO and LNK attachments, including inside archives, and application control can stop regsvr32 from loading DLLs that sit outside the Windows directory or on mounted and removable media.<\/p>\n<h2><b>Fortinet Protections<\/b><\/h2>\n<p>All IcedID samples mentioned in this blog are detected by the following (AV) signatures:<\/p>\n<p style=\"margin-left: 40.0px;\">W32\/Kryptik.HOTN!tr<br \/> W64\/Kryptik.CXY!tr<br \/> LNK\/IceID.AW!tr<\/p>\n<p>All network-based URIs are blocked by the WebFiltering client.<\/p>\n<p>Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:<\/p>\n<p>The\u00a0<a href=\"https:\/\/www.fortinet.com\/products\/phishing-simulation\">FortiPhish Phishing Simulation Service\u00a0<\/a>uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.<\/p>\n<p>In addition to these protections, we suggest that organizations also have their end users go through our\u00a0FREE\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE training<\/a>:\u00a0<a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. 
It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from various types of phishing attacks.<\/p>\n<h2><b>IOCs<\/b><\/h2>\n<h2><b>Network IOCs:<\/b><\/h2>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"375\">\n<tbody>\n<tr>\n<td width=\"375\" valign=\"bottom\">\n<p>160[.]153[.]32[.]99<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"375\" valign=\"bottom\">\n<p>160[.]90[.]198[.]40<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"375\" valign=\"bottom\">\n<p>yourgroceries[.]top<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"375\" valign=\"bottom\">\n<p>ssddds1ssd2[.]com<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"375\" valign=\"bottom\">\n<p>ip-160-153-32-99[.]ip[.]secureserver[.]net<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>Learn more about Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/spoofed-invoice-drops-iced-id\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-invoice-drops-iced-id\/_jcr_content\/root\/responsivegrid\/image.img.png\/1648489887167\/img1.png\"\/><br \/>FortiGuard Labs discovered a spearphishing email for a Ukrainian fuel company with an attached invoice\u2014seemingly from another fuel provider\u2014that contains the IcedID 
Trojan. Read to learn more about the infection process and subsequent malware deployment by the threat actors behind IcedID.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18608","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18608"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18608\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}