On April 14, the Computer Emergency Response Team of Ukraine (CERT-UA) issued a new alert warning of an ongoing cyber-attack that leverages the infamous IcedID malware to compromise Ukrainian state bodies. IcedID, also tracked as BankBot or BokBot, is a banking Trojan primarily designed to harvest financial data and steal banking credentials.
With medium confidence, the malicious activity observed in this IcedID campaign is attributed to the adversary behavior patterns of a group tracked as UAC-0041. Besides IcedID, these threat actors are known to have used the AgentTesla and XLoader malware strains in earlier cyber-attacks against Ukrainian critical infrastructure.
IcedID first came to light in 2017, targeting US and Canadian banks; since then it has been used in a series of adversary campaigns against financial institutions, telecom and e-commerce providers, and other organizations around the globe.
IcedID was originally designed as a banking Trojan and info stealer capable of dumping banking credentials, accessing victims' financial data, and performing automated fraudulent transactions. Once on a compromised host, the malware monitors the victim's browsing activity and launches man-in-the-browser attacks. Such an attack typically involves three steps: web injection, proxy configuration, and redirection. Through this routine, IcedID can lure victims via social engineering, defeat multi-factor authentication (for example, by prompting for one-time codes through injected page content), and gain access to banking accounts. Beyond its data-stealing capabilities, IcedID is frequently used as a dropper for second-stage malware; in particular, recent IcedID campaigns show the strain being extensively leveraged to deliver ransomware payloads.
In the most recent cyber-attack on Ukrainian government bodies, the banking Trojan is distributed via documents carrying malicious macros; once enabled, the macro runs the loader component of the IcedID infection chain, which ends in the compromise of the targeted infrastructure.
To detect the newly discovered IcedID attacks, security practitioners can leverage a set of curated Sigma rules available within the extensive detection stack of SOC Prime's platform.
For convenient content search, all detections relevant to the latest UAC-0041 activity are tagged #UAC-0041. Registration with SOC Prime's Detection as Code platform is required to access the detection algorithms referenced above.
Security practitioners can also search for IcedID-related threats in their cloud-native environments via SOC Prime's Quick Hunt module using the above-mentioned detections.
In this blog article, we also cover the context of the latest cyber-attack involving the distribution of the IcedID malware based on the MITRE ATT&CK framework and adversary TTPs. All dedicated Sigma-based detection rules are aligned with the latest ATT&CK framework version and address the following tactics and techniques:
Scheduled Task/Job (T1053)
Command and Scripting Interpreter (T1059)
Signed Binary Proxy Execution (T1218)
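The macro-to-loader chain described above, expressed as the kind of process-creation checks the three listed techniques call for, as an added example (my own code, not one of SOC Prime's Sigma rules and not material from the CERT-UA alert). It runs over a handful of constructed Sysmon-style process-creation records; the Office, interpreter and signed-proxy binary names it matches on are assumptions derived from the ATT&CK techniques T1059, T1218 and T1053, not indicators published for this campaign:

```python
"""Sigma-style process-creation checks for the macro -> loader chain.

Added example for this article; it is not one of SOC Prime's rules and
contains no IcedID code.  Events are constructed here in the shape of
Sysmon Event ID 1 (process creation) records.  The indicator process
names are assumptions taken from the ATT&CK techniques T1059, T1218 and
T1053 listed above, not from the CERT-UA alert.
"""
from pathlib import PureWindowsPath

# Office hosts from which a macro would launch the loader (assumption).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command and Scripting Interpreter (T1059).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Signed Microsoft binaries abused to execute a loader DLL or script (T1218).
PROXY_BINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}


def image_name(path: str) -> str:
    """Reduce an image path to its lower-case file name (e.g. WINWORD.EXE)."""
    return PureWindowsPath(path).name.lower()


def evaluate(events):
    """Apply the three checks to process-creation events, oldest first.

    Returns a list of (ProcessId, rule name, ATT&CK technique).  A process is
    tracked as 'tainted' when it is flagged or when its parent is tainted, so
    a scheduled task created several hops below the Office process is still
    attributed to the chain rather than judged only by its direct parent.
    """
    tainted = set()   # ProcessIds belonging to a suspicious chain
    hits = []
    for ev in events:
        parent = image_name(ev["ParentImage"])
        child = image_name(ev["Image"])
        cmd = ev.get("CommandLine", "").lower()
        pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
        suspicious_parent = parent in OFFICE_APPS or ppid in tainted

        rule = None
        if suspicious_parent and child in SCRIPT_HOSTS:
            rule = ("Office-chain scripting interpreter", "T1059")
        elif suspicious_parent and child in PROXY_BINS:
            rule = ("Office-chain signed binary proxy execution", "T1218")
        elif suspicious_parent and child == "schtasks.exe" and "/create" in cmd:
            rule = ("Scheduled task created from Office chain", "T1053")

        if rule or ppid in tainted:
            tainted.add(pid)
        if rule:
            hits.append((pid, rule[0], rule[1]))
    return hits


# Constructed sample telemetry (not real log data): a user opens a macro
# document, the macro runs cmd.exe, which starts rundll32.exe on a dropped
# DLL, which registers a scheduled task.  Two benign events are included to
# show that the same binaries launched from a normal parent are not flagged.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\user\Downloads\invoice.docm'},
    {"ProcessId": 4212, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c rundll32.exe C:\Users\Public\loader.dll,#1"},
    {"ProcessId": 4300, "ParentProcessId": 4212,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\loader.dll,#1"},
    {"ProcessId": 4410, "ParentProcessId": 4300,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"schtasks.exe /create /sc hourly /tn Updater /tr C:\Users\Public\loader.dll"},
    # Benign: rundll32.exe started by a service host, not from Office.
    {"ProcessId": 5000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Benign: an administrator opens PowerShell from the desktop.
    {"ProcessId": 5100, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for pid, name, technique in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {name} [{technique}]")
```

Two design points are worth noting. First, every check is keyed on the parent, which is what keeps the benign rundll32.exe and powershell.exe events quiet; in Sigma terms this is the `ParentImage|endswith` selection that such rules carry. Second, a rule that only inspects the direct parent would miss the schtasks.exe launched by rundll32.exe, since rundll32.exe is not an Office binary; carrying the chain state forward is what lets the T1053 hit be tied back to the macro document.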