Security researchers have identified a sudden surge in IcedID email thread hijacking activity. IcedID, a.k.a. BokBot, has been operating since 2017. It has gradually evolved from a regular banking trojan into a sophisticated loader that hijacks ongoing email conversations, injecting malicious replies into existing threads through a network of compromised Microsoft Exchange servers.
The macro-laden Word documents used in earlier campaigns have been replaced by ISO images containing a Windows LNK file and a DLL; when the LNK is opened it launches the DLL, and the pair evades detection and runs quietly without the victim noticing. The most frequently targeted sectors include legal, healthcare, pharmaceutical, and energy. The primary goal is initial access, which is then sold to other adversaries.
The latest Sigma-based detection rule for spotting IcedID defense evasion activity was written by our Threat Bounty developer Osman Demir. Log into your SOC Prime account or sign up for the platform to access the code along with relevant cyber threat intelligence:
Suspicious IcedID (Bokbot) Defense Evasion by DLL Execution with regsvr32.exe (via process_creation)
This detection item is translated into the following SIEM, EDR & XDR formats: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, LimaCharlie, Sumo Logic, ArcSight, QRadar, Humio, Microsoft Defender for Endpoint, CrowdStrike, Devo, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix, AWS OpenSearch.
The rule is aligned with the latest MITRE ATT&CK® framework v10, addressing the Defense Evasion tactic and the Signed Binary Proxy Execution (T1218) technique.
IcedID was first documented by IBM in 2017 and since then, adversaries have been improving their techniques and malware modifications. You can see the comprehensive list of detection algorithms available in the SOC Prime’s Detection as Code platform to continuously protect your infrastructure against complex cyber threats. And if you have expertise in this field, you can contribute to publishing content on our platform as well, gaining monetary rewards for making the cyber world a safer place.
IcedID payload delivery starts with a phishing email. The message prompts the user to download and unpack an attached ZIP archive that is protected with a password given in the body of the message. As mentioned above, the email arrives as a reply to an ongoing conversation thread and carries a legitimate sender address; in reality it is a forged message sent from a compromised Microsoft Exchange server.
The malicious ZIP archive contains a single ISO image, which in turn contains two files: a DLL and an LNK. According to the file timestamps, the DLL is usually newer than the LNK, which suggests the same LNK is reused across multiple phishing emails. The LNK carries an embedded icon that makes it look like a document. When the user opens it, it launches the DLL through regsvr32.exe (the behaviour targeted by the rule above); the IcedID loader inside the DLL then starts executing and downloads the main IcedID payload.
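The execution chain above (an LNK on a mounted ISO handing a DLL to regsvr32.exe) is what a process_creation rule like the one listed earlier keys on. The following is an added example written for this page, not the Threat Bounty rule itself and not code from any vendor: a small Python detector that implements the same kind of logic over constructed process-creation events. It treats a regsvr32.exe module loaded from a non-system drive letter (where a mounted ISO lands) or from a user-writable directory as suspicious, ignores DLLs under Windows and Program Files, and records supporting indicators such as the silent `/s` flag and an explorer.exe parent. Field names, thresholds and the sample events are all assumptions.

```python
"""Detect regsvr32.exe loading a DLL from an unusual location (added example).

Models the LNK -> regsvr32.exe -> DLL chain described above. The rule logic
and the sample events are constructed for illustration; they are not the
SOC Prime rule and not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process_creation record (assumed field names)."""
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# DLLs registered from these locations are routine (installers, Windows servicing).
TRUSTED_DIR_RE = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
# A mounted ISO or removable media receives a drive letter other than C:.
NON_SYSTEM_DRIVE_RE = re.compile(r"^[d-z]:\\", re.I)
# Locations an unprivileged user (or a phishing attachment) can write to.
USER_WRITABLE_RE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
SILENT_FLAG_RE = re.compile(r"(?:^|\s)/s(?:\s|$)", re.I)


def extract_module_path(command_line: str) -> Optional[str]:
    """Return the first non-switch argument of a regsvr32 command line.

    Handles quoted paths containing spaces; the first token is regsvr32 itself.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue  # /s, /u, /i:..., /n are switches, not the module
        return tok
    return None


def score_regsvr32(evt: ProcessEvent) -> List[str]:
    """Return the list of reasons an event is suspicious (empty if benign)."""
    if not evt.image.lower().endswith("\\regsvr32.exe"):
        return []
    module = extract_module_path(evt.command_line)
    if module is None or TRUSTED_DIR_RE.match(module):
        return []

    reasons: List[str] = []
    if NON_SYSTEM_DRIVE_RE.match(module):
        reasons.append("module on non-system drive (mounted ISO or removable media)")
    if USER_WRITABLE_RE.match(module):
        reasons.append("module in user-writable directory")
    if not reasons:
        return []  # location is the primary signal; flags alone do not alert

    # Supporting indicators, reported for triage but not sufficient on their own.
    if SILENT_FLAG_RE.search(evt.command_line):
        reasons.append("silent registration (/s)")
    if evt.parent_image.lower().endswith("\\explorer.exe"):
        reasons.append("spawned by explorer.exe (consistent with an LNK double-click)")
    return reasons


def detect(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Run the rule over a batch and return (index, reasons) for each hit."""
    hits = []
    for i, evt in enumerate(events):
        reasons = score_regsvr32(evt)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "E:\Contract_Renewal.dll"',
                 r"C:\Windows\explorer.exe"),                      # ISO-style delivery
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
                 r"C:\Windows\System32\msiexec.exe"),               # benign installer
    ProcessEvent(r"C:\Windows\SysWOW64\regsvr32.exe",
                 r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\update.dll",
                 r"C:\Windows\System32\cmd.exe"),                   # dropped to Temp
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe E:\Contract_Renewal.dll,DllMain",
                 r"C:\Windows\explorer.exe"),                      # not regsvr32
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line}")
        for r in why:
            print(f"    - {r}")
```

The location check is deliberately the gate: `/s` and an explorer.exe parent are common in benign registrations, so they are attached as context rather than used as triggers. In a real deployment the trusted-path allowlist would need tuning for software that legitimately registers COM servers from its own install directory outside Program Files.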
The loader resolves the Windows API functions it needs through API hashing (comparing hashes of export names instead of storing the names in clear text), then locates the embedded payload, decrypts it into memory, and executes it. From that point the IcedID GZiploader stage can send requests to a command and control (C&C) server and receive responses.
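To make the API-hashing step concrete, here is an added example written for this page; it is not IcedID's code and does not reproduce IcedID's actual hash function. It uses a generic ROR13 hash, a common choice in loaders and shellcode, with a constructed export list standing in for a parsed PE export directory. The loader side keeps only hashes, so no import names appear in the binary; the analyst side precomputes the same hashes for known exports to label the constants recovered from a sample.

```python
"""Generic API hashing, loader side and analyst side (added example).

The ROR13 hash and the export list below are illustrative assumptions;
they are not IcedID's algorithm or a real export table.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """Hash an ASCII export name: h = ror13(h) + byte, for each byte."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed stand-in for kernel32's export directory (assumption).
KERNEL32_EXPORTS = [
    "CreateFileW", "CreateThread", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
]


def resolve_by_hash(exports: Iterable[str], wanted: int) -> Optional[str]:
    """Loader side: walk the export names and return the one whose hash matches.

    A real loader would walk the PE export table in memory and return the
    function address; here the name is returned so the match is visible.
    """
    for name in exports:
        if ror13_hash(name) == wanted:
            return name
    return None


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for known exports."""
    return {ror13_hash(name): name for name in exports}


def label_hashes(found: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Label 32-bit constants pulled from a sample; unknown hashes stay as hex."""
    return [table.get(h, f"unknown_{h:08x}") for h in found]


# What the loader would embed instead of import names (computed here for clarity).
WANTED_HASHES = [ror13_hash(n) for n in ("VirtualAlloc", "VirtualProtect", "CreateThread")]

if __name__ == "__main__":
    for h in WANTED_HASHES:
        print(f"{h:08x} -> {resolve_by_hash(KERNEL32_EXPORTS, h)}")
    table = build_hash_table(KERNEL32_EXPORTS)
    print(label_hashes(WANTED_HASHES + [0xDEADBEEF], table))
```

The analyst-side table is the practical takeaway: once the hash routine is identified in a sample, hashing the exports of the usual system DLLs and looking up the recovered constants restores the import list that the loader deliberately hid.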
IcedID campaigns gained a new level of technical sophistication in March 2022, utilizing commodity packers and multiple stages to disguise the activity of IcedID info-stealing malware. Embrace the power of collaborative defense by joining SOC Prime’s Detection as Code platform and unlocking instant access to the most up-to-date detections on the fly.