Operators behind the IcedID trojan are using a variety of tactics in an attempt to determine which works best against different targets. According to researchers, the attackers launched several campaigns in September, each using a different infection pathway, which is believed to help them evaluate the effectiveness of their malware delivery methods.
Diving into delivery tactics
Between September 13 and 21, researchers at Team Cymru observed several different methods being used to deliver the IcedID trojan to targeted systems.
A majority of the delivery methods leveraged password-protected ZIP files to launch malicious files in the initial stage of the infection chain.
While some of these ZIP files delivered an LNK file that launched either a CMD or BAT script, others contained an ISO image that ultimately launched the DLL payload and completed the infection.
In some cases, users received either a malicious Word or Excel file that asked them to enable macros, which then allowed the embedded script to execute and install IcedID.
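The three delivery chains described above (ZIP to LNK to CMD/BAT script, ZIP to ISO to DLL, and Office macro to script host) each leave a recognisable parent/child pattern in process-creation telemetry. The following detection logic is an added example written for this page, not code from Team Cymru or the original report; the events it scans are constructed Sysmon-style records, and the thresholds and path patterns are assumptions chosen to illustrate the idea (the `Temp1_<archive>.zip` staging directory is the one Windows Explorer uses when a file is opened directly from a compressed folder).

```python
"""Flag IcedID-style delivery stages in process-creation events (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # newly created process image path
    cmdline: str  # command line of the new process


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# DLLs loaded from these roots are treated as trusted (assumption for the example)
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Explorer stages files opened straight out of a ZIP under %TEMP%\Temp<N>_<archive>.zip\
ZIP_STAGING = re.compile(r"\\appdata\\local\\temp\\temp\d*_[^\\]+\.zip\\", re.I)
SCRIPT_FILE = re.compile(r"\.(bat|cmd)\b", re.I)
DLL_PATH = re.compile(r"([a-z]:\\[^\s\",]+\.dll)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the names of every delivery-stage rule the event matches."""
    hits = []
    parent, image, cmd = basename(ev.parent), basename(ev.image), ev.cmdline
    # Office document -> macro -> script host (Word/Excel lure with macros enabled)
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_macro_spawn")
    # LNK double-clicked in Explorer -> cmd.exe running a .bat/.cmd straight out of a ZIP
    if (parent == "explorer.exe" and image == "cmd.exe"
            and SCRIPT_FILE.search(cmd) and ZIP_STAGING.search(cmd)):
        hits.append("script_run_from_zip_staging")
    # DLL executed from a mounted ISO (D:, E:, ...) or any other untrusted directory
    if image in DLL_LOADERS:
        m = DLL_PATH.search(cmd)
        if m and not m.group(1).lower().startswith(TRUSTED_DLL_DIRS):
            hits.append("dll_from_untrusted_path")
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event that matched at least one rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


# Constructed sample telemetry: three malicious stages and one benign rundll32 use
EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
              "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_invoice_0921.zip\\run.bat"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe E:\\docs\\helper.dll,#1"),
    ProcEvent("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
              "C:\\Windows\\System32\\wscript.exe",
              "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.vbs"),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, hits in scan(EVENTS):
        print(idx, EVENTS[idx].cmdline, "->", hits)
```

Each rule is deliberately narrow: the ZIP-staging rule only fires when Explorer launches cmd.exe against a script still inside the archive, and the DLL rule ignores anything under the Windows or Program Files trees, so the benign shell32.dll invocation in the sample set is not reported.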
Domain reuse and short-lived IP addresses
Besides using a variety of files, the operators were also found experimenting with IP addresses and domain reuse for their C2 servers.
The attackers were found registering fresh domains for C2, instead of relying on the old ones.
Another notable change was the shorter lifespan of the IP addresses used for the C2 server, which also helped the attackers evade detection. Previously, they had used a unique IP address for each campaign.
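Short-lived C2 IP addresses and freshly registered domains are both visible in passive-DNS and WHOIS data, which suggests a simple dwell-time heuristic for defenders. The code below is an added example written for this page, not part of the Team Cymru research; the observation records, registration dates, `.invalid` domain names and documentation-range IP addresses are all constructed, and the 3-day dwell and 30-day domain-age thresholds are assumptions a team would tune against its own data.

```python
"""Flag C2 domains that rotate through short-lived IPs or were newly registered (added example)."""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style observations: (domain, ip, first_seen, last_seen)
OBSERVATIONS = [
    ("example-c2-a.invalid", "203.0.113.10", date(2022, 9, 13), date(2022, 9, 14)),
    ("example-c2-a.invalid", "203.0.113.22", date(2022, 9, 15), date(2022, 9, 16)),
    ("example-c2-a.invalid", "198.51.100.7", date(2022, 9, 17), date(2022, 9, 21)),
    ("long-lived.invalid", "192.0.2.50", date(2022, 1, 1), date(2022, 9, 21)),
]

# Constructed WHOIS-style registration dates
REGISTERED = {
    "example-c2-a.invalid": date(2022, 9, 10),
    "long-lived.invalid": date(2019, 4, 2),
}


def ip_dwell_days(observations):
    """Per domain, list of (ip, number of days that IP was seen resolving it)."""
    dwell = defaultdict(list)
    for domain, ip, first, last in observations:
        dwell[domain].append((ip, (last - first).days + 1))
    return dict(dwell)


def flag_churning_domains(observations, registered,
                          max_dwell_days=3, max_domain_age_days=30):
    """Return {domain: [reasons]} for domains showing C2-style infrastructure churn."""
    findings = {}
    for domain, ips in ip_dwell_days(observations).items():
        reasons = []
        # Two or more IPs that each lasted only a few days: the rotation pattern described above
        short_lived = [ip for ip, days in ips if days <= max_dwell_days]
        if len(ips) >= 2 and len(short_lived) >= 2:
            reasons.append("rotates_short_lived_ips")
        # Domain registered shortly before the first time it was seen resolving
        first_contact = min(first for d, _, first, _ in observations if d == domain)
        reg = registered.get(domain)
        if reg is not None and (first_contact - reg).days <= max_domain_age_days:
            reasons.append("newly_registered")
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in flag_churning_domains(OBSERVATIONS, REGISTERED).items():
        print(domain, "->", ", ".join(reasons))
```

The long-lived domain in the sample data has a single IP that resolved for months and a registration years old, so neither heuristic fires for it; the constructed C2 domain trips both.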
Delivery through PrivateLoader
In multiple instances, the trojan was also delivered through PrivateLoader. The malware loader was distributed disguised as free game software that looked convincing to users.
Potential victims
English and Italian speakers were the primary targets of these campaigns. While the Italian lure took the form of a malicious document file, English-speaking targets were lured with a password-protected ZIP file. Additionally, researchers indicated that the threat actors had used a variety of malicious documents as lures against their victims, and that this may influence their future actions.
Conclusion
As all of the delivery methods begin with a phishing email, the best way to minimize the chance of infection is to examine incoming emails carefully. Users must look for signs of fraud or phishing and treat all unsolicited email communications with caution. Furthermore, one effective way to quickly detect and mitigate phishing attacks is to leverage the threat intelligence operationalization and automated response capabilities of cyber fusion centers (CFCs).