During the coronavirus pandemic, several malware developers and operators have been attempting innovative ways to upgrade their arsenal and sharpen their attacks. Lately, the operators of the IcedID banking trojan, also known as BokBot, have also worked to enhance its obfuscation techniques.
It has been found that IcedID operators are now using password-protected email attachments, keyword obfuscation, and simple macro code to evade detection.
- The new attack campaign uses spam emails that purport to come from the accounting department of known businesses.
- The emails come with an attached password-protected zip file. The password protection is designed to prevent anti-malware analysis software from decrypting and analyzing the hidden malicious capabilities.
- The email body contains the password needed to open the zip file. The content is crafted in a way that helps bypass spam filters or phishing detection systems.
- This file contains a malicious Word document with macros designed to dowload the malware. So, part of the trick is to convince users to enable macros in Microsoft Office.
The DLL trick
To further dodge detection by anti-malware solutions, the IceID trojan uses a dynamic link library (DLL) as a part of its second-stage payload.
- The malicious DLL file is downloaded from an IP address located in Russia. This malicious file is also saved as a PDF to maintain persistence.
- When the second stage gets executed, it downloads the IcedID main module as a PNG file, spawns a msiexec.exe process, and injects the trojan into it.
- In mid-June 2020, a new version of IcedID trojan was found spreading across the U.S., leveraging the COVID-19 pandemic and the Family and Medical Leave Act (FMLA) as their theme.
- In May, the Valak malware was seen collaborating with IcedID and Ursnif malware, to target entities in the U.S. and Germany.
The developers of IcedID trojan have been continuously putting efforts in the evolution of this malware. And for this obvious reason, they are eager to capitalize on their efforts by earning profits via stolen banking credentials. In order to defend against it, security teams are recommended to be vigilant of malspam campaigns, keep a watch on their financial assets, and employ effective security tools to detect and block such malware threats.