Indicators of Compromise Associated with IcedID

Fortify Security Team
Sep 28, 2021

FBI reporting has indicated a recent increase in IcedID malware acting as a “dropper,” infecting victims with additional malware. Examples of ransomware variants dropped by IcedID include Defray777, GlobeImposter, Cuba, Conti, and REvil (aka Sodinokibi). First reported in late 2017, IcedID (also known as BokBot) has been known as a banking trojan that targets victims with a redirect attack. When a victim uses an infected computer to access an online banking platform, IcedID redirects victims to a visually identical fake banking website. The fake website solicits login credentials from the victim and then shows an error message, leading the victim to believe the website is malfunctioning. Meanwhile, the actor(s) behind the fake website obtain and use the user’s credentials to access the victim’s bank account.

Initial IcedID infections often result from emails containing a zipped Microsoft Excel or Word document with a generic name and possibly a date. The password for the zipped file is in the content of the email. The Excel or Word document has a graphic stating it was created in an older version of Excel or Word and requests the user click “Enable Content” in order to display the document. Cyber actors also target organizations by embedding malicious “Contact Us” links into emails through public domains. Cyber actors deliver IcedID using Emotet, Trickbot, and TA551 (also known as Shathak and GoldCabin). TA551 is an email-based malware distribution campaign that has exclusively pushed IcedID since mid-July 2020.
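The lure described above (a zipped Office document, password in the message body, macro bait inside) can be triaged at the mail gateway. The following is an added example, not code from the advisory: it parses a raw message, inspects any zip attachment for Office documents and the encryption flag, and looks for a password stated in the body. The sample message, file names and addresses are constructed for the test.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Lure traits from the advisory: a zip holding a generically named Office document,
# password-protected, with the archive password given in the email body.
OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm", ".xlsb")
PASSWORD_RE = re.compile(r"\bpass(?:word|code)?\s*(?:is|:)\s*(\S+)", re.I)
def triage_message(raw: bytes) -> dict:
    """Triage one raw RFC 822 message; returns what a mail gateway could log."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    pw = PASSWORD_RE.search(body.get_content() if body else "")
    result = {"password_in_body": pw.group(1) if pw else None, "archives": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_content()))
        except zipfile.BadZipFile:
            result["archives"].append({"name": name, "error": "unparseable zip"})
            continue
        # Bit 0 of the general-purpose flag marks a password-protected entry.
        entries = [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
        result["archives"].append({
            "name": name, "encrypted": any(enc for _, enc in entries),
            "office_docs": [f for f, _ in entries if f.lower().endswith(OFFICE_EXT)]})
    # Flag an Office document in a zip that is encrypted or has its password in the body.
    result["suspicious"] = any(
        a.get("office_docs") and (a["encrypted"] or result["password_in_body"])
        for a in result["archives"])
    return result

def build_sample_eml() -> bytes:
    """Constructed test message (not a real IcedID sample): zipped .xlsm, password in body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document-09-28.xlsm", b"placeholder bytes, not a real workbook")
    data = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives, so set the encryption flag bit by hand in
    # the local file header (flags at offset 6) and central directory entry (offset 8).
    data[data.find(b"PK\x03\x04") + 6] |= 0x1
    data[data.find(b"PK\x01\x02") + 8] |= 0x1
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Re: invoice", "a@example.com", "b@example.com"
    msg.set_content("Hi, see the attached document. Password: 7781")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="document_0928.zip")
    return msg.as_bytes()
```

A zip the gateway cannot open because it is encrypted is itself the signal here; the password in the body is what lets a sandbox or analyst open it.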

Through industry partners and open source information, the tier one C2 domains are easily identifiable and fall into two to three different categories. While naming conventions differ by researcher, the first set of tier one C2 domains stage the initial component of the IcedID malware, which is pulled down to a victim by the malicious Microsoft Word or Excel attachments. These C2s are typically valid for approximately 24 hours. The second set of tier one C2 domains stage the GZIP loader that is pulled down to a victim by the initial IcedID component. These C2s are also valid for approximately 24 hours. The final set of tier one C2 domains are the core or victim (bot) control C2s. These C2s change less often and can be valid for two or more weeks.

For the second tier of infrastructure, there are two different components: inject panel domains and tier 2 servers or proxies. Inject panel domains control which web injects, or fake websites, the victim will be targeted with. These domains are likely proxies to higher tiered infrastructure. Tier 2 servers are proxies between the tier one C2 domains of all types and the backend infrastructure at higher tiers. As of the date of this FLASH, the use of web injects by IcedID has significantly dropped, and these domains are less likely to be seen by victims. Instead, the FBI has identified an increased use of tier 2 servers or proxies to target victims.

Indicators of Compromise
Victims of IcedID may see C2 domains in their network traffic. IcedID C2 domains change frequently, and are only active for short periods. Network defenders should visit trusted security vendor websites or blogs for current or breaking information.
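Because the advisory states that tier one staging C2s are valid for roughly 24 hours while bot control C2s last two or more weeks, a retrospective hunt over DNS logs should record whether each hit falls inside the expected activity window of that domain's tier. The following is an added example, not code from the advisory; the IOC feed entries, tier labels and resolver log lines are constructed placeholders, and the windows are taken from the paragraphs above.

```python
from datetime import datetime, timedelta

# Approximate activity windows the advisory gives for each tier one C2 role.
TIER_WINDOW = {"stager": timedelta(hours=24), "loader": timedelta(hours=24),
               "bot": timedelta(days=14)}

# Constructed IOC feed (placeholder names, not the advisory's list):
# domain -> (tier, first seen, UTC)
IOC_FEED = {
    "stage-example.invalid": ("stager", datetime(2021, 8, 1, 9, 0)),
    "loader-example.invalid": ("loader", datetime(2021, 8, 1, 10, 0)),
    "bot-example.invalid": ("bot", datetime(2021, 8, 1, 0, 0)),
}

# Constructed resolver log lines: "<timestamp> <client ip> <query name>"
DNS_LOG = """\
2021-08-01T10:15:00 10.0.0.15 stage-example.invalid
2021-08-01T10:16:30 10.0.0.15 cdn.loader-example.invalid
2021-08-09T08:00:00 10.0.0.15 bot-example.invalid
2021-08-20T08:00:00 10.0.0.22 stage-example.invalid
2021-08-20T08:05:00 10.0.0.22 www.example.com
"""

def match_ioc(qname):
    """Return the feed domain that qname equals or is a subdomain of, else None."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):          # never match a bare TLD
        cand = ".".join(parts[i:])
        if cand in IOC_FEED:
            return cand
    return None

def hunt(log_text):
    """Match each query against the feed and tag the hit with its window status."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        dom = match_ioc(qname)
        if dom is None:
            continue
        tier, first_seen = IOC_FEED[dom]
        when = datetime.fromisoformat(ts)
        in_window = first_seen <= when <= first_seen + TIER_WINDOW[tier]
        hits.append({"client": client, "domain": dom, "tier": tier, "time": ts,
                     "status": "active-window" if in_window else "outside-window"})
    return hits
```

A hit tagged outside-window is not noise, but it more often means the feed entry is stale or the domain has since been re-registered, which is why the advisory points defenders to current vendor reporting rather than a fixed list.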

The following are characteristics of an IcedID compromise:

C2 Domains Distributing IcedID Payload on or after August 1, 2021

Hash Values of IcedID Binaries as of August 1, 2021

Recommended Mitigations

  • Be wary of thread hijacking, where actors reply to legitimate previous conversations within a victim’s email in order to send additional phishing emails within a network from the victim’s account. If receiving a zipped document from an email previously communicated with, verify the document originated from the sender via another form of communication.
  • Be wary of the “Enable Content” feature in Microsoft attachments. Clicking this button enables the IcedID payload to download to a victim machine.
  • Back up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Use two-factor authentication with strong passwords, including for remote access services.
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.
  • Keep computers, devices, and applications patched and up-to-date.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Review the following additional resources.
    • The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
    • The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center Joint Ransomware Guide covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.
    • gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.

If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.

  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
  • Turn off other computers and devices. Power off and segregate (i.e., remove from the network) the infected computer(s). Power off and segregate any other computers or devices that share a network with the infected computer(s) and that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.
