diff --git a/TA551/2020-09-21-TA551-IOCs-for-IcedID.txt b/TA551/2020-09-21-TA551-IOCs-for-IcedID.txt
index c8f97789..8177acd1 100644
--- a/TA551/2020-09-21-TA551-IOCs-for-IcedID.txt
+++ b/TA551/2020-09-21-TA551-IOCs-for-IcedID.txt
@@ -1,60 +1,60 @@
-2020-09-21 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
-
-CHAIN OF EVENTS:
-
-- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
-
-12 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
-
-- 9f240737183f8b52fc33daa475e11a3fc0655538728e56edc71ff49626549ada certificate 09.20.doc
-- 2d2f0a3e263c64c98457a3d4bce8a22d53d1c7f9c2326dcdd1578cb5037587fe commerce -09.21.2020.doc
-- 3e12c287478608aafc8ef1abeba25c526863e9e47d78d314cfc20077d73ae653 commerce ,09.20.doc
-- 562956706eb0b658fcad5f23d11c4a8670dda18666b04bf7127f9b1ac1be8907 docs.09.21.20.doc
-- 2925f852e2fc04c4849b5e47306373837305d9bf003e79ceb08762b505759259 document,09.20.doc
-- 0f9ae46bd910f799fd11c5cc46f7c3ffbc0a2f7280cc3fe867b763a5f5f64258 inquiry_09.20.doc
-- c37dd0bbd07f3acedf516c07c3fdc023b0ba5082c3959ddda9498fa6c52df09f instrument_indenture,09.20.doc
-- ad33adc035c689f4ab8f1d3cd49027b9ef804bb60c9a44bff2be585c02e794b3 legal agreement 09.21.2020.doc
-- 749140091ae47c29826a9f92a19381e060eff987299c2eb521f9ce833b2954f2 material_09.20.doc
-- c388475c08bcac2336e8b1efdf524d12a6194818e3c8194516b953fba654ac8f prescribe 09.20.doc
-- 8e9e0af52ff82cdc71e27bf27b157ef3adc00d3078a949d4deeb16a5e4225874 require 09.21.2020.doc
-- c3da3134de3b14d168e4e0f29c7c893ff3920b9d5ed6e566e0e15c4348ad9659 statistics,09.20.doc
-
-AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:
-
-- csxciyt[.]com - 83.166.214[.]17
-- dsb5vd[.]com - 185.159.129[.]44
-- f9pv81[.]com - 185.219.40[.]246
-- hq1m7wt[.]com - 37.230.117[.]49
-- ldzcb4[.]com - 185.135.81[.]234
-- lkcij4k[.]com - 185.87.51[.]204
-- k21ddmo[.]com - 212.109.221[.]95
-- mwd3sq[.]com - 194.31.237[.]38
-- q9d2ya[.]com - 80.87.197[.]19
-- rb16q6a[.]com - 89.223.100[.]173
-
-URLS FOR ICEDID DLL:
-
-- GET /foqa/kucow.php?l=kofo1.cab
-- GET /foqa/kucow.php?l=kofo2.cab
-- GET /foqa/kucow.php?l=kofo3.cab
-- GET /foqa/kucow.php?l=kofo4.cab
-- GET /foqa/kucow.php?l=kofo5.cab
-- GET /foqa/kucow.php?l=kofo6.cab
-- GET /foqa/kucow.php?l=kofo7.cab
-- GET /foqa/kucow.php?l=kofo8.cab
-- GET /foqa/kucow.php?l=kofo9.cab
-- GET /foqa/kucow.php?l=kofo10.cab
-- GET /foqa/kucow.php?l=kofo11.cab
-- GET /foqa/kucow.php?l=kofo12.cab
-- GET /foqa/kucow.php?l=kofo13.cab
-- GET /foqa/kucow.php?l=kofo14.cab
-- GET /foqa/kucow.php?l=kofo15.cab
-- GET /foqa/kucow.php?l=kofo16.cab
-- GET /foqa/kucow.php?l=kofo17.cab
-- GET /foqa/kucow.php?l=kofo18.cab
-
-12 EXAMPLES OF ICEDID INSTALLER DLLS:
-
+2020-09-21 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
+
+CHAIN OF EVENTS:
+
+- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
+
+12 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
+
+- 9f240737183f8b52fc33daa475e11a3fc0655538728e56edc71ff49626549ada certificate 09.20.doc
+- 2d2f0a3e263c64c98457a3d4bce8a22d53d1c7f9c2326dcdd1578cb5037587fe commerce -09.21.2020.doc
+- 3e12c287478608aafc8ef1abeba25c526863e9e47d78d314cfc20077d73ae653 commerce ,09.20.doc
+- 562956706eb0b658fcad5f23d11c4a8670dda18666b04bf7127f9b1ac1be8907 docs.09.21.20.doc
+- 2925f852e2fc04c4849b5e47306373837305d9bf003e79ceb08762b505759259 document,09.20.doc
+- 0f9ae46bd910f799fd11c5cc46f7c3ffbc0a2f7280cc3fe867b763a5f5f64258 inquiry_09.20.doc
+- c37dd0bbd07f3acedf516c07c3fdc023b0ba5082c3959ddda9498fa6c52df09f instrument_indenture,09.20.doc
+- ad33adc035c689f4ab8f1d3cd49027b9ef804bb60c9a44bff2be585c02e794b3 legal agreement 09.21.2020.doc
+- 749140091ae47c29826a9f92a19381e060eff987299c2eb521f9ce833b2954f2 material_09.20.doc
+- c388475c08bcac2336e8b1efdf524d12a6194818e3c8194516b953fba654ac8f prescribe 09.20.doc
+- 8e9e0af52ff82cdc71e27bf27b157ef3adc00d3078a949d4deeb16a5e4225874 require 09.21.2020.doc
+- c3da3134de3b14d168e4e0f29c7c893ff3920b9d5ed6e566e0e15c4348ad9659 statistics,09.20.doc
+
+AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:
+
+- csxciyt[.]com - 83.166.214[.]17
+- dsb5vd[.]com - 185.159.129[.]44
+- f9pv81[.]com - 185.219.40[.]246
+- hq1m7wt[.]com - 37.230.117[.]49
+- ldzcb4[.]com - 185.135.81[.]234
+- lkcij4k[.]com - 185.87.51[.]204
+- k21ddmo[.]com - 212.109.221[.]95
+- mwd3sq[.]com - 194.31.237[.]38
+- q9d2ya[.]com - 80.87.197[.]19
+- rb16q6a[.]com - 89.223.100[.]173
+
+URLS FOR ICEDID DLL:
+
+- GET /foqa/kucow.php?l=kofo1.cab
+- GET /foqa/kucow.php?l=kofo2.cab
+- GET /foqa/kucow.php?l=kofo3.cab
+- GET /foqa/kucow.php?l=kofo4.cab
+- GET /foqa/kucow.php?l=kofo5.cab
+- GET /foqa/kucow.php?l=kofo6.cab
+- GET /foqa/kucow.php?l=kofo7.cab
+- GET /foqa/kucow.php?l=kofo8.cab
+- GET /foqa/kucow.php?l=kofo9.cab
+- GET /foqa/kucow.php?l=kofo10.cab
+- GET /foqa/kucow.php?l=kofo11.cab
+- GET /foqa/kucow.php?l=kofo12.cab
+- GET /foqa/kucow.php?l=kofo13.cab
+- GET /foqa/kucow.php?l=kofo14.cab
+- GET /foqa/kucow.php?l=kofo15.cab
+- GET /foqa/kucow.php?l=kofo16.cab
+- GET /foqa/kucow.php?l=kofo17.cab
+- GET /foqa/kucow.php?l=kofo18.cab
+
+12 EXAMPLES OF ICEDID INSTALLER DLLS:
+
 - 1d916a05e07aa61bb84504cd7cf70e920549dde98a3eafebfde3e13d3137df24
 - 2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236
 - 30ac7415f1cdd5984cdfe15961eb46211c444786c453cfe8525dacd7c76c28b6
@@ -66,58 +66,58 @@ URLS FOR ICEDID DLL:
 - c24e8099dffe2d9ddebc10b44b6d992043a7a88f0c24bdd7b462e750813dd92e
 - c53e0f2ba4d0ff61ed41d31cb5671c96ba8a98afbf32f1e76cd88e5061c20370
 - d4daab6448cab62e16091169f451e9b455a3607df6ceabccdd0610473d419a6c
-- ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d
-
-EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILE:
-
-- C:\ProgramData\b467e.pdf
-- C:\ProgramData\cbd30.pdf
-- C:\ProgramData\dbf1f.pdf
-- C:\ProgramData\e325b.pdf
-- C:\ProgramData\ff2ac.pdf
-- C:\ProgramData\ffadc.pdf
-
-DLL RUN METHOD:
-
-- regsvr32.exe [filename]
-
-AT LEAST x DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
-
-- 142.93.218[.]110 port 443 - ldrphound[.]casa - GET /background.png
-- 142.93.218[.]110 port 443 - ldrpeso[.]casa - GET /background.png
-- 134.122.55[.]164 port 443 - ldrruble[.]casa - GET /background.png
-
-SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1 OF 2):
-
-- 4aa11721ca11223bc5dd7d756c7fe5cc9d2d05d7e20f1e0b66c68fd0d59fb172 (initial)
-- 4ab7976b062def0c7c1231e2a8d663c8a2e0c14f305b573dbc0b8ff49d10f3ba (persistent)
-
-HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
-
-- 134.122.101[.]157 port 443 - likofedo[.]club
-- 134.122.101[.]157 port 443 - doremifasol[.]online
-- 134.122.101[.]157 port 443 - 10hesadety[.]pw
-- 134.122.101[.]157 port 443 - bcertyou[.]cyou
-- 134.122.101[.]157 port 443 - 85.vumbut[.]best
-
-SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2 OF 2):
-
-- 5892f7ad0218286a2e52a5eedbea62c80532a70fa51b2d202b38ad2fcf61cedb (initial)
-- aa1c66821155d2d77cdc8e114c2b9cdf5bcc5ea35ecfd7d3681e254882080cca (persistent)
-
-HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
-
-- 161.35.33[.]38 port 443 - gaagachelo[.]cyou
-- 161.35.33[.]38 port 443 - odnovoennbundes[.]cyou
-- 161.35.33[.]38 port 443 - obnaprimezert[.]cyou
-- 161.35.33[.]38 port 443 - sprbumazna[.]club
-- 161.35.33[.]38 port 443 - uragapediculez[.]top
-
-HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:
-
-- port 443 - www.intel.com
-- port 443 - support.oracle.com
-- port 443 - www.oracle.com
-- port 443 - support.apple.com
-- port 443 - support.microsoft.com
-- port 443 - help.twitter.com
\ No newline at end of file
+- ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d
+
+EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILE:
+
+- C:\ProgramData\b467e.pdf
+- C:\ProgramData\cbd30.pdf
+- C:\ProgramData\dbf1f.pdf
+- C:\ProgramData\e325b.pdf
+- C:\ProgramData\ff2ac.pdf
+- C:\ProgramData\ffadc.pdf
+
+DLL RUN METHOD:
+
+- regsvr32.exe [filename]
+
+AT LEAST x DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
+
+- 142.93.218[.]110 port 443 - ldrphound[.]casa - GET /background.png
+- 142.93.218[.]110 port 443 - ldrpeso[.]casa - GET /background.png
+- 134.122.55[.]164 port 443 - ldrruble[.]casa - GET /background.png
+
+SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1 OF 2):
+
+- 4aa11721ca11223bc5dd7d756c7fe5cc9d2d05d7e20f1e0b66c68fd0d59fb172 (initial)
+- 4ab7976b062def0c7c1231e2a8d663c8a2e0c14f305b573dbc0b8ff49d10f3ba (persistent)
+
+HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
+
+- 134.122.101[.]157 port 443 - likofedo[.]club
+- 134.122.101[.]157 port 443 - doremifasol[.]online
+- 134.122.101[.]157 port 443 - 10hesadety[.]pw
+- 134.122.101[.]157 port 443 - bcertyou[.]cyou
+- 134.122.101[.]157 port 443 - 85vumbut[.]best
+
+SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2 OF 2):
+
+- 5892f7ad0218286a2e52a5eedbea62c80532a70fa51b2d202b38ad2fcf61cedb (initial)
+- aa1c66821155d2d77cdc8e114c2b9cdf5bcc5ea35ecfd7d3681e254882080cca (persistent)
+
+HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
+
+- 161.35.33[.]38 port 443 - gaagachelo[.]cyou
+- 161.35.33[.]38 port 443 - odnovoennbundes[.]cyou
+- 161.35.33[.]38 port 443 - obnaprimezert[.]cyou
+- 161.35.33[.]38 port 443 - sprbumazna[.]club
+- 161.35.33[.]38 port 443 - uragapediculez[.]top
+
+HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:
+
+- port 443 - www.intel.com
+- port 443 - support.oracle.com
+- port 443 - www.oracle.com
+- port 443 - support.apple.com
+- port 443 - support.microsoft.com
+- port 443 - help.twitter.com
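Review bot: The one indicator that actually changes in this hunk, `85.vumbut[.]best` becoming `85vumbut[.]best` in the Example-1 C2 domain list, is buried among 54 lines that are removed and re-added byte-for-byte (apparently a line-ending or trailing-newline normalisation, given the old side's `\ No newline at end of file`), so anyone consuming this IOC list from git history cannot tell a corrected indicator from a whitespace change. A separate commit for the normalisation, or at least a commit message naming the corrected domain, would let downstream feeds re-key on the fixed value rather than keep the old one. Presumably the leading dot was a transcription error and the new spelling matches the observed TLS SNI; worth confirming against the capture before it propagates. The `AT LEAST x DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:` header still carries the placeholder `x` although three URLs are listed under it; `AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:` would match the numbered headers elsewhere in the file.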