On Monday 2019-12-23, a wave of malicious spam (malspam) was distributing IcedID malware, also known as Bokbot. Today's diary reviews recent infection activity by this malware.
But first I'll start with a poetic satire of "A Visit from St. Nicholas" by Clement Clarke Moore...
'Twas the week during Christmas, when all through the net
Windows and Office were run without care
Sysadmins weren't patching as well as they could be,
When what to our mailservers did soon appear?
They slipped past our mail filters as they all came,
With code full of exploits and great obfuscation,
One person was foolish and opened the Word doc,
His laptop infected, the malware spread quickly.
Provided a backdoor throughout all their networks,
The criminals were happy, their eyes shining bright.
Anyway, back to the malware... As I already mentioned, today's diary reviews recent infection activity by IcedID.
I don't have a copy of the malspam. However, an anonymous person submitted URLs that returned the associated Word docs to URLhaus. If you want to search for IcedID activity, search for items tagged as IcedID as shown here.
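To make that URLhaus tag search scriptable, here is an added example (not from this diary and not abuse.ch's own code) that filters an offline copy of the URLhaus CSV export for a tag such as IcedID and defangs the matched URLs for a report. The column layout follows the export's own header line; the feed excerpt, the URLs, the entry IDs and the timestamps are constructed for illustration and are not real URLhaus records.

```python
import csv

# Column order of the public URLhaus CSV export, taken from the feed's own
# commented header line (assumption: this layout is unchanged in your copy).
URLHAUS_COLUMNS = ["id", "dateadded", "url", "url_status", "last_online",
                   "threat", "tags", "urlhaus_link", "reporter"]

# Constructed excerpt in the shape of the export; none of these entries,
# hosts (.invalid TLD) or IDs are real URLhaus data.
SAMPLE_FEED = """\
################################################################
# abuse.ch URLhaus Database Dump (CSV) -- constructed excerpt, not real data
################################################################
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"100001","2019-12-23 13:41:02","http://docs-download.invalid/inv/Invoice_1223.doc","offline","2019-12-23 18:02:11","malware_download","doc,IcedID","https://urlhaus.abuse.ch/url/100001/","anonymous"
"100002","2019-12-23 13:58:47","http://cdn-update.invalid/get.php?id=7","online","2019-12-24 02:10:00","malware_download","IcedID,exe","https://urlhaus.abuse.ch/url/100002/","anonymous"
"100003","2019-12-23 15:12:09","http://mail-track.invalid/doc/Report.doc","offline","2019-12-23 16:00:00","malware_download","doc,emotet","https://urlhaus.abuse.ch/url/100003/","anonymous"
"100004","2019-12-23 15:30:00","http://untagged.invalid/x","offline","None","malware_download","None","https://urlhaus.abuse.ch/url/100004/","anonymous"
"""


def parse_urlhaus_csv(text):
    """Parse a URLhaus CSV export into dicts; comment lines (# ...) are skipped."""
    data_lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    entries = []
    for rec in csv.reader(data_lines):
        if len(rec) != len(URLHAUS_COLUMNS):
            continue  # skip a malformed row (e.g. truncated download) instead of crashing
        entry = dict(zip(URLHAUS_COLUMNS, rec))
        raw_tags = entry["tags"]
        # An entry without tags is exported as an empty string or the literal "None".
        entry["tags"] = [] if raw_tags in ("", "None") else raw_tags.split(",")
        entries.append(entry)
    return entries


def filter_by_tag(entries, tag):
    """Return entries whose tag list contains `tag` (case-insensitive, whole-token match,
    so 'doc' does not match 'docx' and a substring of a URL never counts)."""
    want = tag.lower()
    return [e for e in entries if want in (t.lower() for t in e["tags"])]


def urls_for_tag(text, tag):
    """Convenience wrapper: URLs (in feed order) of all entries carrying `tag`."""
    return [e["url"] for e in filter_by_tag(parse_urlhaus_csv(text), tag)]


def defang(url):
    """Defang a URL for a report: scheme becomes hxxp(s) and every '.' becomes '[.]',
    so the string is not clickable and does not resolve if pasted somewhere."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    for e in filter_by_tag(parse_urlhaus_csv(SAMPLE_FEED), "IcedID"):
        print(e["dateadded"], e["url_status"], defang(e["url"]), ",".join(e["tags"]))
```

For live data, download the recent-URLs CSV export from urlhaus.abuse.ch (the `downloads/csv_recent/` feed) and pass its contents to `urls_for_tag(text, "IcedID")`; the comment-line handling above exists because that export starts with a block of `#` lines describing the columns.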
The Word documents
I received different Word docs from the same links when I tested them in my lab environment. The first Word document had a template that was mostly red (maybe reddish-orange). My second sample had a different template that was mostly blue.
The infection traffic
Infection traffic was typical for IcedID activity. In previous IcedID infections, I've seen Trickbot, such as in this previous diary from March 2019. However, no Trickbot was noted during the two infections I ran in my lab on 2019-12-23.
Forensics on an infected Windows host
My infected Windows hosts showed the same type of artifacts and behavior associated with IcedID in recent months. See the images below for examples of malware and artifacts from my 1st infection.
Indicators of Compromise (IoCs)
Infection traffic, 1st run:
Infection traffic, 2nd run:
Pcaps and malware samples used for this diary can be found here.
Dec 24th 2019