IcedID Being Distributed Through ISO Files

The ASEC analysis team has been covering various types of malware distributed through ISO files, and it recently discovered IcedID (a modular banking malware) being distributed the same way. Two distribution methods were observed. The first uses the same method as the Bumblebee malware discussed in the previous post; the second is similar but adds script files and a cmd command to the chain.

The first type distributes and executes IcedID through the same process as the Bumblebee case discussed in the previous post. It uses the email thread hijacking technique: legitimate emails are stolen and replies carrying a malicious attachment are sent to the original correspondents (see the figure below). The attachment is a compressed file protected with a password written in the email body.

Phishing email

Inside the compressed file is an ISO file. Opening the ISO mounts it as a DVD drive containing an lnk file and a DLL, and the malicious DLL is loaded through the lnk file. The DLL carries the hidden attribute, so only the lnk file is visible to the user, and the loading process is identical to that of Bumblebee.

  • lnk command
    %windir%\system32\cmd.exe /c start rundll32.exe hertbe.dll,#1

Malicious files created upon running the ISO file

lnk properties

The loaded DLL is IcedID. Like Emotet and Dridex, IcedID is a banking malware whose loader downloads the main module from its C2 before performing its malicious behavior. The DLL’s C2 is as follows:

  • C2
    hxxp://carismorth[.]com/

The second type includes additional files inside the ISO file besides the lnk and the DLL. Inside the ISO are an lnk file and two folders, as shown below.

Files inside the ISO file

Files inside “them” folder

The lnk file runs the worker.cmd file inside the “them” folder.

  • lnk command
    C:\them\worker.cmd

lnk properties

The worker.cmd file launched by the lnk file runs the worker.js file in the same folder, passing it the argument “l32”.

Internal code of worker.cmd

The worker.js file concatenates the argument “l32” with the hard-coded string “rundl” to form “rundll32”, so the full program name never appears in either script, and then uses rundll32.exe to load the then.dat file from the same folder.

Internal code of worker.js

The loaded then.dat file is a DLL (IcedID). Its C2 and the packet it sends are shown below. The second type ultimately loads a DLL from the lnk file in the same way as the first type, but through additional steps.

  • C2
    hxxp://cootembrast[.]com/

Packet upon connecting to C2
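Both chains described above leave a recognisable trail in process-creation telemetry: cmd.exe started from the lnk that launches rundll32 with an ordinal export (“,#1”), and, for the second type, cmd.exe spawning a script host that in turn runs rundll32 on a non-.dll module (then.dat). The following Python is an added example, not code from the post; the events are constructed to mirror the chains described, and the field names (parent, image, cmdline) are assumed.

```python
import re

# Constructed sample process-creation events (not from the original post).
# Each record mimics a generic EDR/Sysmon-style log. Drive E: stands for the
# mounted ISO; the last event is a benign rundll32 use for contrast.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start rundll32.exe hertbe.dll,#1"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe hertbe.dll,#1"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe E:\them\worker.js l32"},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\them\then.dat,#1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# rundll32 target: module path/name, then ",#<ordinal>" or ",<export name>"
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s\",]+)\"?\s*,\s*(#?\w+)", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the list of rule names this single event triggers."""
    hits = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    # Rule 1: lnk-style launch, explorer.exe -> cmd.exe that "start"s rundll32.
    if image == "cmd.exe" and parent == "explorer.exe" and re.search(r"\bstart\b.*rundll32", cmd, re.I):
        hits.append("cmd_start_rundll32")
    # Rule 2: rundll32 loading a module by ordinal, from outside C:\Windows,
    # or with a non-.dll extension (then.dat); all three occur in this chain.
    m = RUNDLL_RE.search(cmd) if image == "rundll32.exe" else None
    if m:
        module, export = m.group(1), m.group(2)
        in_windows = module.lower().startswith(r"c:\windows")
        if export.startswith("#") or not in_windows or not module.lower().endswith(".dll"):
            hits.append("rundll32_suspicious_module")
    # Rule 3: cmd.exe spawning a script host on a .js outside the user profile
    # (the worker.cmd -> worker.js step, with its short argument).
    if image in SCRIPT_HOSTS and parent == "cmd.exe" and re.search(r"\.js\b", cmd, re.I) \
            and not re.search(r"c:\\users\\", cmd, re.I):
        hits.append("cmd_spawns_script_host")
    return hits

def scan(events):
    """Map each offending command line to the rules it triggers."""
    return {ev["cmdline"]: h for ev in events if (h := check_event(ev))}
```

Each rule is deliberately narrow; in production the three would be correlated on the parent/child chain within a short time window rather than fired independently.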

Malware distribution through ISO files has been increasing recently. Since attackers also reply to hijacked legitimate email threads, users should be cautious and refrain from opening attachments. AhnLab’s anti-malware product, V3, detects and blocks the malware under the aliases below.

[File Detection]
Trojan/Win.Generic.R503676 (2022.07.10.01)
Trojan/Win.IceID.R505751 (2022.07.20.02)
Dropper/ISO.IcedID (2022.07.20.01)
Dropper/ISO.Agent (2022.07.20.02)

