The ASEC analysis team has been introducing various types of malware that were distributed through ISO files. And the team recently discovered the distribution of IcedID (module-type banking malware) through ISO files. There were two methods to distribute the malware. The first one used the same method employed by the Bumblebee malware that was discussed in the previous post. The second method is similar to the first one but had script files and the cmd command added.
The first type used the same process for distribution and execution of IcedID as that of Bumblebee discussed in the previous post. It used the email hijacking technique to snatch normal emails and send replies to users with malicious file attachments (see the figure below). The file is compressed and protected with a password written in the email.
Inside the compressed file is an ISO file. Running the ISO file creates an lnk and a DLL file in the DVD drive, and the malicious DLL is loaded through the lnk file. The DLL is set as hidden, and the process for loading is identical to that of Bumblebee.
- lnk command
%windir%\system32\cmd.exe /c start rundll32.exe hertbe.dll,#1
The loaded DLL is IcedID. Similar to Emotet and Dridex, IcedID is a banking malware that performs malicious behaviors by downloading the main module. The DLL’s C2 is as follows:
The second type includes additional files inside the ISO file besides lnk and DLL. Inside the ISO are an lnk file and two folders as shown below.
The lnk file runs the worker.cmd file inside “them” folder.
- lnk command
The worker.cmd file executed by the lnk file runs the worker.js file existing in the same folder with the argument “l32”.
The worker.js file combines the two strings “l32” (received as an argument) and “rundl” to ultimately load the then.dat file inside the same folder through rundll32.exe.
The loaded then.dat file is a DLL file (IcedID). Its C2 and packets are shown below. The second type ultimately loads a DLL using the lnk file in the same method of the first type, while going through additional steps.
There is a recent increase in the distribution of malware through ISO files. As attackers are also using a method of sending replies after snatching normal emails, users need to take caution and refrain from opening attachments. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.