More IcedID, (Wed, Oct 5th)


[This is a guest diary we received from Gunter Der]

While the recommendations for Exchange on-premises, as a workaround for the “ProxyNotShell” vulnerabilities, were updated [1] and Exchange Online customers still relying on basic auth are targeted by password spray attacks [2], I had another look at recent IcedID campaigns using PNG files to hide their malicious payload.

As Didier Stevens pointed out in his diary last week, these PNGs are not just decoy images [3]. The initial HTML page (e.g. SHA256 0ab12d65800f3e7e6089fe3c534911f0b42d9175bcf955e937edd39e8bb2c13a) [4] contains two base64-encoded sections: one is a GIF used as the background image to trick the user into decrypting the dropped zip, the other, the largest base64 section, is the zip itself, with the plain-text password provided at the end of the HTML.
The zip contains an .iso which in turn contains a 64-bit DLL, the PNG and a .lnk shortcut gluing it all together:

C:\Windows\System32\cmd.exe /c start 73febb25-a241-41d6-8736-4c26ea6932b3.png && start ru^n^d^l^l3^2 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit
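The chain above (HTML with two base64 blobs, a zip, and a .lnk that launches rundll32 through caret-obfuscated cmd syntax) is straightforward to triage with a small script. The following Python is an added example for this diary, not the author's or IcedID's code: it carves base64 blobs out of a constructed stand-in HTML page, identifies them by magic bytes, pulls the plain-text password, and then normalises the .lnk command line so a simple rule can spot rundll32 being handed a module that does not carry a .dll extension. The sample HTML, GIF and zip bytes are hand-built and labelled as such; the command line is the one quoted above.

```python
import base64
import re

# Constructed sample page (not the real campaign's HTML): a GIF used as the page
# background, a second, larger base64 blob that is the dropped zip, and the
# plain-text password at the end. Both files are minimal hand-built stand-ins.
GIF_BYTES = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 6 + b";"
ZIP_BYTES = b"PK\x05\x06" + b"\x00" * 18   # empty zip: end-of-central-directory record only
SAMPLE_HTML = (
    '<html><body style="background:url(data:image/gif;base64,'
    + base64.b64encode(GIF_BYTES).decode() + ')">\n'
    '<script>var blob = "' + base64.b64encode(ZIP_BYTES).decode() + '";</script>\n'
    '<p>Password: 1234</p></body></html>'
)

# The .lnk command line quoted in the diary, verbatim.
LNK_CMD = (r"C:\Windows\System32\cmd.exe /c start 73febb25-a241-41d6-8736-4c26ea6932b3.png"
           r" && start ru^n^d^l^l3^2 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit")

# File-type magic for the artefacts seen in this chain (longest prefixes first).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"PK\x03\x04": "zip", b"PK\x05\x06": "zip",
    b"MZ": "pe",
}


def identify(data: bytes) -> str:
    """Classify a decoded blob by its leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_blobs(html: str, min_len: int = 24):
    """Find base64 runs in the page, decode the valid ones and type them."""
    results = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        results.append({"offset": m.start(), "size": len(data),
                        "kind": identify(data), "data": data})
    return results


def find_password(html: str):
    """Heuristic: the token following the word 'password' near the end of the page."""
    m = re.search(r"[Pp]assword\W*([^\s<]+)", html)
    return m.group(1) if m else None


def normalize_cmd(cmdline: str) -> str:
    """Strip cmd.exe caret escapes (ru^n^d^l^l3^2 -> rundll32); enough for this style."""
    return cmdline.replace("^", "")


def flag_rundll32(cmdline: str):
    """Report rundll32 invocations whose module argument does not end in .dll."""
    tokens = normalize_cmd(cmdline).split()
    hits = []
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("rundll32", "rundll32.exe"):
            module, _, export = tokens[i + 1].partition(",")
            if not module.lower().endswith(".dll"):
                hits.append({"module": module, "export": export})
    return hits


if __name__ == "__main__":
    for b in extract_blobs(SAMPLE_HTML):
        print(f"offset={b['offset']} size={b['size']} kind={b['kind']}")
    print("password:", find_password(SAMPLE_HTML))
    print("rundll32 findings:", flag_rundll32(LNK_CMD))
```

The rundll32 check keys on the module extension alone: a command line that has been through `normalize_cmd` still reads "rundll32 2cdb83ee-….-Tf,PluginInit", which a plain string match on "rundll32" would miss in the original carets-and-all form.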

The initial access broker behind this trickery has been known to hide RC4-ciphered shellcode in PNG files for a few years now, so the eventual C2 (triskawilko[.]com in the example above) gets detected and picked up quickly [5]. The first network activity, the DNS lookup of the C2, is however delayed to evade the standard timeout on some sandboxes.
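The diary says the shellcode is carried inside the PNG but not where in the file it sits. The Python below is an added example, not code from the diary or from the malware, that walks a PNG's chunk structure and reports the places a payload is typically tucked into a still-valid image: chunk types outside the standard set, chunks whose CRC does not match, and bytes appended after IEND. The two PNGs it inspects are built in the script itself (a clean 1x1 image and the same image with a constructed extra chunk and trailer); a payload hidden inside legitimate IDAT data would not be flagged by this check.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(extra=()):
    """Constructed 1x1 RGB PNG; 'extra' chunks are inserted before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    out = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
    for ctype, data in extra:
        out += chunk(ctype, data)
    return out + chunk(b"IEND", b"")


def inspect_png(blob: bytes):
    """Return (finding, offset, size) tuples for structural oddities in a PNG."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return [("bad-signature", 0, 0)]
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_field) < 4:
            findings.append(("truncated", pos, length))
            break
        name = ctype.decode("latin-1")
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != struct.unpack(">I", crc_field)[0]:
            findings.append(("bad-crc", pos, length))
        if name not in STANDARD_CHUNKS:
            findings.append(("nonstandard-chunk:" + name, pos, length))
        pos += 12 + length
        if name == "IEND":
            if pos < len(blob):   # anything after IEND is ignored by image viewers
                findings.append(("trailing-data", pos, len(blob) - pos))
            break
    return findings


if __name__ == "__main__":
    clean = build_png()
    # Constructed suspicious variant: a private 'daTa' chunk plus 32 trailing bytes.
    suspicious = build_png([(b"daTa", bytes(range(64)))]) + b"\x00" * 32
    print("clean:", inspect_png(clean))
    print("suspicious:", inspect_png(suspicious))
```

Run over a directory of PNGs pulled from ISO attachments, an empty findings list is the boring case; non-standard chunks and trailing data are the ones to hand to the reverse engineer, who then still has to locate and decrypt the shellcode the diary refers to.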

Much more on PNG steganography and shellcode analysis is covered in the formidable FOR710 Reverse-Engineering Malware: Advanced Code Analysis training.

[1] https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers
    https://aka.ms/eomtv2
    https://twitter.com/wdormann/status/1576922677675102208
[2] https://techcommunity.microsoft.com/t5/exchange-team-blog/use-authentication-policies-to-fight-password-spray-attacks/ba-p/3643487
[3] https://isc.sans.edu/forums/diary/PNG%20Analysis/29100/
[4] https://bazaar.abuse.ch/sample/0ab12d65800f3e7e6089fe3c534911f0b42d9175bcf955e937edd39e8bb2c13a/
[5] https://www.virustotal.com/gui/url/c3313f03bcd07c86ad3eb18b39d5e4dc7e61d685e2cf35eefc16524a9f112c6f

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
