{"id":6400,"date":"2021-06-09T13:05:40","date_gmt":"2021-06-09T20:05:40","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6400"},"modified":"2024-08-07T12:21:42","modified_gmt":"2024-08-07T19:21:42","slug":"shathak-pushes-icedid-banking-trojan","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/shathak-pushes-icedid-banking-trojan\/","title":{"rendered":"Shathak Pushes IcedID Banking Trojan"},"content":{"rendered":"

Author: James Barnett<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

On 2 June, security researcher Brad Duncan reported on a malspam campaign from the threat actor known as Shathak (a.k.a. TA551) distributing the IcedID banking trojan.1<\/sup><\/p>\n

We previously reported on an IcedID campaign in November 2020 in which Shathak distributed the malware via Japanese language malspam.2<\/sup> We also published on a campaign in July 2020 wherein threat actors used a Valak downloader to deliver IcedID.3<\/sup>\u00a0<\/strong><\/p>\n

Customer Impact<\/h3>\n

IcedID is a banking trojan that uses web injection and redirection attacks to steal banking credentials, credit cards, and other financial information from victims who believe they are entering their information into a secure website.\u00a0<\/strong><\/p>\n

Campaign Analysis<\/h3>\n

The emails in this campaign followed Shathak\u2019s standard operating procedure of distributing malicious Microsoft Word documents within password-protected ZIP file attachments. The report did not provide examples of the emails themselves, but based on previous campaigns, Shathak likely used falsified replies as subject lines and included a short lure in the body text that prompted the recipient to open the attached ZIP file using a numerical password included in the email.<\/p>\n

Attack Chain<\/h3>\n

When the victim extracts the ZIP archive using the included password and opens the Word document inside, the document displays the following message:
\nThis document created in a previous version of Microsoft Office Word. To view or edit this document, please click \u201cEnable editing\u201d button on the top bar, and then click \u201cEnable content.\u201d<\/p>\n

Once the victim does so, a malicious macro drops a malicious Microsoft HTML Application (HTA) and executes it via Windows Management Instruction (WMI). The HTA file then attempts to download and execute the IcedID installer dynamic-link library (DLL) from one of several domains controlled by the attacker. Inthis campaign, the malware saved the installer DLLs with a .JPG file extension to obfuscate their intended purpose. <\/p>\n

When the IcedID installer DLL executes, it downloads an additional file from a remote server and uses it to build and execute a persistent version of the IcedID DLL at C:\\Users\\[username]\\AppData\\Local\\[username]\\Tetoomdu64.dll. The persistent IcedID DLL then monitors the victim\u2019s system and uses web injection techniques to redirect the victim to one of IcedID\u2019s proxy servers whenever they try to visit a website that may contain credentials valuable to the attacker (e.g. financial institutions).<\/p>\n

When the victim is redirected to the IcedID proxy server, it will show them a page that appears identical to the legitimate login page of the website they were attempting to visit. However, if the victim enters their login details on this page, the proxy server will send their credentials to the attacker for later abuse before forwarding them to the actual website the victim intended to visit. The victim will then be logged into the legitimate version of the website, leaving them with no obvious indication that their credentials have just been stolen.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Infoblox recommends the following actions to reduce the risk of this type of infection:<\/p>\n