2020-09-16 (Wednesday) TA551 (Shathak) Word docs pushing IcedID

1. 2020-09-16 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
2.  
3. CHAIN OF EVENTS:
4.  
5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
6.  
7. 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
8.  
9. - 9af952156e641712cc7072ff0bf85f4d2b5fad5c322c590e8b951974ce946d42 adjure,09.16.2020.doc
10. - 93c7c35535a1cd749025f7760096e5fce3e0b1502b06c636b055479f3f531ce2 adjure_09.16.2020.doc
11. - e61c99806aaa9d32d527cb346ee4ea8175e51cb07a2f8e53aee905d05e1f6190 deed contract-09.20.doc
12. - e24db3e7f085b87a1ef337da7501af54af171c7005f0c7da13af8a08ff4bafbf details-09.20.doc
13. - 57d08413af6d9fc3664764e014167fd106ced8015c669fe27a1eadd6077529b4 documents-09.20.doc
14. - 1b7fc60bf597b5384b24dd340a1cee14082a1ce62a1a3e583affd343b55e7214 file 09.16.20.doc
15. - 3b460c06f60ddd9abd026267b6f4279ead330d3902ce13cb13b9b44e109156ad file_09.16.2020.doc
16. - 1140ced6f1344c92140f61c482f1af02cb615837389e1ef7bcdd86db3c050365 inquiry,09.20.doc
17. - f594fad1f819e0d9547fa5a391a6b79f9237b1748a06138c3ac205f5cfc05d4f intelligence,09.16.2020.doc
18. - 8d3795163d8c5ea1d6578410692831e833dbfcd3fb9791fef4069c8fbe33de4d legal agreement-09.16.2020.doc
19. - 4bf24278b4b75d6c7e9d1f143735ac3518ed659c9dcc3f7aa89d15304af7072e legislate 09.16.20.doc
20. - 98f503a60b3b2638b4cb36ab7f320a311d990fe962c94b17ed2a094ee47b3845 ordain,09.20.doc
21. - f095c392c2bb991383d489af3e4621cf03fc349fa3cfd80f4c5fb81e75242670 question 09.16.2020.doc
22. - 917011fbe73effd994c7dd28db0b6d722a3136b97ebfdc964c0c72e7b244b65e question,09.20.doc
23. - 046f37a5e93f87189cd7324585c7c2bbb1317de92fa8919d831fcbc522d491a6 question.09.20.doc
24. - c4ee9a8ea3c86b40fac69b02540d38e1a0ea6b12efbe3aff98d6e5b90a2befcb report-09.16.2020.doc
25. - 6426e2de29bcbe2f7d9d6588eee823b043b7ca524ed6a87f6484cd36d7c74869 require 09.16.2020.doc
26. - 672590acdfe5c2c398d52433e1100edc07e866a9004e80a10a98da0e193983c0 require-09.16.2020.doc
27. - 5c21e983912e6cdcfd3f588de112fbe36eb005d76242b099b23e74abe1506ddd specifics 09.20.doc
28. - a7343e22ce3a595766cd600db45438efa674d8168ef0bba26bd5560b909c5709 tell 09.20.doc
29.  
30. AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:
31.  
32. - ab94z0[.]com 193.201.126[.]25
33. - bl3cavy[.]com 185.98.87[.]54
34. - c1c2l0i[.]com - 93.189.41[.]178
35. - cztixxy[.]com 83.166.243[.]201
36. - fffufk[.]com - 195.93.173[.]116
37. - safj3ng[.]com 109.248.250[.]2
38. - swf1fas[.]com 85.117.233[.]251
39. - tq9kma[.]com 95.213.224[.]9
40. - vdnu32a[.]com 194.36.189[.]133
41. - vsav42a[.]com 194.61.2[.]43
42.  
43. URLS FOR ICEDID DLL:
44.  
45. - GET /vakos/nomyr.php?l=fyfy1.cab
46. - GET /vakos/nomyr.php?l=fyfy2.cab
47. - GET /vakos/nomyr.php?l=fyfy3.cab
48. - GET /vakos/nomyr.php?l=fyfy4.cab
49. - GET /vakos/nomyr.php?l=fyfy5.cab
50. - GET /vakos/nomyr.php?l=fyfy6.cab
51. - GET /vakos/nomyr.php?l=fyfy7.cab
52. - GET /vakos/nomyr.php?l=fyfy8.cab
53. - GET /vakos/nomyr.php?l=fyfy9.cab
54. - GET /vakos/nomyr.php?l=fyfy10.cab
55. - GET /vakos/nomyr.php?l=fyfy11.cab
56. - GET /vakos/nomyr.php?l=fyfy12.cab
57. - GET /vakos/nomyr.php?l=fyfy13.cab
58. - GET /vakos/nomyr.php?l=fyfy14.cab
59. - GET /vakos/nomyr.php?l=fyfy15.cab
60. - GET /vakos/nomyr.php?l=fyfy16.cab
61. - GET /vakos/nomyr.php?l=fyfy17.cab
62. - GET /vakos/nomyr.php?l=fyfy18.cab
63.  
64. 10 EXAMPLES OF ICEDID INSTALLER DLLS:
65.  
66. - 02026f323eea8b841f056a23b376cc58ca54956dd3c8216f87564d71c6736e06
67. - 0d3a18ae0018427bbf053669e07bcc3cd9bc248b04a6dd0c082694d20818b56c
68. - 24e4d25395afc41a3e9b860ae7fca1485ecbd3e432387a62c893412978f9a525
69. - 866aa2c9699ab1427f23c3754e7b94358366d2c55e2ff512f26f16a22fa443b8
70. - 9d075b18bd7c1a71d298cbbac829ff9753f43caaf9e06681206adc78f45b68fa
71. - c14f7ece9b6c84d7e81839663fdfcb3cd3eacd06503f02e1cd4ccd9bb90019ca
72. - cae8b4d8837f9c91e253a2f12cc797247a3d92a81e2219eb291cf294c39653ee
73. - d41dc7c994809fa657b8217c6be5ff4f42a7daa61a14f5e711ce4d822bdeba70
74. - dba67ec7a7ce016c238893260e21737a6738f611e3bb7cef80d2bb47ddd7d140
75. - f90a1824f690bcd5c333bd78de0164174fffb12160c26699d6cd17cc10b71a49
76.  
77. EXAMPLES OF LOCATION for THE INSTALLER DLL FILES:
78.  
79. - C:\Users\[username]\Documents\test.pdf
80. - C:\[same location as Word document]\test.pdf
81.  
82. DLL RUN METHOD:
83.  
84. - regsvr32.exe [filename]
85.  
86. AT LEAST 2 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
87.  
88. - 134.122.55[.]164 port 443 - loadro3[.]casa - GET /background.png
89. - 134.122.55[.]164 port 443 - loadwe4[.]casa - GET /background.png
90.  
91. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER:
92.  
93. - badf5b6c2231f8b56f60d0e71cdadf4c0938626d39230776a6d5adb1f4c352f1 (initial)
94. - 55b811ff83a8f8b574694151ba2f1d6e9b1b3902061e8973b24f1af32a90ddca (persistent)
95.  
96. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE 2 ICEDID EXE FILES:
97.  
98. - 79.141.171[.]183 port 443 - allpikoloserdzwe[.]cyou
99. - 79.141.171[.]183 port 443 - sipmptomsledy[.]top
100. - 79.141.171[.]183 port 443 - obnaprimezert[.]cyou
101. - 79.141.171[.]183 port 443 - sprbumazna[.]club
102. - 79.141.171[.]183 port 443 - uragapediculez[.]top
103.  
104. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
105.  
106. - port 443 - www.intel.com
107. - port 443 - support.oracle.com
108. - port 443 - www.oracle.com
109. - port 443 - support.apple.com
110. - port 443 - support.microsoft.com
111. - port 443 - help.twitter.com