2020-07-30 (Thursday) - TA551 (Shathak) Word docs push IcedID (Bokbot)

1. 2020-07-30 (THURSDAY) TA551 WORD DOCS PUSH ICEDID (BOKBOT)
2.  
3. REFERENCE:
4.  
5. - https://twitter.com/malware_traffic/status/1288904813758099457
6.  
7. NOTES:
8.  
9. - More info about TA551 (Shathak) distribution is found in my blog for Valak at Palo Alto Networks: https://unit42.paloaltonetworks.com/valak-evolution/
10.  
11. - Instead of pushing Valak with IcedID as follow-up malware, TA551 has been pushing only IcedID for English-speaking victims since 2020-07-14, documented at https://isc.sans.edu/forums/diary/Word+docs+with+macros+for+IcedID+Bokbot/26352/ and nearly every weekday since then.
12.  
13. - Today, the TA551 (Shathak) campaign in some cases used a copy of certutil.exe to retrieve the IcedID installer DLL, but in others examples it did not use certutil.exe.
14.  
15. - All the files below have been submitted to bazaar.abuse.ch
16.  
17. - All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch
18.  
19. 20 EXAMPLES OF WORD DOCS WITH MACRO FOR ICEDID INSTALLER DLL:
20.  
21. - 092381d01ee8ceafc88163dbe0e4255f452d68a69c26bf4bf0c05b9d41303a75 intelligence_07.30.2020.doc
22. - 09ad2e05ee1b590996b1d57461f3a991c763cc676afa8ae8b6fc02586b935407 files,07.20.doc
23. - 15731a6037944510f53bd37eb5a8c76d762274397d7937b81c6386b8c1a81a2e inquiry,07.30.2020.doc
24. - 254f651790d8e84d7d8b557d7fb064aca16b467af8a29d7906d01cfc3f3948c6 rule-07.30.2020.doc
25. - 28d1b2b7dd8b8ee8c3e720236b123ea1688af0e8ff048c9662eafc5077be836b inquiry-07.20.doc
26. - 4e8ce72ab4a9be22ab3d76e278d17259f1250c15bdf3ab15b7416c18604ae350 order,07.30.2020.doc
27. - 59d272ffeef2cae40dbe9fd24800fbf552cdbb9f6b3bec9b02e6ab77afd94aac dictate_07.30.2020.doc
28. - 6090c9e520211dca35fd774b94f127ba396727e25f00eafb86bfff5979bfa22a commerce ,07.20.doc
29. - 7c46a8634e0ed291edc1e135d27c042383a9560df45bc4470d30719cb533ba47 ordain_07.20.doc
30. - 7f14bd644f7cb4db1ca63ad27918b5752ad90e53036746e82d9c5ca0724db475 tell_07.20.doc
31. - 884316f52ec1b6b276e585a01b3099260ffdd1ce4fe09fdb7ef252264e87caa6 tell-07.20.doc
32. - 949e2fec1b1290bd78e9bb35c25d6c634b5a8f401bb7d13957fba17286726c2b report.07.20.doc
33. - bd96cc2b200f1b2664339fa50cfa247ea94cee13dc2e02127066950568dc21f8 intelligence.07.20.doc
34. - beab9687193a17c2152dbcfccd635e7e61e877862d7bb4c81afc4e56744e0f17 particulars_07.20.doc
35. - c2525050626af56480b27b7208ffbab22a4865e252c618730ff4360f18a33d0c commerce .07.30.2020.doc
36. - cccc1b9dc6c97b84b89efa414034da29b8ff1a1cd9921cb33797e6a25a2891c4 legal agreement-07.30.2020.doc
37. - d66972dbf6c591bc6ee282518a953bbbe2e5ace24359731c01b53e28df8b3577 instruct_07.20.doc
38. - ddd986b55edfcc2a7b680ecf9ffaa9b3a0548bf8eb288d670478aa7415bce522 docs,07.20.doc
39. - ded5eb3d65a25bc62e7953174a219605e61a72f03135a48f6153b2aa5098c2f9 order_07.20.doc
40. - ec03288989e8458f0daaee296ce994ab525642f21e6927e192905f3ffe571089 particulars_07.30.2020.doc
41.  
42. AT LEAST 10 DOMAINS HOSTING ICEDID INSTALLER DLL:
43.  
44. - 0eed1ejih[.]com - 2.57.184[.]54
45. - 1iif89rvl[.]com - 81.29.134[.]57
46. - 6gsdlmpym[.]com - 81.29.134[.]37
47. - 6kd743o1w[.]com - 185.144.29[.]2
48. - 8wsed5qkw[.]com - 95.181.157[.]197
49. - bofzvaxf6[.]com - 95.181.157[.]198
50. - jfmmusox0[.]com - 81.29.134[.]49
51. - py072wgiw[.]com - 185.144.29[.]3
52. - ybvoc9qoo[.]com - 95.181.157[.]195
53. - z7rflq080[.]com - 95.181.157[.]199
54.  
55. HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:
56.  
57. - GET /bolb/jaent.php?l=liut1.cab
58. - GET /bolb/jaent.php?l=liut2.cab
59. - GET /bolb/jaent.php?l=liut3.cab
60. - GET /bolb/jaent.php?l=liut4.cab
61. - GET /bolb/jaent.php?l=liut5.cab
62. - GET /bolb/jaent.php?l=liut6.cab
63. - GET /bolb/jaent.php?l=liut7.cab
64. - GET /bolb/jaent.php?l=liut8.cab
65. - GET /bolb/jaent.php?l=liut9.cab
66. - GET /bolb/jaent.php?l=liut10.cab
67. - GET /bolb/jaent.php?l=liut11.cab
68. - GET /bolb/jaent.php?l=liut12.cab
69. - GET /bolb/jaent.php?l=liut13.cab
70. - GET /bolb/jaent.php?l=liut14.cab
71. - GET /bolb/jaent.php?l=liut15.cab
72. - GET /bolb/jaent.php?l=liut16.cab
73. - GET /bolb/jaent.php?l=liut17.cab
74. - GET /bolb/jaent.php?l=liut18.cab
75.  
76. 27 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL:
77.  
78. - 08e1433330dd63f0f23cfcbd0caa4ab6ad7e36c408a898af2f17f00a2356e20c
79. - 0bac073dd46fd8ac5c68c735f7d8ddecd264107e5163a23ce4f0d1d64823c709
80. - 10541da23f1a6299fe00f9657b9dad7dae53c3091f39f1cfec03f30a93286168
81. - 1f5672777a723b52064ff3876f7d582c524483a5205eb509a9aa6c5566fd4f71
82. - 202e93ce45541da3971aebc5ec5027209ab9ce01cfd65e229ecf90d396b8201d
83. - 249604488f5145ceee176cb5345c7d3c10b28f8645b7e7b7ad43fff90e3e1141
84. - 26814ac4a62e9a9a3fe1059ba49709b161085cc3a1cbbdf5ee20beb742908083
85. - 27e9ab78945ccd312212192c0f7cd39a33876b0743f93abbcbd8b5086753b347
86. - 45000434dad8947c25761ea8e2257458baa10424402b7d48472fac5b1dc5aa47
87. - 54b5a9d4964628097caa5389be308d3306ad5feb01144cf13af0892799da41cb
88. - 5e5d856ef6917165ca56dc2e356a25f7b86e902feb29d3570d84b2bd0b7d1529
89. - 634de4133f7682703e21d4f98fdf1f5d761edf17882a8b37622c95d0182e582f
90. - 7ae35c2610961499b83a35df80b4c9654d10a97fbd5020345f49497941d755a8
91. - 7d97f43bdac6a0420b701f622c164af9f6aed64cb5f3cdbdc3bc44088b0ac2d9
92. - 85fbffd801a6b050745336a42637077ddb544e3039905d9b93f78df310af6e02
93. - 97c5b7288083a6a65513aff8ef98a3b53c7509ef7eaf8b5f220ff908e4fe92bb
94. - 9e7743f112f712bdd9d1658079701138fdb195d73957b894acf5017f63feac94
95. - b3a9d5d233d155daf54e2ef3e7694e3e1659c0465c34fe0043007fb6983cb32d
96. - d872601623df5c1f8f378fb962df80d03922392ec2b3494437c6e347c89c3d14
97. - da4e1bb6c651a569ee44eb2d2a37eaae7035a46d8281592b77666f0819fcf1c8
98. - e0a4280ea1f844aa28c808c5931e3e245730b70d3c8d6ff8d5c13eaaa7115980
99. - e2527c3c1c50b1a4b1c94066d963a0c93b19f28965fc0ad5d53b734b10bf37ed
100. - e7d1ee172b95df20dc90f3100a5b06fb150408b76e92f159fd1e8e69c3c61035
101. - f291bed7451bf2485250b3ebeed132e7f56712d856b316b6fb8f88a4a205d0a3
102. - fdc1a3d88eca9afa817aaf00818f29ea8e80fc1b3a71f46d5231572fb2f69b26
103. - ff7222b433477e4794dbfd8b0ad34dc4e6397c7673fe431c6710c6e77a69b78c
104. - ff87844648c0e1da40aea7bb418bb8b2011f5c55f7a6c3d43228e3c0cf5c33b8
105.  
106. - NOTE: All the above DLL files run with: Regsvr32.exe [filename]
107.  
108. TWO LOCATIONS NOTED FOR THE ICEDID INSTALLER DLL FILES:
109.  
110. - C:\ProgramData\1.tmp
111. - C:\Users\[username]\AppData\Local\Temp\main.theme
112.  
113. TRAFFIC CAUSED BY ICEDID INSTALLER DLL:
114.  
115. - port 443 - www.intel.com
116. - port 443 - help.twitter.com
117. - port 443 - support.oracle.com
118. - port 443 - www.oracle.com
119. - port 443 - support.apple.com
120. - port 443 - support.microsoft.com
121.  
122. - 194.5.249[.]199 port 443 - ldrgopak[.]casa
123. - 194.5.249[.]199 port 443 - loadbudapest[.]casa