2020-09-21 (Monday) TA551 (Shathak) Word docs pushing IcedID

1. 2020-09-21 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
2.  
3. CHAIN OF EVENTS:
4.  
5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
6.  
7. 12 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
8.  
9. - 9f240737183f8b52fc33daa475e11a3fc0655538728e56edc71ff49626549ada certificate 09.20.doc
10. - 2d2f0a3e263c64c98457a3d4bce8a22d53d1c7f9c2326dcdd1578cb5037587fe commerce -09.21.2020.doc
11. - 3e12c287478608aafc8ef1abeba25c526863e9e47d78d314cfc20077d73ae653 commerce ,09.20.doc
12. - 562956706eb0b658fcad5f23d11c4a8670dda18666b04bf7127f9b1ac1be8907 docs.09.21.20.doc
13. - 2925f852e2fc04c4849b5e47306373837305d9bf003e79ceb08762b505759259 document,09.20.doc
14. - 0f9ae46bd910f799fd11c5cc46f7c3ffbc0a2f7280cc3fe867b763a5f5f64258 inquiry_09.20.doc
15. - c37dd0bbd07f3acedf516c07c3fdc023b0ba5082c3959ddda9498fa6c52df09f instrument_indenture,09.20.doc
16. - ad33adc035c689f4ab8f1d3cd49027b9ef804bb60c9a44bff2be585c02e794b3 legal agreement 09.21.2020.doc
17. - 749140091ae47c29826a9f92a19381e060eff987299c2eb521f9ce833b2954f2 material_09.20.doc
18. - c388475c08bcac2336e8b1efdf524d12a6194818e3c8194516b953fba654ac8f prescribe 09.20.doc
19. - 8e9e0af52ff82cdc71e27bf27b157ef3adc00d3078a949d4deeb16a5e4225874 require 09.21.2020.doc
20. - c3da3134de3b14d168e4e0f29c7c893ff3920b9d5ed6e566e0e15c4348ad9659 statistics,09.20.doc
21.  
22. AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:
23.  
24. - csxciyt[.]com - 83.166.214[.]17
25. - dsb5vd[.]com - 185.159.129[.]44
26. - f9pv81[.]com - 185.219.40[.]246
27. - hq1m7wt[.]com - 37.230.117[.]49
28. - ldzcb4[.]com - 185.135.81[.]234
29. - lkcij4k[.]com - 185.87.51[.]204
30. - k21ddmo[.]com - 212.109.221[.]95
31. - mwd3sq[.]com - 194.31.237[.]38
32. - q9d2ya[.]com - 80.87.197[.]19
33. - rb16q6a[.]com - 89.223.100[.]173
34.  
35. URLS FOR ICEDID DLL:
36.  
37. - GET /foqa/kucow.php?l=kofo1.cab
38. - GET /foqa/kucow.php?l=kofo2.cab
39. - GET /foqa/kucow.php?l=kofo3.cab
40. - GET /foqa/kucow.php?l=kofo4.cab
41. - GET /foqa/kucow.php?l=kofo5.cab
42. - GET /foqa/kucow.php?l=kofo6.cab
43. - GET /foqa/kucow.php?l=kofo7.cab
44. - GET /foqa/kucow.php?l=kofo8.cab
45. - GET /foqa/kucow.php?l=kofo9.cab
46. - GET /foqa/kucow.php?l=kofo10.cab
47. - GET /foqa/kucow.php?l=kofo11.cab
48. - GET /foqa/kucow.php?l=kofo12.cab
49. - GET /foqa/kucow.php?l=kofo13.cab
50. - GET /foqa/kucow.php?l=kofo14.cab
51. - GET /foqa/kucow.php?l=kofo15.cab
52. - GET /foqa/kucow.php?l=kofo16.cab
53. - GET /foqa/kucow.php?l=kofo17.cab
54. - GET /foqa/kucow.php?l=kofo18.cab
55.  
56. 12 EXAMPLES OF ICEDID INSTALLER DLLS:
57.  
58. - 1d916a05e07aa61bb84504cd7cf70e920549dde98a3eafebfde3e13d3137df24
59. - 2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236
60. - 30ac7415f1cdd5984cdfe15961eb46211c444786c453cfe8525dacd7c76c28b6
61. - 705e14735da74b107357a676c15b07c0f0c86888b8f98ba86e1029ff4e4858df
62. - 7c94b78d14c95b438b0af4eb93596c2f7a64d8a9a1b2c9b300f5d4c43661a9b9
63. - 89e881e0beb8adc93f3b45e835e68355e855d951a44d18153b7f042989b353e0
64. - 8efa3aea51c2da764f118b7808fa096c3e3a841b676b1e046cdd6ad50cf8af3d
65. - ad91cc0f5f38735a2a88df59382b93919a0f3112cae592f4a0477e20ef414469
66. - c24e8099dffe2d9ddebc10b44b6d992043a7a88f0c24bdd7b462e750813dd92e
67. - c53e0f2ba4d0ff61ed41d31cb5671c96ba8a98afbf32f1e76cd88e5061c20370
68. - d4daab6448cab62e16091169f451e9b455a3607df6ceabccdd0610473d419a6c
69. - ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d
70.  
71. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILE:
72.  
73. - C:\ProgramData\b467e.pdf
74. - C:\ProgramData\cbd30.pdf
75. - C:\ProgramData\dbf1f.pdf
76. - C:\ProgramData\e325b.pdf
77. - C:\ProgramData\ff2ac.pdf
78. - C:\ProgramData\ffadc.pdf
79.  
80. DLL RUN METHOD:
81.  
82. - regsvr32.exe [filename]
83.  
84. AT LEAST x DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
85.  
86. - 142.93.218[.]110 port 443 - ldrphound[.]casa - GET /background.png
87. - 142.93.218[.]110 port 443 - ldrpeso[.]casa - GET /background.png
88. - 134.122.55[.]164 port 443 - ldrruble[.]casa - GET /background.png
89.  
90. SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1 OF 2):
91.  
92. - 4aa11721ca11223bc5dd7d756c7fe5cc9d2d05d7e20f1e0b66c68fd0d59fb172 (initial)
93. - 4ab7976b062def0c7c1231e2a8d663c8a2e0c14f305b573dbc0b8ff49d10f3ba (persistent)
94.  
95. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
96.  
97. - 134.122.101[.]157 port 443 - likofedo[.]club
98. - 134.122.101[.]157 port 443 - doremifasol[.]online
99. - 134.122.101[.]157 port 443 - 10hesadety[.]pw
100. - 134.122.101[.]157 port 443 - bcertyou[.]cyou
101. - 134.122.101[.]157 port 443 - 85.vumbut[.]best
102.  
103. SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2 OF 2):
104.  
105. - 5892f7ad0218286a2e52a5eedbea62c80532a70fa51b2d202b38ad2fcf61cedb (initial)
106. - aa1c66821155d2d77cdc8e114c2b9cdf5bcc5ea35ecfd7d3681e254882080cca (persistent)
107.  
108. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
109.  
110. - 161.35.33[.]38 port 443 - gaagachelo[.]cyou
111. - 161.35.33[.]38 port 443 - odnovoennbundes[.]cyou
112. - 161.35.33[.]38 port 443 - obnaprimezert[.]cyou
113. - 161.35.33[.]38 port 443 - sprbumazna[.]club
114. - 161.35.33[.]38 port 443 - uragapediculez[.]top
115.  
116. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:
117.  
118. - port 443 - www.intel.com
119. - port 443 - support.oracle.com
120. - port 443 - www.oracle.com
121. - port 443 - support.apple.com
122. - port 443 - support.microsoft.com
123. - port 443 - help.twitter.com