2020-08-20 (Thursday) - TA551 (Shathak) word docs push IcedID

2020-08-20 (THURSDAY) - TA551 (SHATHAK) WORD DOCUMENTS WITH MACROS PUSHING ICEDID MALWARE:

CHAIN OF EVENTS:

malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

22 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:

- e74344da011c0b40910c94bfe04b0cab9dca0727f4ff8a712b9e67090e888538  command 08.20.2020.doc
- 97cf98ed3f769614f76708d74468f8dd97d721b77fdec71fe0ffbbd2059881a4  decree 08.20.20.doc
- a9f1a2116654c86055f76b9414b007dffa7e481ecd4b4599d97fc7c5277e0406  decree.08.20.doc
- f790841bb10f01d9b62d46599f74951ffc501625f7bc81887712866008594e91  decree.08.20.doc
- f43bd677fc0f91605c528b974eb75c6cbbae6e793e43ac37e1e2c23f05cdd16e  enjoin.08.20.doc
- 3490e9b6d5075d72d7932f6615e0d57383267483f7233f8018e525c47247fb22  facts 08.20.doc
- 47162876ed6ea646b1b3b52d3d27c5d740b6d29550fa92a582193145cbc1dc35  figures,08.20.doc
- b9427384ef08b4b46d79b6f69da55f81f1bc1504645231f1a235989b0a7f80e6  file,08.20.20.doc
- dec178d7b649b0f381a2b6d8816e68324c44b3a62b85f3671bc1866226dda472  input_08.20.doc
- 9887706fec807a848caec12265e7f0a062d00394ec1b6b564765719c8aad618d  inquiry_08.20.20.doc
- c4f8453b7157f8ab0a33f452ef5238631dee8ea2cf06cb32b49f2fab0f1afce5  instruct,08.20.doc
- edda2ccdedf90389a9980fcf05990cb264df8ed6c15ccc2cbdd8ba66e0ff0cfe  instrument indenture-08.20.doc
- e5d2751a8b5b5ced34eb583486e673e7ac0fdb6952cf31e7a4ba0324326359bd  legal agreement,08.20.20.doc
- 79a4373e8aef7d5db5faeb02ed059e7514ff4581cb40c128cdcccae88651c49c  ordain-08.20.doc
- 9f298534ebf0aa1da5bb369152a8e70576f45eae0ece3abbf7e8edfb32e57ea4  particulars-08.20.doc
- f555a28e9d8d82d1f3682921800e8e04e99c00b7a319e6866b01f7a99cd74677  report 08.20.2020.doc
- 1bbd4db893f0ae6c68368f5c0c2f768c1ae4b787b23cd681f3fdf49ed430f00a  report 08.20.2020.doc
- f6babfa9ec695cabf642941c0a80ecfede354553059cecc50fc4a2c8766edd43  report,08.20.2020.doc
- f14e6107da54f9728252f7461313ef49f2708ab051c426c87d0618b6d93ad510  require 08.20.doc
- 1e827bcaa3190b6f7ab092ce6b3160244d182507dd99a4adddc0e93f415ea79c  rule_08.20.2020.doc
- e1a647d2d801b1a19cc832113af60a4877d75c1f1156c33834722740397852c2  specifics_08.20.doc
- 3be7c48f4970f078ef1c0fd8b4aba3424f3971da175f127768c1b4d63e72ff3f  statistics 08.20.doc

AT LEAST 12 DOMAINS HOSTING THE INSTALLER DLL:

- fbz7fl.com - 81.29.134.87
- fk1s50.com - 185.103.109.79
- g7b26ut.com - 185.66.12.156
- i47cml.com - 193.187.175.158
- ip7g25w.com - 45.89.67.140
- jve7kr.ciom - 185.254.190.68
- kx8sp52.com - 185.118.164.101
- pob8bvm.com - 194.31.236.119
- sh1ywp.com - 83.220.172.64
- twu5vut.com - 185.239.51.224
- w4l8qww.com - 92.63.104.151
- xb5k6j.com - 45.89.66.41

GET REQUESTS FOR THE INSTALLER DLL:

- GET /pudiv/tedy.php?l=gike1.cab
- GET /pudiv/tedy.php?l=gike2.cab
- GET /pudiv/tedy.php?l=gike3.cab
- GET /pudiv/tedy.php?l=gike4.cab
- GET /pudiv/tedy.php?l=gike5.cab
- GET /pudiv/tedy.php?l=gike6.cab
- GET /pudiv/tedy.php?l=gike7.cab
- GET /pudiv/tedy.php?l=gike8.cab
- GET /pudiv/tedy.php?l=gike9.cab
- GET /pudiv/tedy.php?l=gike10.cab
- GET /pudiv/tedy.php?l=gike11.cab
- GET /pudiv/tedy.php?l=gike12.cab
- GET /pudiv/tedy.php?l=gike13.cab
- GET /pudiv/tedy.php?l=gike14.cab
- GET /pudiv/tedy.php?l=gike15.cab
- GET /pudiv/tedy.php?l=gike16.cab
- GET /pudiv/tedy.php?l=gike17.cab
- GET /pudiv/tedy.php?l=gike18.cab

21 EXAMPLES OF SHA256 HASHES FOR DLL FILES USED TO INSTALL ICEDID:

- 17aa717873788437012009c059a2cb136f06130df588af7d033edb82868aceae
- 19907027b3b936670924854feb2ce2112972b39df8120d4cb9ae904e057b6198
- 35a71504ac2806d3ac17dfed1c580ab87b22eb09d0f33afd7400f77bae78b383
- 374af7e0b9d04ea1845d7c6d1ae7b52d779ab5119762b5d47b3b47246fbb0f75
- 3df3817c82c7e44d164c0ac43479a5a280ab9cc5cd3c2da0a2aca7a4f9ea95bf
- 59dfbaef9937ff381434d144bff16203cbbe4cfcdfb79818379404c6d42f55ca
- 80429d54c4ff5edd8ebb2bce803ca4a434fd4ef81aaf8fd2571d3d7cb9b83fc9
- 81d0d0a1abda054dfc3335f21f7f2ff4555bd3a6038cf13a75654a6f8d7da2d2
- 84a2d2173f8215e239bbdc06e12133f82d716c06d550f6f34d0e5f0458048890
- 8a02a9b726dc1db8ee848997b3735127c5e96b460219e4b5f8aadcc86f37f5c6
- 94a48ea009b39ec30571256ae4fafe84a83ebde2801d24207263f5e80b41ae1e
- a7b4996bb263d8eb7afc9e6ca993173a13820896c9f567ca2b9527013d801b57
- c3e582481a04368409765dd76e12358e5ef45fd0d837131059ef929f8635fc7e
- cbe868b22594dd7f9905d12c00a8382fcd5431408f559f0f14e99a8be27f6349
- d25debe1cf9e028b386615db4db0a3de21659fccf3cb72248376821d537a73b5
- da0f6cc9136adf5a0dc1f646e953ac9f20adc59c782c5848e9a3f843c8dc3dda
- dc9bdb08cf24f8bce76703c4e6ec576e12147d0555d149a96bef6cff67c4e58f
- e5f569e7b0e5c5b1db07e5fc292a8889e5043b05d8dac636aeb378e3552d35a4
- eb129e9a89c3f74eaaadf5b61d25aff57654a5bfc93e86dd3f1894129ee62bd4
- fa1c0fee3032048bba15c2d1c34dde82815df631a900d8a88c3a2adbb67645fc
- fd4c2da96e2c4968773ac916309a99eea142af824e5c12b1a801888b0aa24fb5

LOCATION OF THE INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\temp.tmp
- C:\[same directory the Word doc is located]\f1a30027.jpg
- C:\[same directory the Word doc is located]\f8015423.jpg
- C:\[same directory the Word doc is located]\b0635dfb.jpg
- C:\[same directory the Word doc is located]\b72e0f4c.jpg
- C:\[same directory the Word doc is located]\ce81b018.jpg

RUN METHOD FOR INSTALLER DLL:

- regsvr32.exe [filename]

AT LEAST 5 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 104.131.13.31 port 443 - ldrfewa.casa - GET /background.png
- 104.131.13.31 port 443 - ldrnuri.casa - GET /background.png
- 159.203.35.240 port 443 - gugafirst.top - GET /background.png
- 159.203.35.240 port 443 - gugasecond.cyou - GET /background.png
- 159.203.35.240 port 443 - ldrfohill.casa - GET /background.png

NOTE: I did not see the IcedID EXE today....

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL EXE:

- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - support.oracle.com
- port 443 - www.intel.com