2020-07-28 (Tuesday) - TA551 word docs pushing IcedID (Bokbot)

1. 2020-07-28 (TUESDAY) TA551 WORD DOCS PUSH ICEDID (BOKBOT)
2.  
3. REFERENCE:
4.  
5. - https://twitter.com/malware_traffic/status/1288207411824795653
6.  
7. NOTES:
8.  
9. - More info about TA551 (Shathak) distribution is found in my blog for Valak at Palo Alto Networks: https://unit42.paloaltonetworks.com/valak-evolution/
10.  
11. - Instead of pushing Valak with IcedID as follow-up malware, TA551 has been pushing IcedID for English-speaking victims since 2020-07-14, documented at https://isc.sans.edu/forums/diary/Word+docs+with+macros+for+IcedID+Bokbot/26352/ and nearly every weekday since then.
12.  
13. - Today, the TA551 (Shathak) campaign in some cases used cURL to retrieve the IcedID installer DLL, but in others examples it did not use cURL.
14.  
15. - All the files below have been submitted to bazaar.abuse.ch
16.  
17. - All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch
18.  
19. 22 EXAMPLES OF WORD DOCS WITH MACRO FOR ICEDID INSTALLER DLL:
20.  
21. - 039656f8243e9e537900ba68d8423c4d7184ee10c674aa3b27f91036d455f5e7 legal paper_07.20.doc
22. - 0870014bc562398f6abd9f7f696125fe3011514b3f00aee681c26332ed54dbff deed contract 07.28.2020.doc
23. - 12b06f5a1fc87d6dd87d27f757ad8459326ed14cd8281322a286eb2e7746ba3a material-07.28.2020.doc
24. - 218b4a719235caf750e6fda2dc3229e3b8b1fcd356bb8eab9595d5a386b92abe specifics-07.20.doc
25. - 2707b436f988971e1815829709757c8d16deb127754dc28ccbed5e84e108da0a statistics,07.20.doc
26. - 28bb801aa3dd211f9523f177a9ae26f92be2f231d772fced6d3f820336771efe dictate,07.28.2020.doc
27. - 387cdfcf67b4da48cc776beac716cc23f7df5a76070ea7a194cb51289a6b5deb direct.07.20.doc
28. - 4a32f27e6f5a8eabed71deea02e7b1376e51773df279057a186afec4a2383430 rule.07.20.doc
29. - 58d2da9734e0b24325d6ba4a98192c63acc9777030b46b978e02a1de94a9bebe inquiry_07.20.doc
30. - 5d6d0b4724435390f4b7cee53818d57de355e9fce908fc9eba3eb94e827f10d9 inquiry-07.20.doc
31. - 728ebe4d9c2159cde89df4c7d8d231f355140cec8c62f87a1426ea1dbdad785d bid 07.28.20.doc
32. - 8d75e83e570e8faba7bfaf17b7d836d35681cd45e0bcf5366e29381fefb04dc1 legal paper_07.28.2020.doc
33. - 8e382b34276f8a42ee4c136c43ecbdff7c060c82995cac7bb1bc00413d5bcaae question,07.20.doc
34. - ae04de29b06fa33bd3a227ed6408254fe82916fa057f009ed355a04d86573ace docs-07.20.doc
35. - b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1 document,07.20.doc
36. - ce10adcc2ae1459b5beadb88a408d2825f272006c648d3b353a9ed1d53b7ebb9 documents 07.28.2020.doc
37. - cf2f969423de372c2649bade9139afed3a8fd277a51902f34a3b14567e7467c7 facts_07.20.doc
38. - d20708c9395310f9fcf5d1bc735378e1bddfdbd54efc4ef569edf65a6034657b details_07.28.2020.doc
39. - d77845f1806ae94b32e01192ab65493548fec4cdedc02c0f0c89053eb06aa215 details,07.20.doc
40. - dee2b395158c42d849060164f4132ddef7c3aa33288b0ae6775fd88c746be6ed enjoin-07.20.doc
41. - e7c1916efb3298b5f4537e195aa957664971e19f29561863c3751275006d631d report-07.20.doc
42. - e83da5fd9fb4d4c4a7e48bdaba482d024787a31d4ddf4d3fc5ed4b3fb7554a59 docs_07.28.20.doc
43.  
44. AT LEAST 10 DOMAINS HOSTING ICEDID INSTALLER DLL:
45.  
46. - 0uso87[.]com - 185.239.51[.]217
47. - 60c4wn[.]com - 185.119.57[.]20
48. - 8cfayv[.]com - 92.63.98[.]49
49. - apc846[.]com - 92.63.98[.]141
50. - c3au3r[.]com - 89.191.227[.]140
51. - qzg0oi[.]com - 92.63.98[.]30
52. - ycjjvl[.]com - 185.239.50[.]118
53. - yt549w[.]com - 89.191.225[.]190
54. - vkr0bt[.]com - 82.146.41[.]87
55. - zgo2ze[.]com - 185.239.50[.]116
56.  
57. HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:
58.  
59. - GET /bolb/jaent.php?l=liut1.cab
60. - GET /bolb/jaent.php?l=liut2.cab
61. - GET /bolb/jaent.php?l=liut3.cab
62. - GET /bolb/jaent.php?l=liut4.cab
63. - GET /bolb/jaent.php?l=liut5.cab
64. - GET /bolb/jaent.php?l=liut6.cab
65. - GET /bolb/jaent.php?l=liut7.cab
66. - GET /bolb/jaent.php?l=liut8.cab
67. - GET /bolb/jaent.php?l=liut9.cab
68. - GET /bolb/jaent.php?l=liut10.cab
69. - GET /bolb/jaent.php?l=liut11.cab
70. - GET /bolb/jaent.php?l=liut12.cab
71. - GET /bolb/jaent.php?l=liut13.cab
72. - GET /bolb/jaent.php?l=liut14.cab
73. - GET /bolb/jaent.php?l=liut15.cab
74.  
75. 22 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL:
76.  
77. - 082c37029ae98221ceb74eda3ff2ca6466dabb49080ce0343a7463699ea451bd
78. - 1226f06efc6ec7de3acc3612bb777846643361a09d226c41bf4ef745c1a34683
79. - 252aae7a965a2fbb2bb5e1d51a1da836fec68bbe7552ad8c5134a3a1ee873af3
80. - 2a40ab63e0da2da3c16ecbee0eab68f7572fb765788f87f9d5c446994bb7cd24
81. - 327e74266c32db3be1a8d97680808dae8eca9ece47e54a0a2dd3d05bd82e0229
82. - 4034c710ef15fc9f912432d31817bd98a100d909c1c97b09dbcf58c8ca6b9d81
83. - 47300c5428551b47d47e40c1e0b96460b2a0d4f5b370db241892381cece57260
84. - 49545ac232947f35d2a9e0e32bd8c106f188b2b4fe412f6a492af3ee928fbd5e
85. - 4cd6ca9e36b8871754a3904018d67cff4ce8b0cf78b07c906a73962e0b26be46
86. - 5b70013de8ecc7b8abeb19d8f79778a9ce359a4c107f109f315633fc67839155
87. - 6a9a322e68a49edc6def678051843ad3fdb2be385de2f9cc924309daaa9e1dd6
88. - 9faabefae513e08168beb59d0c43bb808e0e1a1f5db0ecd84ca38190887228c5
89. - badc69230c3a7ea3c726209c29983b26cd9c0f908d302a754c813f2b03b1608a
90. - bbba62fd27ddca3936108c7a7528fd6f7ffd36de5426f345efd67071752da7cd
91. - c4666a49eebe8c110cd96e5c7a158dab93ce5dcec67a82d148e3e3c691ced74e
92. - d01e2855e1ec680ec524223de287fcdae55b6e5bcf6fd75b29323291ed3f38b9
93. - d69a6522331e3eed2b457dadfaadc15a063c199edd53189068990424fc5a1aa2
94. - d97b51ddc7d0a774fe90eb28f414a01f8d4fc6f4884d48cea952f0fafd634c68
95. - dd9adf52e33980df9ebb82672e2dac9481216b7a1f43c99b4d3fc6b0e0ca1e99
96. - e0d95fb5cdc39ae78f0ec651050285bac678c0314c2de07b34a361a93a6c464e
97. - e9abcecf77c0c55f725bfe2c433428c3223254c94646b68acdda4f3bfd08f37c
98. - f017946be3eebc95390540a4346eb8d35872492e9d0635b04acc3f747930e8a8
99.  
100. - NOTE: All the above DLL files run with: Regsvr32.exe [filename]
101.  
102. TWO LOCATIONS NOTED FOR THE ICEDID INSTALLER DLL FILES:
103.  
104. - C:\ProgramData\1.tmp
105. - C:\Users\[username]\AppData\Local\Temp\main.theme
106.  
107. TRAFFIC CAUSED BY ICEDID INSTALLER DLL:
108.  
109. - port 443 - support.apple.com
110. - port 443 - support.microsoft.com
111. - port 443 - help.twitter.com
112.  
113. - 159.89.174[.]73 port 443 - ldrfoxtrot[.]casa
114. - 194.5.249[.]184 port 443 - ldrvals[.]casa