2020-07-28 (Tuesday) - TA551 word docs pushing IcedID (Bokbot)

2020-07-28 (TUESDAY) TA551 WORD DOCS PUSH ICEDID (BOKBOT)

REFERENCE:

- https://twitter.com/malware_traffic/status/1288207411824795653

NOTES:

- More info about TA551 (Shathak) distribution is found in my blog for Valak at Palo Alto Networks: https://unit42.paloaltonetworks.com/valak-evolution/

- Instead of pushing Valak with IcedID as follow-up malware, TA551 has been pushing IcedID for English-speaking victims since 2020-07-14, documented at https://isc.sans.edu/forums/diary/Word+docs+with+macros+for+IcedID+Bokbot/26352/ and nearly every weekday since then.

- Today, the TA551 (Shathak) campaign in some cases used cURL to retrieve the IcedID installer DLL, but in others examples it did not use cURL.

- All the files below have been submitted to bazaar.abuse.ch

- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

22 EXAMPLES OF WORD DOCS WITH MACRO FOR ICEDID INSTALLER DLL:

- 039656f8243e9e537900ba68d8423c4d7184ee10c674aa3b27f91036d455f5e7  legal paper_07.20.doc
- 0870014bc562398f6abd9f7f696125fe3011514b3f00aee681c26332ed54dbff  deed contract 07.28.2020.doc
- 12b06f5a1fc87d6dd87d27f757ad8459326ed14cd8281322a286eb2e7746ba3a  material-07.28.2020.doc
- 218b4a719235caf750e6fda2dc3229e3b8b1fcd356bb8eab9595d5a386b92abe  specifics-07.20.doc
- 2707b436f988971e1815829709757c8d16deb127754dc28ccbed5e84e108da0a  statistics,07.20.doc
- 28bb801aa3dd211f9523f177a9ae26f92be2f231d772fced6d3f820336771efe  dictate,07.28.2020.doc
- 387cdfcf67b4da48cc776beac716cc23f7df5a76070ea7a194cb51289a6b5deb  direct.07.20.doc
- 4a32f27e6f5a8eabed71deea02e7b1376e51773df279057a186afec4a2383430  rule.07.20.doc
- 58d2da9734e0b24325d6ba4a98192c63acc9777030b46b978e02a1de94a9bebe  inquiry_07.20.doc
- 5d6d0b4724435390f4b7cee53818d57de355e9fce908fc9eba3eb94e827f10d9  inquiry-07.20.doc
- 728ebe4d9c2159cde89df4c7d8d231f355140cec8c62f87a1426ea1dbdad785d  bid 07.28.20.doc
- 8d75e83e570e8faba7bfaf17b7d836d35681cd45e0bcf5366e29381fefb04dc1  legal paper_07.28.2020.doc
- 8e382b34276f8a42ee4c136c43ecbdff7c060c82995cac7bb1bc00413d5bcaae  question,07.20.doc
- ae04de29b06fa33bd3a227ed6408254fe82916fa057f009ed355a04d86573ace  docs-07.20.doc
- b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1  document,07.20.doc
- ce10adcc2ae1459b5beadb88a408d2825f272006c648d3b353a9ed1d53b7ebb9  documents 07.28.2020.doc
- cf2f969423de372c2649bade9139afed3a8fd277a51902f34a3b14567e7467c7  facts_07.20.doc
- d20708c9395310f9fcf5d1bc735378e1bddfdbd54efc4ef569edf65a6034657b  details_07.28.2020.doc
- d77845f1806ae94b32e01192ab65493548fec4cdedc02c0f0c89053eb06aa215  details,07.20.doc
- dee2b395158c42d849060164f4132ddef7c3aa33288b0ae6775fd88c746be6ed  enjoin-07.20.doc
- e7c1916efb3298b5f4537e195aa957664971e19f29561863c3751275006d631d  report-07.20.doc
- e83da5fd9fb4d4c4a7e48bdaba482d024787a31d4ddf4d3fc5ed4b3fb7554a59  docs_07.28.20.doc

AT LEAST 10 DOMAINS HOSTING ICEDID INSTALLER DLL:

- 0uso87[.]com - 185.239.51[.]217
- 60c4wn[.]com - 185.119.57[.]20
- 8cfayv[.]com - 92.63.98[.]49
- apc846[.]com - 92.63.98[.]141
- c3au3r[.]com - 89.191.227[.]140
- qzg0oi[.]com - 92.63.98[.]30
- ycjjvl[.]com - 185.239.50[.]118
- yt549w[.]com - 89.191.225[.]190
- vkr0bt[.]com - 82.146.41[.]87
- zgo2ze[.]com - 185.239.50[.]116

HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:

- GET /bolb/jaent.php?l=liut1.cab
- GET /bolb/jaent.php?l=liut2.cab
- GET /bolb/jaent.php?l=liut3.cab
- GET /bolb/jaent.php?l=liut4.cab
- GET /bolb/jaent.php?l=liut5.cab
- GET /bolb/jaent.php?l=liut6.cab
- GET /bolb/jaent.php?l=liut7.cab
- GET /bolb/jaent.php?l=liut8.cab
- GET /bolb/jaent.php?l=liut9.cab
- GET /bolb/jaent.php?l=liut10.cab
- GET /bolb/jaent.php?l=liut11.cab
- GET /bolb/jaent.php?l=liut12.cab
- GET /bolb/jaent.php?l=liut13.cab
- GET /bolb/jaent.php?l=liut14.cab
- GET /bolb/jaent.php?l=liut15.cab

22 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL:

- 082c37029ae98221ceb74eda3ff2ca6466dabb49080ce0343a7463699ea451bd
- 1226f06efc6ec7de3acc3612bb777846643361a09d226c41bf4ef745c1a34683
- 252aae7a965a2fbb2bb5e1d51a1da836fec68bbe7552ad8c5134a3a1ee873af3
- 2a40ab63e0da2da3c16ecbee0eab68f7572fb765788f87f9d5c446994bb7cd24
- 327e74266c32db3be1a8d97680808dae8eca9ece47e54a0a2dd3d05bd82e0229
- 4034c710ef15fc9f912432d31817bd98a100d909c1c97b09dbcf58c8ca6b9d81
- 47300c5428551b47d47e40c1e0b96460b2a0d4f5b370db241892381cece57260
- 49545ac232947f35d2a9e0e32bd8c106f188b2b4fe412f6a492af3ee928fbd5e
- 4cd6ca9e36b8871754a3904018d67cff4ce8b0cf78b07c906a73962e0b26be46
- 5b70013de8ecc7b8abeb19d8f79778a9ce359a4c107f109f315633fc67839155
- 6a9a322e68a49edc6def678051843ad3fdb2be385de2f9cc924309daaa9e1dd6
- 9faabefae513e08168beb59d0c43bb808e0e1a1f5db0ecd84ca38190887228c5
- badc69230c3a7ea3c726209c29983b26cd9c0f908d302a754c813f2b03b1608a
- bbba62fd27ddca3936108c7a7528fd6f7ffd36de5426f345efd67071752da7cd
- c4666a49eebe8c110cd96e5c7a158dab93ce5dcec67a82d148e3e3c691ced74e
- d01e2855e1ec680ec524223de287fcdae55b6e5bcf6fd75b29323291ed3f38b9
- d69a6522331e3eed2b457dadfaadc15a063c199edd53189068990424fc5a1aa2
- d97b51ddc7d0a774fe90eb28f414a01f8d4fc6f4884d48cea952f0fafd634c68
- dd9adf52e33980df9ebb82672e2dac9481216b7a1f43c99b4d3fc6b0e0ca1e99
- e0d95fb5cdc39ae78f0ec651050285bac678c0314c2de07b34a361a93a6c464e
- e9abcecf77c0c55f725bfe2c433428c3223254c94646b68acdda4f3bfd08f37c
- f017946be3eebc95390540a4346eb8d35872492e9d0635b04acc3f747930e8a8

- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

TWO LOCATIONS NOTED FOR THE ICEDID INSTALLER DLL FILES:

- C:\ProgramData\1.tmp
- C:\Users\[username]\AppData\Local\Temp\main.theme

TRAFFIC CAUSED BY ICEDID INSTALLER DLL:

- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com

- 159.89.174[.]73 port 443 - ldrfoxtrot[.]casa
- 194.5.249[.]184 port 443 - ldrvals[.]casa