Visa's payment fraud disruption team is warning of a recently uncovered digital skimmer called "Baka" that is stealing payment card data from e-commerce sites while hiding from security tools.
Researchers discovered the malicious code while examining a command-and-control infrastructure that previously hosted the ImageID skimmer.
Although Baka functions similarly to other JavaScript skimmers, the Visa fraud team found that this malicious code is able to load dynamically into e-commerce sites and then hide from security tools using obfuscation techniques, according to the Visa alert.
The Baka skimmer has been found in "several merchant websites across multiple global regions," the alert notes, but it does not provide further details.
"The most compelling components of this kit are the unique loader and obfuscation method," the Visa alert notes. "The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. ... This skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with developer tools or when data has been successfully exfiltrated."
How Baka Works
The Visa alert does not indicate how Baka is initially delivered to a network. But the report notes that the malicious code is hosted on several suspicious domains, including: jquery-cycle[.]com, b-metric[.]com, apienclave[.]com, quicdn[.]com, apisquere[.]com, ordercheck[.]online and pridecdn[.]com.
Once the initial infection takes hold, the skimmer is uploaded through the command-and-control server, but the code loads in memory. This means the malware is never present on the targeted e-commerce firm's server or saved to another device, helping it to avoid detection, according to the alert.
"The skimming payload decrypts to JavaScript written to resemble code that would be used to render pages dynamically," according to Visa.
Once embedded in an e-commerce site's checkout page, the skimmer begins to collect payment and other customer data from various fields and sends the information to the fraudsters' command-and-control server, Visa notes.
Once data exfiltration is complete, Baka performs a "clean-up" function that removes the skimming code from the checkout page, according to the alert. This also helps ensure that JavaScript is not spotted by anti-malware tools.
Visa's analysts found that the operators behind Baka use an XOR cipher as a way to obscure the malicious code and further hide it from detection, according to the alert.
"While the use of an XOR cipher is not new, this is the first time Visa has observed its use in JavaScript skimming malware," according to the alert.
Mitigating risks
The Visa alert advises e-commerce merchants to take several steps to mitigate skimming risks, including:
Run regular checks to determine if any code is attempting to communicate with a known command-and-control server;
Check code added through a service provider;
Vet content delivery networks and other third parties that have access to the checkout function;
Update and patch any software or services used on checkout sites and consider adding a firewall;
Limit access to online administrative portals and ensure that those with access use strong passwords.
Other Skimming Attacks
In November 2019, Visa researchers uncovered another type of skimmer called Pipka that had the ability to remove itself from the HTML of a compromised payment website after it executed, enabling it to avoid security detection (see: New JavaScript Skimmer Found on E-Commerce Sites).
Other security researchers have more recently warned about ongoing attacks against e-commerce websites using malicious JavaScript to steal payment card data.
For example, in August, security firm Group-IB warned of a cybercriminal gang called "UltraRank" that is using malicious code to skim payment card data and then selling that information to others on its own underground site (see: 'UltraRank' Gang Sells Card Data It Steals).
On November 19 2019, Malwarebytes announced its participation in a joint effort to stop invasive digital surveillance: the Coalition Against Stalkerware.
For years, Malwarebytes has detected and warned users about the potentially dangerous capabilities of stalkerware, an invasive threat that can rob individuals of their expectation of, and right to, privacy. Just like the domestic abuse it can enable, stalkerware also proliferates away from public view, leaving its victims and survivors in isolation, unheard and unhelped.
The Coalition Against Stalkerware is the next necessary step in stopping this digital threat—a collaborative approach steered by the promise of enabling the safe use of technology for everyone, everywhere. The coalition includes representatives from cybersecurity vendors, domestic violence organizations, and the digital rights space.
Our coalition’s founding members are Malwarebytes, Avira, Kaspersky, G Data, Norton Lifelock, National Network to End Domestic Violence, Electronic Frontier Foundation, Operation Safe Escape, WEISSER Ring, and the European Network for the Work with Perpetrators of Domestic Violence. Martijn Grooten, editor of Virus Bulletin, is serving as a special advisor.
Already, the coalition has produced results.
In the past month, both Malwarebytes and Kaspersky shared research and intelligence on stalkerware with one another. This exchange has improved the detection rate for both our products, but more than that, it has improved the safety of users everywhere.
Further, coalition members have taken on the task of defining stalkerware and creating its detection criteria, crucial steps in empowering the cybersecurity industry to better understand this threat and how to fight it.
Finally, the coalition’s website, StopStalkerware.org, includes information for domestic abuse survivors and advocates, including links to external resources, information about state laws, recent news articles, and survivors’ stories.
With this group, we are making a call to the broader cybersecurity industry: If you have ever made a promise to protect people, now is the time to uphold that promise. Stalkerware is a known, documented threat, and you can help stop it.
In this effort, we’ve analyzed more than 2,500 samples of programs that had been flagged in research algorithms as potential monitoring/tracking apps or spyware. We grew our database of known monitoring/spying apps to include more than 100 applications that no other vendor detects and more than 10 that were, as of October 1, still on the Google Play Store.
We are proud of our work, but we cannot ignore an important fact—it was not conducted in isolation.
Our blogs relied on the expertise of several domestic abuse advocates, along with the published work of researchers in intimate partner violence and digital rights. Our invitations to local community justice centers were as much about presenting as they were about learning. Our meetings with local law enforcement taught us about difficulties in collecting evidence of these invasive apps, and how domestic abusers can slip through the cracks of legal enforcement.
Every time we reached out, we learned more and we improved. With the Coalition Against Stalkerware, we hope to deepen these efforts.
At least two companies may have been dealt even more damage than the shipping giant, which lost nearly its entire global IT infrastructure.
The unprecedented 2017 NotPetya malware attack on global shipping giant Maersk has been well documented, but according to the organization's top cybersecurity executive, several other companies suffered equally if not even more devastating damage but have yet to publicly reveal the incidents.
Speaking at Black Hat Europe 2019, A.P. Moller Maersk A/S Chief Information Security Officer Andrew Powell said he believes globally approximately 600 companies were damaged by NotPetya around the time of the Maersk attack. Powell said that's because the source of the attackswas traced back to an application called M.E.Doc, a financial application that the Ukrainian government essentially requires any company to use if it is doing business in the country.
According to published reports, NotPetya was the key element in a nation-state-sponsored cyberattack campaign targeting the government of Ukraine. Instead, the malware proved to be far more virulent.
"Any company doing business in Ukraine and filing a tax return [in 2017] was hit," Powell said. "Very big companies in the U.S. got hit hard, two of them harder than us." Powell declined to name the companies and did not elaborate on how he came to know about these other organizations' NotPetya incidents. All told, estimates indicate the attack and recovery effort have cost Maersk nearly $300 million to date.
Published reports indicate NotPetya wreaked havoc all over the globe in nearly all industries. In the U.S., pharmaceutical giant Merck and shipping giant FedEx both lost more than $300 million from NotPetya as a result of cleanup and lost business.
Powell, a longtime information security executive, previously worked as a vice president for Capgemini, and spent nearly 30 years with the United Kingdom Royal Air Force, including serving as its CIO.
"We weren't alone," Powell said. "Maersk is one of the few companies that has been transparent about what happened. We haven't tried to disguise it or shy away from it."
An argument could be made, however, that Maersk had little choice. The Copenhagen-based shipping company, which transports approximately 20% of all global shipments, found itself virtually paralyzed by NotPetya in a matter of minutes.
Maersk NotPetya attack: What happened In retrospect, Powell said, Maersk wasn't well prepared to cope with an attack as sophisticated and crippling as NotPetya. In early 2017, he said, its cybersecurity maturity, like many manufacturing and logistics companies, was relatively low. Even though digital processes had become critical to Maersk's day-to-day operations, computer networks and server infrastructure weren't considered mission critical; what really mattered, according to the company, was its high-profile physical assets such as ports, ships, and shipping containers. Hence digital assets were minimally protected.
So once a Maersk user in its Odessa office was infected, it spread through the Maersk global network faster than anyone imagined possible.
"Within seven minutes," Powell said, "most of the damage was done."
And that damage was staggering. According to Powell, NotPetya destroyed 49,000 laptops, more than 1,000 applications, all printing and file-sharing systems were knocked offline, its enterprise service bus and VMware vCenter cloud-management servers were ruined, and its DHCP and Active Directory servers were rendered useless.
What proved to be especially devastating, Powell added, was that both its primary and backup Active Directory systems were taken out, a scenario Maersk never thought possible. "[NotPetya] was designed to destroy online backups specifically, preventing recovery using online backup methods," Powell said. "We had no copies of our Active Directory. We thought we had nothing to restart the network with."
How Maersk recovered Fortunately, a stroke of good luck came when IT leaders learned that the company's Lagos office had suffered a power outage during the NotPetya attack. Its IT systems – including its copy of the company's Active Directory – were undamaged. The Lagos AD node was physically removed, flown to Copenhagen, and used to rebuild the rest of the network. However, the AD recovery process alone took more than a week. Clearly, Powell said, it was a scenario Maersk should have planned for. "Nine days for an Active Directory recovery isn't good enough," Powell said. "You should aspire to 24 hours; if you can't, then you can't repair anything else."
Meanwhile, during that time, Maersk had no way of knowing what was in its millions of shipping containers worldwide, or how to deliver them to their destinations. The result was a massive cascade of supply chain disruptions that rippled around the world. One well-known European retailer, Powell noted as an example, depends on Maersk for nearly all its shipments. In the wake of NotPetya, the retailer risked running out of clothes to sell in its stores.
The company's physical command-and-control recovery processes were far more capable, and Powell said the company initiated those processes to quickly retain control of its kinetic assets, prioritizing management of its temperature-controlled shipments.
From an IT perspective, Powell was surprised the solution that proved to be most helpful during the recovery was WhatsApp. Employees quickly connected with each other on their personal mobile devices, and used WhatsApp groups to share information, discuss problems, develop solutions, and share with others to put them into action.
"The employees created groups around the way they operated," Powell said, adding that it proved to be a silver lining following the incident. "We used WhatsApp to help rebuild our business processes, and ultimately the attack helped us redesign our business."
Lessons learned Powell, who joined Maersk in June 2018 following the attack, said perhaps the most important lesson learned was that organizations must direct more IT resources into system recovery, especially offline backup capabilities. "Trust me, it is the best thing to invest in," Powell said, "because high-level nation-state cyberweapons will take out everything you have online."
Maintaining and ensuring data integrity must also be a focus of cybersecurity programs. Powell also said that attackers increasingly value data over infrastructure, and while any given attack campaign may appear focused on destroying data, the reality is that adversaries increasingly realize there is more value in simultaneously stealing the data and selling it later to the highest bidder.
Powell said specific technologies that Maersk has found to benefit from employing post-attack include endpoint detection and response, privileged access management, and a threat intelligence platform. Beyond any particular product, however, Maersk seeks to make cybersecurity a core tenant of its global day-to-day operations. As part of that effort, every employee in the company is now trained on cybersecurity, including what to do during a cybersecurity crisis.
"In Danish, safety and security is the same word," Powell said. "So it makes sense to put cybersecurity into our safety mindset. And that's really paying off for us."
Powell noted that while Maersk has dramatically improved its cybersecurity posture since the NotPetya attack, it is critical to understand that Maersk or any other organization could be hit with a similarly debilitating cyberattack at any time. Not only are nation-state-level cyberweapons falling into the hands of proxy adversaries, but these adversaries are probably already inside of most organizations, he said. "We have recognized at least three [nation-states] that have used a proxy to get into our network in the past six months, and they're doing that all around the globe."
By Eric Parizo, Senior Analyst, Ovum (DarkReading.com)
Security firm Proofpoint recentlypublished a reportabout a series of malspam campaigns they attribute to a threat actor called TA2101. Originally targeting German and Italian users with Cobalt Strike and Maze ransomware, the later wave of malicious emails were aimed at the US and pushing the IcedID Trojan.
During our analysis of this spam campaign, we noticed changes in how the payload was implemented, in particular with some code rewritten and new obfuscation. For example, the IcedID Trojan is now being delivered viasteganography, as the data is encrypted and encoded with the content of a valid PNG image. According to our research, those changes were introducedin September 2019(whilein August 2019the old loader was still in use).
The main IcedID module is stored without the typical PE header and is run by a dedicated loader that uses a custom headers structure. Our security analyst @hasherezade previously described this technique in a talk at the SAS conference (Funky Malware Formats).
In this blog post, we take a closer look at these new payloads and describe their technical details.
Distribution
Our spam honeypot collected a large number of malicious emails containing the “USPS Delivery Unsuccessful Attempt Notification” subject line.
Each of these emails contains a Microsoft Word document as attachment allegedly coming from the United States Postal Service. The content of the document is designed to lure the victim into enabling macros by insinuating that the content had been encoded.
Having a look at the embedded macros, we can see the following elements:
There is a fake error message displayed to the victim, but more importantly, the IcedID Trojan authors have hidden the malicious instructions within a UserForm as labels.
The labels containing numerical ASCII values
The macro grabs the text from the labels, converts it, and uses during execution:
67,58,92,87,105,110,100,111,119,115,92,84,101,109,112,92,101,114,101,100,46,116,109,112
converts to: C:\Windows\Temp\ered.tmp
The file wordupd.tmp is an executable downloaded with the help of the URLDownloadToFileA function, saved to the given path and run. Moving on, we will take a closer look at the functionality and implementation of the downloaded sample.
Behavioral analysis
As it had before, IcedID has been observed making an injection intosvchost, and running under its cover. Depending on the configuration, it may or may not download other executables, includingTrickBot.
Dropped files
The malware drops various files on the disk. For example, in %APPDATA%, it saves the steganographically obfuscated payload (photo.png) and an update of the downloader:
It also creates a new folder with a random name, where it saves a downloaded configuration in encrypted form:
Inside the %TEMP% folder, it drops some non-malicious helper elements:sqlite32.dll(that will be used for reading SQLite browser databases found in web browsers), and a certificate that will be used for intercepting traffic:
Looking at the certificate, we can see that it was signed by VeriSign:
Persistence
The application achieves persistence with the help of a scheduled task:
The task has two triggers: at the user login and at the scheduled hour.
Overview of the traffic
Most of the traffic is SSL encrypted. We can also see the use of websockets and addresses in a format such as “data2php?<key>“, “data3.php?<key>“.
Attacking browsers
The IcedID Trojan is known as a banking Trojan, and indeed, one of its important features is the ability to steal data related to banking transactions. For this purpose, it injects its implants into browsers, hooks the API, and performs aMan-In-The-Browser attack.
Inside the memory of the infectedsvchostprocess we can see the strings with the configuration for webinjects. Webinjects are modular (typically HTML and JavaScript code injected into a web page for the purpose of stealing data).
Webinjects configuration in the memory of infected svchost
The core bot that runs inside the memory ofsvchostobserves processes running on the system, and injects more implants into browsers. For example, looking at Mozilla Firefox:
The IcedID implant in the browser’s memory
By scanning the process withPE-sieve, we can detect that some of the DLLs inside the browser have been hooked and their execution was redirected to the malicious module.
In Firefox, the following hooks have been installed:
A different set was observed in Internet Explorer:
mswsock : hook_0[7852]->525d0[implant_code+15d0]
ws2_32.dll : connect->152728[implant_code+1728]
The IcedID module running inside the browser’s memory is responsible for applying the webinjects installing malicious JavaScripts into attacked pages.
Fragment of the injected script
The content of the inlined webinject script is available here:inject.js.
It also communicates with the main bot that is inside thesvchostprocess. The main bot coordinates the work of all the injected components, and sends the stolen data to the Command and Control server (CnC).
Due to the fact that the communication is protected by HTTPS, the malware must also install its own certificate. For example, this is the valid certificate for the Bank of America website:
And in contrast, the certificate used by the browser infected by IcedID:
The detailed analysis of this payload can be found here: [1][2][3].
The old loader vs. new
The loader of the previous version of the IcedID Trojan was described in detailhere, andhere. It was a packed PE file that used to load and inject a headerless PE.
The main module was injected intosvchost:
The implants in the svchost’s memory
The implanted PE was divided into two sections, and the first memory page (representing the header) was empty. This type of payload is more stealthy than a full PE injection (as is more common). However, it was possible to reconstruct the header and analyze the sample like a normal PE. (An example of the reconstructed payload is available here:395d2d250b296fe3c7c5b681e5bb05548402a7eb914f9f7fcdccb741ad8ddfea).
The redirection to the implant was implemented by hooking theRtlExitUserProcessfunction within svchost’s NTDLL.
Whensvchosttried to terminate, it instead triggered a jump into the injected PE’s entry point.
The hooked RtlExitUserProcess redirects to payload’s EP
The loader was also filling the pointer to the data page within the payload. We can see this pointer being loaded at the beginning of the payload’s execution:
In the new implementation, there is one more intermediate loader element implemented as shellcode. The diagram below shows the new loading chain:
The shellcode has similar functionality that was previously implemented by the loader in form of a PE. First it injects itself intosvchost.
Then it decompresses and injects the payload, which as before is a headerless PE (analogical to the one describedhere).
Comparing the core
The implementation of the core bot is modified. Yet, inside the code we can find some strings known from the previous sample, as well as a similar set of imported API functions. We can also see some matching strings and fragments of implemented logic.
Fragment of the code from the old implementation
Analogical fragment from the new sample:
Fragment of the code from the new implementation
Comparing both reconstructed samples with the help of BinDiff shows that there are quite a few differences and rewritten parts. Yet, there are parts of code that are the same in both, which proves that the codebase remained the same.
Preview of the similar functionsPreview of different/rewritten functions
Let’s follow the execution flow of all the elements from the new IcedID package.
The downloader
In the current delivery model, the first element of IcedID is a downloader. It is a PE file, packed by a crypter. The packing layer changes from sample to sample, so we will omit its description. After unpacking it, we get the plain version:fbacdb66748e6ccb971a0a9611b065ac.
Internally, this executable is simple and no further obfuscated. We can see that it first queries the CnC trying to fetch the second stage, requesting for aphoto.png. It passes a generated ID to the URL. Example:
Fragment of the function responsible for generating the image URL
The downloader fetches the PNG with the encoded payload. The downloader loads the file, decodes it, and redirects the execution there. Below we can see the responsible function:
Once the PNG is downloaded, it will be saved on disk and can be loaded again at system restart. The downloader will turn into a runner of this obfuscated format. In this way, the core executable is revealed only in memory and never stored on disk as an EXE file.
The “photo.png” looks like a valid graphic file:
Preview of the “photo.png”
In this fragment of code, we can see that the data from the PNG (section starting from the tag “IDAT”) is first decoded to raw bytes, and then those bytes are passed to the further decoding function.
The algorithm used for decoding the bytes:
The PNG is decrypted and injected into the downloader. In this case, the decoded content turns out to be a shellcode module rather than a PE.
The downloader redirecting the execution into the shellcode’s entry point
The loader passes to the shellcode one argument; that is the base at which it was loaded.
The loader (shellcode)
As mentioned before, this stage is implemented as a position-independent code (shellcode). The dumped sample is available here:624afab07528375d8146653857fbf90d.
This shellcode-based loader replaced the previously described (sources: [1][2]) loader element that was implemented as a PE file. First, it runs within the downloader:
As we can see from the downloader’s code, the shellcode entry point must first be fetched from a simple header that is at the beginning of the decoded module. We see that this header stores more information that is essential for loading the next element:
As this module is no longer a PE file, its analysis is more difficult. All the APIs used by the shellcode are resolved dynamically:
The strings are composed on the stack:
To make the deobfuscation easier, we can follow the obfuscated flow with the help of a PIN tracer. The log from the tracing of this stage shows APIs indicating code injection, along with their offsets:
Indeed, the shellcode injects its own copy, passing its entry point to the APC Queue. This time, some additional parameters are added as a thread context.
Setting parameters of the injected thread
Once the shellcode is executed from insidesvchost, an alternative path to the execution is taken. It becomes a loader for the core bot. The core element is stored in a compressed form within the shellcode’s body. First, it is decompressed.
From previous experiments, we know that the payload follows the typical structure of a PE file, yet it has no headers. Often, malware authors erase headers in memory once the payload is loaded. Yet, this is not the case. In order to make the payload stealthier, the authors didn’t store the original headers of this PE at all. Instead, they created their own minimalist header that is used by the internal loader.
First, the shellcode finds the next module by parsing its own header:
The shellcode also loads the imports of the payload:
Below, we can see the fragment of code responsible for following the custom headers definition, and applying protection on pages. After the next element is loaded, execution is redirected to its entry point.
The entry point of the next module where the function expects the pointer to the data to be supplied:
The supplied data is appended at the end of the shellcode, and contains: the path of the initial executable, the path of the downloaded payload (photo.png), and other data.
Reconstructing the PE
In order to make analysis easier, it is always beneficial to reconstruct the valid PE header. There are two approaches to this problem:
Manually finding and filling all the PE artifacts, such as: sections, imports, relocations (this becomes a problem in if all those elements are customized by the authors, as inthe case of Ocean Lotus sample)
Analyzing in detail the loader and reconstructing the PE from the custom header
Since we have access to the loader’s code, we can go for the second, more reliable approach: Observe how the loader processes the data and reconstruct the meaning of the fields.
A fragment of the loader’s code where the sections are processed:
The custom header reconstructed based on the analysis:
Fortunately, in this case the malware authors customized only the PE header. The Data Directory elements (imports and relocations) are kept in a standard form, so this part does not need to be converted.
The converter from this format to PE is available here:
Interestingly, the old version of IcedID used a similar custom format, but with one modification. In the past, there was one more DWORD-sized field before the ImportDirector VA. So, the latest header is shorter by one DWORD than the previous one.
Looking inside the strings of this module, we can guess that this element is responsible for all the core malicious operations performed by this malware. It communicates with the CnC server, reads the sqlite databases in order to steal cookies, installs its own certificate for Man-In-The-Browser attacks, and eventually downloads other modules.
We can see that this is the element that was responsible for generating the observed requests to the CnC:
During the run, the malware is under constant supervision from the CnC. The communication with the server is encrypted.
String obfuscation
The majority of the strings used by the malware are obfuscated and decoded before use. The algorithm used for decoding is simple:
In order to decode the strings statically, we can reimplement the algorithm and supply to it encoded buffers. Another easier solution is a decoder that loads the original malware and uses its function, as well as the encoded buffers given by offset. Example availablehere.
Decoding strings is important for the further analysis. Especially because, in this case, we can find somedebug strings left by the developers, informing us about the actions performed by the malware in particular fragments of code.
A list of some of the decoded strings is availablehere.
Available actions
The overview of the main function of the bot is given below:
The bot starts by opening a socket. Then, it beacons to the CnC and initializes threads for some specific actions: MiTM proxy, browser hooking engine, and a backconnect module (backdoor).
It also calls to a function that initializes handlers, responsible for managing a variety of available actions. The full list:
By analyzing closer to the handlers, we notice that similar to the first element, the main bot retrieves various elements as steganographically protected modules. The function responsible for decoding PNG files is analogical to the one found in the initial downloader:
Those PNGs are used to carry the content of various updates for the malware. For example, an update to the list of URLs, but also other configuration files.
Execution flow controlled by the CnC
The malware’s backconnect feature allows the attacker to deploy various commands on the victim machine. The CnC can also instruct the bot to decode other malicious modules from inside that will be deployed in a new process. For example:
If the particular command from the CnC is received, the bot will decompress another buffer that is stored inside the sample and inject it into a new instance ofsvchost.
The way in which this injection is implemented reminds us of the older version of the loader. First, the buffer is decompressed with the help of RtlDecompressBuffer:
Then, memory is allocated at the preferred address 0x3000.
Some functions from NTDLL and other parameters will be copied to the structure, stored at the beginning of the shellcode.
We can see there are some functions that will be used by the shellcode to load another embedded PE.
Similar to in the old loader, the redirection to the new entry point is implemented via hook set on the RtlExitUserProcess function:
After the buffer gets decompressed, we can see another piece of shellcode:
This shellcode is an analogical loader of the headerless PE module. We can see inside the custom version of PE header that will be used by the loader:
The custom header, containing minimal info from the PE header
This element is an additional backdoor, deploying on demanda hidden VNC. It is also referenced by the authors by the name “HDESK bot” (Help Desk bot) because it gives the attacker direct access to the victim machine, as if it were a help-desk service. Converted to PE:2959091ac9e2a544407a2ecc60ba941b
The “HDESK bot” deploys ahidden VNCto control the victim machine
Below, we will analyze the selected features implemented by the core bot. Note that many of the features are deployed on demand—depending on the command given by the CnC. In the observed case, the bot was also used as a downloader of the secondary malware, TrickBot.
Installing its own certificate
The malware installs its own certificate. First it drops the generated file into the %TEMP% folder. Then, the file is loaded and added to the Windows certificate store.
Fragment of Certificate generation function:
Calling the function to add the certificate to store:
Stealing passwords from IE
We can see that this bot goes after various saved credentials. Among the different methods used, we identified stealing data from the Credential Store. The used method is similar to the one describedhere.
We can see that it uses the mentioned GUID “abe2869f-9b47-4cd9-a358-c22904dba7f7” that was used to salt the credentials. After reading the credentials from the store, the bot undoes the salting operation in order to get the plaintext.
Stealing saved email credentials
The bot is trying to use every opportunity to extract passwords from the victim machine, also going after saved email credentials.
Stealing cookies
As we observed during the behavioral analysis, the malware drops the sqlite3.dll in the temp folder. This module is further loaded and used to perform queries to browsers’ databases with saved cookies.
Fragment of code responsible for loading sqlite module
The malware searches the files containing cookies of particular browsers:
We can see the content of the queries after decoding strings:
SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
It targets Firefox, as well as Chrome and Chromium-based browsers:
The list of targeted Chromium browsers
Fragment of the code performing queries:
The list of queries to the Chrome’s database:
SELECT name, value FROM autofill
SELECT guid, company_name, street_address, city, state, zipcode, country_code FROM autofill_profiles
SELECT guid, number FROM autofill_profile_phones
SELECT guid, first_name, middle_name, last_name, full_name FROM autofill_profile_names
SELECT card_number_encrypted, length(card_number_encrypted), name_on_card, expiration_month || "/" ||expiration_year FROM credit_cards
SELECT origin_url,username_value,length(password_value),password_value FROM logins WHERE username_value <> ''
SELECT host_key, path, is_secure, (case expires_utc when 0 then 0 else (expires_utc / 1000000) - 11644473600 end), name, length(encrypted_value), encrypted_value FROM cookies
The list of queries to the Firefox’s database:
SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
All the found files are packed into a TAR archive and sent to the CnC.
Similarly, it creates a “passff.tar” archive with stolen Firefox profiles:
Hooking browsers
As mentioned earlier, the malware attacks and hooks browsers. Since the analogical functionality is achieved by different functions within different browsers, a set of installed hooks may be unique for each.
First, the malware searches for targets among the running processes. It uses the following algorithm:
It is similar to the one from the previous version (describedhere), yet we can see a few changes, i.e. the checksums are modified, and some additional checks are added. Yet, the list of the attacked browsers is the same, including the most popular ones: Firefox, MS Edge, Internet Explorer, and Chrome.
The browsers are first infected with the dedicated IcedID module. Just like all the modules in this edition of IcedID, the browser implant is a headerless PE file. Its reconstructed version is available here:9e0c27746c11866c61dec17f1edfd2693245cd257dc0de2478c956b594bb2eb3.
After being injected, this module finds the appropriate DLLs in the memory of the process and sets redirections to its own code:
Parsing the instructions and installing the hooks:
Then, the selected API functions are intercepted and redirected to the plugin. Usually the hooks are installed at the beginning of functions, but there are exceptions to this rule. For example, in case of Internet Explorer, a function within themswsock.dllhas been intercepted in between:
Looking at the elements in memory involved in intercepting the calls: the browser implant (headerless PE), and the additional memory page:
Example of the hook in Firefox:
Step 1: the functionSSL_AuthCertificateHookhas a jump redirecting to the implanted module:
Step 2: The implanted module calls the code from the additional page with appropriate parameters:
Step 3: The code at the additional page is a patched fragment of the original function. After executing the modified code, it goes back to the original DLL.
The functionality of this hook didn’t change from the previous version.
Webinjects
The bot gets the configuration from the CnC in the form of .DAT files that were mentioned before. First, the file is decoded by RC4 algorithm. The output must start from the “zeus” keyword, and is further encoded by a custom algorithm. Scripts dedicated for each site are identified by a script ID.
After the files are loaded and decoded, we can see the content:
There are multiple types of webinjects available to perform by the bot:
Depending on the configuration, the bot may replace some parts of the website’s code, or add some new, malicious scripts.
Executing remote commands
In case the commands implemented by the bot are not enough for the needs of the operator, the bot allows a feature of executing commands from the command line.
The output of the run commands is sent back to the malware via named pipe, and then supplied back to the CnC.
Mature banker and stealer
As we can see from the above analysis, IcedID is not only a banking Trojan, but a general-purpose stealer able to extract a variety of credentials. It can also work as a downloader for other modules, including covert ones, that look like harmless PNG files.
This bot is mature, written by experienced developers. It deploys various typical techniques, including Zeus-style webinjects, hooks for various browsers, hidden VNC, and backconnect. Its authors also used several known obfuscation techniques. In addition, the use of customized PE headers is an interesting bonus, slowing down static analysis.
In recent updates, the malware authors equipped the bot with steganography. It is not a novelty to see it in the threat landscape, but it is a feature that makes this malware a bit more stealthy.
