Research by Ashwin Vamshi and Abhijit Mohanta
- IcedID appears to be taking the place of Emotet, based on a significant influx of samples in our threat intelligence systems
- A majority of these IcedID samples are distributed via xlsm files attached to emails
- We’ve identified three ways these Excel 4 Macros are evading detection
Uptycs’ threat research team has observed an ongoing IcedID campaign heavily using Microsoft Excel xlsm documents with Excel 4 Macros and techniques to hinder analysis. Xlsm supports the embedding of Excel 4.0 Macros formulas used in Excel spreadsheet cells. Attackers leverage this functionality to embed arbitrary commands, which usually download a malicious payload from the URL using the formulas in the document.
In this piece, we’ll provide an analysis on our discovery of the ongoing campaign via Uptycs’ threat intelligence.
IcedID, also known as BokBot, is a modular banking trojan that targets user financial information and is capable of acting as a dropper for other malware. In a three month span, we have observed over 15,000 HTTP requests from malicious documents, the majority of which were Microsoft Excel spreadsheets carrying an extension.
Based on this increasing trend, we believe that IcedID will emerge as an incarnation of Emotet after its disruption. IcedID has also been recently reported to deploy ransomware operations, moving towards a malware-as-a-Service (MaaS) model to distribute malware.
Threat Intelligence Analysis
Our in-house threat intelligence systems provide us intelligence on the latest threats, threat actors and campaigns through an osquery-based sandbox. The threat research team regularly monitors these systems to ensure robust coverage, also ingesting the latest intelligence and indicators into our integrated Threat Intelligence provided in the Uptycs Security Analytics Platform.
From January 1, 2021 through March 31, 2021, we identified over 15,000 HTTP requests from over 4,000 similar malicious documents (see Figure 1).
Figure 1: Threat Intelligence system HTTP requests cluster. (Click to see larger version.)
93% of these malicious office documents belong to a Microsoft Excel spreadsheet file carrying extensions xls or xlsm (see Figure 2).
Figure 2: Malicious document types.
The Microsoft Excel spreadsheet files (.xlsm, xls) were carrying the names:
- complaint and compensation claim
These files appeared with randomly appended names like Claim_331903057_03292021.xlsm.
The http request of the malicious documents consisted of a second stage executable file (PE - EXE/DLL) with a fake extension dat, jpg and gif (see Figure 3).
Figure 3: Second stage PE file with fake extensions like dat,gif and jpg.
The fake extensions were the second stage payload of Qakbot and IcedID malware families. Qakbot and IcedID are generally distributed via email lures containing malicious office documents as an attachment. The next stage executables (PE - EXE/DLL) are downloaded via compromised websites with fake extensions.
Technical Analysis: XLSM Files Excel 4.0 Macros
A majority of these Microsoft Excel spreadsheet documents were in xlsm format. One such xlsm document that recently hit our in-house osquery-based sandbox was titled, “Claim_331903057_03292021.xlsm” (Hash - 43226874cd34010fa7c8286974174b5e261677ed0b48ed0632903112f68720a8).
Upon execution, the xlsm file presented a message to enable content to view the message.
Figure 4: Message Upon Execution of Claim_331903057_03292021.xlsm. (Click to see larger version.)
Enabling the content allows the embedded Excel 4 macro formulas to execute. Upon investigation we identified three interesting techniques used to hinder analysis:
- Hiding macro formulas in three different sheets
- Masking the macro formula using a white font on white background
- Shrinking the cell contents and making the original content invisible
Figure 5: Hidden macro found in Claim_331903057_03292021.xlsm. (Click to see larger version.)
Upon unmasking the anti-analysis techniques, the Excel 4 macro formula used for downloading the IcedID loader payloads was revealed.
Figure 6: Unhidden XLM 4 macros - the IcedID payload URL’s. (Click to see larger version.)
The macros which are distributed across various cells download three DLL files with the .dat extension from the command-and-control (C2) servers to “C:\Users\Admin” - Hodas.vyur, Hodas.vyur1 and Hodas.vyur2. These DLL files are executed using - "rundll32 DllName, DllRegisterServer".
The IcedID loader then retrieves information about the victim PC and sends it over the C2 server in an encoded form, as shown in Figures 7 and 8.
Figure 7: IcedID loader encoding routine.
Figure 8: IcedID loader http request headers. (Click to see larger version.)
The http headers translate to the following:
- _gat= NativeSystemInfo
- _u= UserName
- _gid= AdaptersInfo
Uptycs’ EDR capabilities detected this attack with a threat score of 10/10 as shown in the figure below.
Figure 9: Uptycs EDR detection of the IcedID xlsm file. (Click to see larger version.)
Given our recent observations, we believe that IcedID will emerge as an incarnation of Emotet, moving towards a Malware-as-a-Service (MaaS) model to distribute malware. We recommend the following measures for enterprise users and administrators to identify and protect against such attacks:
- Deploy a multi-layered and real-time detection solution to label, classify, score and prioritizes incidents.
- Regularly monitor the suspicious processes, events, and network traffic spawned on the execution of any suspicious documents arriving from untrusted sources.
- Always be cautious in opening documents from unknown or untrusted sources.
- Keep systems updated with the latest releases and patches.
Credits: Thanks to our Uptycs Team members Rohit Bhagat for making enhancements with clustering in our threat intelligence portal and Siddharth Sharma for the analysis.