Since the takedown of the Emotet malware operation in January by law enforcement agencies, security researchers have watched the malware landscape closely, wondering if another trojan would take up the slack. It appears that IcedID is making an effort to fill the void Emotet left, using rigged Excel spreadsheets as the delivery mechanism in a campaign that has been ongoing since the beginning of the year.
IcedID is not a new entrant on the malware scene by any means. It’s been in circulation for several years and in the past it has been part of the extended Emotet universe. Emotet often was used as an installer and conduit for other malware attacks, and in some campaigns attackers would use it to install IcedID after the initial infection. Like other banking trojans, IcedID mainly exists to gather credentials for banking sites and other targeted sites that the attackers can then use. There are a number of different versions of the malware and IcedID has numerous capabilities, including process injection and process hooking, and it has been used by several high-level cybercrime groups in the last few years.
Recently, researchers at Uptycs, a security analytics firm, have seen a large volume of malicious Microsoft Excel sheets that contain hidden malicious code that, when triggered through a macro, will eventually lead to a download of IcedID. Since Jan. 1, the Uptycs researchers identified more than 15,000 HTTP requests to the IcedID command-and-control servers from more than 4,000 of the malicious spreadsheets. The Excel files typically have a name designed to entice victims to open them, including words such as “claim”, “overdue”, or “refusal”.
Victims who do open the files will see a screen instructing them to enable macros in order to see the full contents of the sheet. When macros are enabled, the malicious formula embedded in the sheet will execute. The malware authors have used several different techniques to hide the formula itself, including writing it in white text on a white background.
“The macros which are distributed across various cells download three DLL files with the .dat extension from the command-and-control (C2) servers to 'C:\Users\Admin' - Hodas.vyur, Hodas.vyur1 and Hodas.vyur2. These DLL files are executed using - 'rundll32 DllName, DllRegisterServer',” an analysis of the campaign by Uptycs researchers Ashwin Vamshi and Abhijit Mohanta says.
“The IcedID loader then retrieves information about the victim PC and sends it over the C2 server in an encoded form.”
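The rundll32 execution pattern Uptycs describes is something a detection engineer can check for in process-creation telemetry. The following is an added example, not code from the article or the Uptycs analysis: it scans constructed Sysmon-style events (a simple 'Key=Value|Key=Value' line format assumed here) and flags rundll32 loading a non-.dll module from a user profile directory via DllRegisterServer. The file names and path are those quoted above; the Excel parent process is an assumption based on the macro launching the loader.

```python
import re
from dataclasses import dataclass

# Office binaries that should rarely spawn rundll32 directly (assumed list).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Matches 'rundll32[.exe] <module>, <export>' with an optionally quoted module path.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<module>[^\",]+?)\"?\s*,\s*(?P<export>\w+)",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry). Two follow the campaign's
# pattern; the third is a benign rundll32 invocation from Explorer.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32 C:\\Users\\Admin\\Hodas.vyur, DllRegisterServer",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32 C:\\Users\\Admin\\Hodas.vyur1, DllRegisterServer",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
]

@dataclass
class Finding:
    module: str
    export: str
    reasons: list

def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def analyze(event: dict):
    """Return a Finding for a suspicious rundll32 launch, else None."""
    m = RUNDLL_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    module, export = m.group("module").strip(), m.group("export")
    reasons = []
    if export.lower() == "dllregisterserver" and not module.lower().endswith(".dll"):
        reasons.append("DllRegisterServer called on a module without a .dll extension")
    if module.lower().startswith("c:\\users\\"):
        reasons.append("module loaded from a user-writable profile directory")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"rundll32 spawned by Office application {parent}")
    return Finding(module, export, reasons) if reasons else None

def scan(lines):
    """Run analyze() over raw event lines and keep only the findings."""
    return [f for f in (analyze(parse_event(line)) for line in lines) if f]
```

Each finding carries every rule it tripped, so a single rule firing (e.g. an installer legitimately registering a DLL from a user directory) can be triaged at a lower severity than all three together.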
In a separate campaign identified by Microsoft, attackers are using emails generated by the contact forms on company websites to send links to Google sites that ask victims to sign in with their Google credentials. Once that's done, the site will download a zip file that includes code that will eventually download IcedID.
"In this campaign, we tracked that the malicious email that arrives in the recipient’s inbox from the contact form query appears trustworthy as it was sent from trusted email marketing systems, further confirming its legitimacy while evading detection. As the emails are originating from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry," Microsoft's 365 Defender Threat Intelligence Team said.
As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.
This campaign is using the threat of legal action, along with the legitimate Google URL to add urgency and legitimacy to the messages.
In the past, IcedID has mainly been used in campaigns targeting victims in North America, and it has functioned as a banking trojan. Although it has some connections to other pieces of malware, it has not typically functioned as a dropper, as Emotet did. Emotet would often install either IcedID or Trickbot and it was also used as a conduit for the Ryuk ransomware. But with Emotet off the board, IcedID could be primed to make an entry into the malware-as-a-service realm.
“Given our recent observations, we believe that IcedID will emerge as an incarnation of Emotet, moving towards a Malware-as-a-Service (MaaS) model to distribute malware,” Vamshi and Mohanta said.