Recent IcedID (Bokbot) activity – SANS Internet Storm Center

IcedID (Bokbot) activity is described as thread-hijacked emails with PDFs linking to Google Firebase Storage hosting password-protected ZIP archives. The ZIP contains a digitally-signed EXE that installs IcedID on a Windows host, with persistence via scheduled tasks and a DLL loaded through rundll32, plus HTTPS-based C2 traffic to multiple domains. Hashtags: #IcedID #Bokbot #FirebaseStorage #SSLcom

Keypoints

  • IcedID is distributed via thread-hijacked emails with PDF attachments that push the malware.
  • PDFs contain links to Google Firebase Storage hosting password-protected ZIP archives used to deliver the payload.
  • The ZIP delivers a 64-bit EXE that is digitally signed by SSL.com and installs IcedID.
  • Persistence is achieved through a scheduled task and a persistent DLL loaded via rundll32.
  • C2 traffic is HTTPS-based to multiple domains/IPs (e.g., villageskaier.com, deadwinston.com) and includes BackConnect activity.
  • Reported IOCs include specific file names, hashes, and network indicators such as ZIP/DLL artifacts and URLs.

MITRE Techniques

  • [T1566.001] Phishing – Thread-hijacked emails with PDF attachments that push the malware.
  • [T1105] Ingress Tool Transfer – The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives.
  • [T1218.005] Signed Binary Proxy Execution – EXE is digitally-signed using a certificate issued by SSL.com.
  • [T1218.011] Rundll32 – Run method: rundll32.exe ,init --ashego="" to load the persistent DLL.
  • [T1053.005] Scheduled Task – Scheduled task to keep the IcedID infection persistent.
  • [T1071.001] Web Protocols – IcedID C2: HTTPS traffic to domains/IPs such as villageskaier.com and deadwinston.com.
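As an added defensive example (not code from the diary), the following Python helper flags process-creation command lines that match the two host-side shapes listed above: a DLL loaded through rundll32's init export with a long-form --name="" argument, and a reference to license.dat under AppData\Roaming. The DLL name, the usernames and the sample log lines are constructed, since the diary omits the DLL path.

```python
import re

# Indicator shapes taken from the diary: a DLL loaded via rundll32's "init"
# export with a long-form --name="" argument, and a license.dat file under the
# user's AppData\Roaming. The DLL path and username are not on the page, so
# both patterns accept any value there.
RUNDLL32_INIT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>"[^"]+"|[^\s,]+)\s*,\s*init\b'
    r'(?P<arg>\s+--\w+=("[^"]*"|\S*))?',
    re.IGNORECASE,
)
LICENSE_DAT_RE = re.compile(
    r'[a-z]:\\users\\[^\\]+\\appdata\\roaming\\license\.dat',
    re.IGNORECASE,
)


def classify(command_line):
    """Return the list of reasons a command line matches the diary's indicators."""
    reasons = []
    m = RUNDLL32_INIT_RE.search(command_line)
    if m:
        dll = m.group("dll").strip('"')
        # A DLL loaded from a user-writable profile directory is the riskier case.
        where = "user profile" if "\\appdata\\" in dll.lower() else "other path"
        reason = f"rundll32 ',init' export ({where})"
        if m.group("arg"):
            reason += " with --name=value argument"
        reasons.append(reason)
    if LICENSE_DAT_RE.search(command_line):
        reasons.append("references AppData\\Roaming\\license.dat")
    return reasons


def scan_command_lines(lines):
    """Return (line_number, reasons) for every command line that matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample process-creation command lines (not from the diary).
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl',
    r'rundll32.exe C:\Users\alice\AppData\Roaming\Qwer\abcd.dll,init --ashego=""',
    r'"C:\Windows\System32\notepad.exe" C:\Users\bob\AppData\Roaming\license.dat',
    r'rundll32.exe "C:\Program Files\Vendor\tool.dll",init',
]

if __name__ == "__main__":
    for n, reasons in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"line {n}: " + "; ".join(reasons))
```

Only the second sample line reproduces both halves of the diary's pattern (profile-directory DLL plus the --name="" argument); the fourth line shows that a vendor DLL using an init export still surfaces, but with a weaker reason, so the output is a triage list rather than a verdict.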

Indicators of Compromise

  • [Hash] 6d07c2e05e76dd17f1871c206e92f08b69c5a7804d646e5f1e943a169a8c50ee, 59e0f6e9c4ce2ab8116049d59525c6391598f2def4125515d86b61822926784f
  • [File name] INV_Unpaid_683_April.pdf, Docs_Inv_April_11_450.exe
  • [URL] http://80.77.23[.]51/lndex.php, https://firebasestorage.googleapis[.]com/v0/b/logical-waters-377622.appspot.com/o/MCRERY0iJA%2FDocs_Inv_April_11_450.zip?alt=media&token=799ca8a7-44ce-44e8-b93d-a346faaf0ea3
  • [Domain] shoterqana[.]com, villageskaier[.]com, deadwinston[.]com
  • [IP] 172.86.75[.]64, 192.153.57[.]82, 162.33.178[.]40
  • [File path] C:\Users\[username]\AppData\Roaming\license.dat

Read more: https://isc.sans.edu/diary/rss/29740