Trend Micro researchers document a shift in the IcedID botnet’s distribution: since December 2022 it has used Google pay-per-click (PPC) malvertising to push the malware through look-alike pages for legitimate brands and applications. The campaign delivers a new loader built from patched legitimate DLLs, executed through an MSI-to-rundll32 chain that ultimately fetches the bot core and drops backdoor payloads, underlining the need for layered defenses against malvertising and evasive loaders. #IcedID #malvertising #GooglePPC #KeitaroTrafficDirectionSystem #AnyDesk #Slack #TeamViewer #IRS
Keypoints
- The IcedID botnet is using Google pay-per-click (PPC) ads to distribute malware via malvertising since December 2022.
- Attackers hijack keywords for well-known brands and applications to display malicious ads that lead users to malicious sites.
- Malicious ads redirect users to look-alike websites (e.g., Slack) to entice downloads of malware packaged as installers.
- The infection chain involves delivering an MSI-based loader, which then fetches the bot core and drops a backdoor payload.
- A new loader is used: a legitimate DLL is patched so that one of its legitimate exports is replaced by a malicious “init” function, so the file still looks like the original library to ML-based detection.
- Modified copies of tcl86.dll, sqlite3.dll, ConEmuTh.x64.dll and libcurl.dll serve as loader components, with the last ordinal export replaced to invoke the loader. Because the rest of the export table is untouched, diffing the exports against a clean copy of the same library version is the practical way to spot the replacement.
- Execution flow: msiexec.exe runs the malicious installer; an MSI custom action spawns rundll32.exe, which loads the loader file (named MSI3480c3c1.msi, but loaded as a DLL since rundll32 ignores the extension) and calls its “init” export; the loader then fetches follow-on payloads such as backdoors and, potentially, ransomware.
- The campaign shows that IcedID can stage other payloads (e.g., Cobalt Strike) and underlines layered protections, including sandboxing, ML-based detection and ad blockers, to blunt malvertising.
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising leads users to malicious sites via hijacked Google Ads and branded keywords. – ‘malicious ads that lure unsuspecting search engine users to downloading malware’
- [T1218.007] System Binary Proxy Execution: msiexec – The loader is invoked through MsiExec.exe as the parent process. – ‘MsiExec.exe executes (parent process)’
- [T1218.011] System Binary Proxy Execution: rundll32.exe – The loader is executed by spawning rundll32.exe and chaining it to run the malicious actions. – ‘rundll32.exe is spawned’ and ‘The custom action spawns a second “rundll32.exe” to run the IcedID loader … with the “init” export function’
- [T1027.009] Embedded Payloads – The IcedID loader is carried inside the MSI package and dropped as MSI3480c3c1.msi, a DLL despite its extension, which rundll32.exe then loads. – ‘to run the IcedID loader “MSI3480c3c1.msi” with the “init” export function’
- [T1036] Masquerading – Legitimate DLLs are modified to host the malicious loader, altering exports to disguise behavior. – ‘The authors have taken a legitimate DLL and replaced a single legitimate function with the malicious loader function …’
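The msiexec-to-rundll32 chain in the key points and the proxy-execution mappings above translate into a straightforward hunting rule. The following is an added example, not Trend Micro’s detection content or tooling: it parses rundll32 command lines and scores each process-creation event on three signals from the report, a rundll32 child of msiexec.exe, a loaded module whose extension is not .dll, and an export named “init”. The events are constructed Sysmon-style records; the MSI3480c3c1.msi file name comes from the IoCs, while the paths, PIDs and the benign Control Panel event are assumptions for illustration.

```python
"""Hunt for the IcedID MSI -> rundll32 loader chain in process-creation logs.

Added example (not Trend Micro's code). The records below are constructed
to resemble Sysmon Event ID 1 fields; real data would come from a SIEM export.
"""
import re

# Constructed sample events (Sysmon-style names). Only the file name
# MSI3480c3c1.msi is taken from the report; paths and PIDs are made up.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 620, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\Slack-Setup.msi" /qn'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Local\Temp\MSI3480c3c1.msi",init'},
    {"pid": 4190, "ppid": 4188, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Local\Temp\MSI3480c3c1.msi",init'},
    # Benign: a Control Panel applet launched through rundll32 from explorer.
    {"pid": 5000, "ppid": 3000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 syntax: rundll32[.exe] <module>,<export|#ordinal> [args]
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (module_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, min_signals=2):
    """Flag rundll32 events that show at least `min_signals` of the
    loader-chain traits described in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        module, export = parsed
        reasons = []
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if parent_name == "msiexec.exe":
            reasons.append("spawned by msiexec.exe (MSI custom action)")
        elif parent_name == "rundll32.exe":
            reasons.append("rundll32.exe -> rundll32.exe chain")
        name = basename(module)
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext != "dll":
            # rundll32 loads any PE as a DLL, so a .msi module is a red flag.
            reasons.append(f"module extension '.{ext}' is not .dll")
        if export.lower() == "init":
            reasons.append('export "init" used by the IcedID loader')
        if len(reasons) >= min_signals:
            findings.append({"pid": e["pid"], "module": module,
                             "export": export, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["pid"], f["module"], f["export"])
        for r in f["reasons"]:
            print("   -", r)
```

Requiring two signals keeps the rule from firing on ordinary rundll32 use (shell32.dll,Control_RunDLL has none); the benign sample is there to show that. In production the parent lookup should use process GUIDs rather than PIDs, since PIDs are reused.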
Indicators of Compromise
- [DLL] Modified loader libraries – tcl86.dll, sqlite3.dll, ConEmuTh.x64.dll, libcurl.dll (used as loader components)
- [MSI] Malicious loader file – MSI3480c3c1.msi (a DLL despite the extension; loaded by rundll32.exe)
- [Brand] Targeted brands/applications used in malvertising – Adobe, AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, LibreOffice, OBS Project, Ring, Sandboxie, Slack, TeamViewer, Thunderbird, IRS
- [File] Loader export – “init”, the export name rundll32.exe calls to start the loader