More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID

Unit 42 reveals a polyglot CHM file used to deliver the IcedID information stealer. The file is built to evade detection: on first open it shows a benign decoy help window, and the malicious chain only launches when the file is executed a second time. The infection chain runs from a phishing email with a ZIP attachment, to an ISO containing the CHM, to concealed code re-executed via Mshta, to a 64-bit IcedID DLL whose configuration is decoded at runtime and yields indicators of compromise such as a C2 URL and a campaign ID. #IcedID #Bokbot #CHM #Mshta #StarchyTaurus #EvasiveSerpens

Keypoints

  • The campaign delivers a polyglot CHM file inside a ZIP and an ISO container to conceal the final IcedID payload.
  • On the first run the CHM shows a benign decoy HTML Help window; the HTA code concealed inside the same file only executes on the second run, which delivers the payload.
  • Mshta.exe is used to execute the same CHM file a second time, treating it as an HTML Application, so the hidden code runs.
  • The IcedID DLL (app.dll) is stored on the ISO as a hidden file that a normal directory listing does not show and that the attrib command reveals; it is the 64-bit IcedID payload.
  • The IcedID DLL’s configuration is encoded in its data section and decoded at runtime; decoding it exposes IoCs such as a C2 URL and a campaign ID.
  • Indicators of compromise include the file names, SHA256 hashes, and C2 domain listed below.
  • Palo Alto Networks protections (e.g., Cortex XDR, WildFire) can detect and block this anti-analysis technique and the associated payloads.
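
The evasion described above works because many file-type checks stop at the first matching signature: the CHM header satisfies the "help file" check, and the HTML Application content riding along in the same bytes is never considered. The following scanner is an added example, not code from the Unit 42 post, that lists every signature a file carries and flags a container whose raw bytes also hold plaintext HTML/HTA. The signature offsets are the standard header positions for each format; the sample bytes are constructed and are not the campaign's files.

```python
"""Added example (not Unit 42's code): report every format signature a file
carries instead of stopping at the first match.  A polyglot CHM passes the
CHM check (ITSF header) while also containing the HTML/HTA content that
mshta.exe will execute, so a single-verdict type check passes it as a help
file.  All sample bytes below are constructed, not the campaign's files."""
import ntpath
import re

# (name, offset, magic).  Offsets are the standard header positions for each
# format; None means the pattern may appear anywhere in the file.
SIGNATURES = [
    ("CHM (ITSF)", 0, b"ITSF"),
    ("ISO 9660", 0x8001, b"CD001"),   # primary volume descriptor at sector 16
    ("ZIP", 0, b"PK\x03\x04"),
    ("PE (MZ)", 0, b"MZ"),
    ("HTML", None, re.compile(rb"<\s*html\b", re.I)),
    ("HTA/script", None, re.compile(rb"<\s*script\b|<\s*hta:application\b", re.I)),
]
CONTAINERS = {"CHM (ITSF)", "ISO 9660", "ZIP", "PE (MZ)"}
SCRIPTY = {"HTML", "HTA/script"}
EXPECTED_BY_EXT = {".chm": "CHM (ITSF)", ".iso": "ISO 9660", ".zip": "ZIP",
                   ".dll": "PE (MZ)", ".exe": "PE (MZ)"}


def detect_formats(data):
    """Return the names of all signatures present, in table order."""
    found = []
    for name, offset, magic in SIGNATURES:
        if offset is None:
            if magic.search(data):
                found.append(name)
        elif data[offset:offset + len(magic)] == magic:
            found.append(name)
    return found


def assess(data, filename):
    """Return (formats, findings) for a file and the name it was delivered under."""
    formats = detect_formats(data)
    findings = []
    expected = EXPECTED_BY_EXT.get(ntpath.splitext(filename)[1].lower())
    if expected and expected not in formats:
        findings.append("extension does not match content")
    if CONTAINERS & set(formats) and SCRIPTY & set(formats):
        # Heuristic: a container whose raw bytes also hold plaintext HTML/HTA
        # is the polyglot pattern this campaign used and deserves a second look.
        findings.append("polyglot: container signature plus embedded script")
    return formats, findings


# Constructed samples.  The "CHM" is just an ITSF header followed by an HTA
# body; it is not a valid help file and is not the campaign's pss10r.chm.
POLYGLOT_CHM = (b"ITSF" + b"\x00" * 60
                + b"<html><hta:application showintaskbar=no>"
                + b"<script>/* second-run stage would go here */</script></html>")
PLAIN_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 2043
RENAMED_EXE = b"MZ" + b"\x00" * 126

if __name__ == "__main__":
    for name, blob in [("sample.chm", POLYGLOT_CHM),
                       ("sample.iso", PLAIN_ISO),
                       ("renamed.chm", RENAMED_EXE)]:
        print(name, assess(blob, name))
```

A real CHM keeps its HTML inside the ITSS container, frequently compressed, so readable `<script` or `<hta:application` markup in the raw bytes of a .chm is a heuristic rather than proof; the point is that the verdict should be the full list of matches, not the first one.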

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – The attack, discovered in early August 2022, starts with a phishing email carrying an attached ZIP file named erosstrucking-file-08.08.2022.zip.
  • [T1036] Masquerading – The polyglot CHM file conceals the payload and evades security tools that rely on file-format identification, which classify it as a help file.
  • [T1218.005] Mshta – The concealed code calls Mshta.exe to execute the CHM file itself (pss10r.chm) a second time.
  • [T1027] Obfuscated/Compressed Files and Information – The IcedID DLL’s configuration is encoded and stored in the data section of the binary and decoded at runtime.
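
The Mshta step is the cheapest place to catch this chain in endpoint telemetry, because mshta.exe is normally handed an .hta file, not a .chm. The detection logic below is an added example, not from the Unit 42 post. It assumes the CHM is opened by hh.exe (the Windows HTML Help viewer) and that the concealed code then runs mshta.exe against the same .chm path; the process-creation events are constructed, Sysmon-style records, not telemetry from the campaign.

```python
"""Added example (not Unit 42's code): process-creation detection for the
Mshta re-execution step.  Assumptions: the .chm is opened by hh.exe (the
Windows HTML Help viewer) and the concealed code then invokes mshta.exe on
the same .chm path.  The events are constructed, Sysmon-like records."""
import ntpath
import re

CHM_ARG = re.compile(r"\.chm\b", re.I)

R_MSHTA_CHM = "mshta.exe given a .chm argument"
R_MSHTA_FROM_HH = "mshta.exe spawned by hh.exe"
R_HH_CHILD = "hh.exe spawned a child process"


def image_name(path):
    """Lower-cased basename of a Windows image path (empty string if missing)."""
    return ntpath.basename(path or "").lower()


def score_event(ev):
    """Return the list of reasons an event is suspicious (empty if none)."""
    img = image_name(ev.get("Image"))
    parent = image_name(ev.get("ParentImage"))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if img == "mshta.exe":
        # mshta normally runs .hta files; a .chm path is the polyglot being
        # executed a second time, this time as an HTML Application.
        if CHM_ARG.search(cmd):
            reasons.append(R_MSHTA_CHM)
        if parent == "hh.exe":
            reasons.append(R_MSHTA_FROM_HH)
    elif parent == "hh.exe":
        # A help viewer launching anything else is unusual, but a link click
        # in a help page can open a browser, so on its own this is a weaker signal.
        reasons.append(R_HH_CHILD)
    return reasons


def detect(events):
    """Return [(event_id, reasons)] for every event with at least one reason."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["EventId"], reasons))
    return hits


# Constructed events.  E:\ stands in for a mounted ISO; the paths and the
# file name sample.chm are placeholders, not the campaign's artifacts.
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" E:\sample.chm'},
    {"EventId": 2, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe E:\sample.chm"},
    {"EventId": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Tools\status.hta"},
    {"EventId": 4, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "iexplore.exe https://example.test/"},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Event 2 trips both high-confidence rules (a .chm argument to mshta.exe, and hh.exe as the parent), event 3 is an ordinary .hta launch and stays quiet, and event 4 surfaces only the weaker "help viewer spawned a child" signal that an analyst would triage rather than alert on.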

Indicators of Compromise

  • [File name] erosstrucking-file-08.08.2022.zip, order-130722.28554.iso, pss10r.chm, app.dll
  • [SHA256] fb6d23f69d14d474ce096da4dcfea27a84c93f42c96f6dd8295d33ef2845b6c7, d403df3fb181560d6ebf4885b538c5af86e718fecfabc73219b64924d74dd0eb
  • [SHA256] 3d279aa8f56e468a014a916362540975958b9e9172d658eb57065a8a230632fa, d240bd25a0516bf1a6f6b3f080b8d649ed2b116c145dd919f65c05d20fc73131
  • [Domain] abegelkunic[.]com

Read more: https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/