IcedID's delivery chain now runs through PrivateLoader as a loading service, with SmokeLoader delivering the loads; DNS resolutions tie SmokeLoader to the C2 domain of an IcedID loader, and the same chain fetches further payloads. The report links several loaders, ransomware and stealer payloads, and asks why major threat actors would rely on a service that also drops ransomware for other customers. #IcedID #PrivateLoader #SmokeLoader #DjvuRansomware #RaccoonStealer #RedLineStealer #CoinSurf #TrickBot #Qakbot #DanaBot #Dridex
Keypoints
- PrivateLoader continues to function as a loading service and now leverages SmokeLoader to deliver loads.
- SmokeLoader's task set points to payloads hosted at external locations (e.g., buildz.exe, bulking.exe, csflow.exe); the resulting activity reaches a C2 domain pattern tied to IcedID load events.
- DNS resolutions show SmokeLoader in contact with deficulintersun[.]com, identified as the C2 for an IcedID loader.
- The SmokeLoader chain leads to additional payloads, including a Djvu ransomware sample embedded in a loader sequence.
- Decoded strings indicate ransom notes and encryption claims, with “All your files … encrypted with strongest encryption and unique key.”
- PrivateLoader has been used by other major loaders/stealers (e.g., TrickBot, Qakbot, DanaBot, Dridex), raising questions about ecosystem usage and conflicts of interest among operators.
MITRE Techniques
- [T1218] Signed Binary Proxy Execution – The first stage is a signed binary that goes on to execute the payload: “The file is a self extracting EXE signed by ‘Nir Sofer’, the extracted EXE inside of it ends up being a simple .NET based loader which will download and execute more .NET code.” (The signed object here is a self-extracting archive carrying the loader rather than a trusted system binary proxying execution, so T1553.002 Code Signing is arguably the closer mapping.)
- [T1105] Ingress Tool Transfer – The loader downloads additional payloads from external locations, e.g., “Location: http://rgyui.top/dl/buildz.exe” as part of the task set.
- [T1071.004] DNS – The operation uses DNS resolutions and a C2 domain, e.g., “the domain ‘deficulintersun[.]com’ is the C2 for an IcedID loader.”
- [T1486] Data Encrypted for Impact – The Djvu ransom note states that “All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key,” and presents payment as the only guarantee of decryption.
Indicators of Compromise
- [Domain] context – host-file-host6.com, host-host-file8.com, deficulintersun.com, acacaca.org, rgyui.top, allejee.com
- [IP] context – 193.233.193.14, 194.87.31.137, 2.58.28.60
- [Hash] context – 03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0
- [URL] context – http://rgyui.top/dl/buildz.exe, https://dl.uploadgram.me/62e817d1aff5ah?dl
- [File Name] context – buildz.exe, bulking.exe
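The DNS-resolution pivot in the keypoints (SmokeLoader resolving the IcedID loader C2) and the indicator list above are most useful when matched against telemetry. The script below is an added example, not code from the report or from Walmart Global Tech: it normalises the page's indicators (defanged or not), matches them against constructed DNS, proxy, file-event and network log lines in an assumed `key=value` format, and treats a bare file-name match as a weak signal. The log format, the field names and the sample lines are assumptions.

```python
"""Match the report's IOCs against sample log lines (added example; the log
format, field names and sample records are constructed, not from the report)."""
import re
from urllib.parse import urlsplit

# Indicators as listed on the page; defanged and plain forms are both accepted.
IOC_DOMAINS = {"host-file-host6.com", "host-host-file8.com", "deficulintersun[.]com",
               "acacaca.org", "rgyui.top", "allejee.com"}
IOC_IPS = {"193.233.193.14", "194.87.31.137", "2.58.28.60"}
IOC_HASHES = {"03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0"}
IOC_URLS = {"http://rgyui.top/dl/buildz.exe", "https://dl.uploadgram.me/62e817d1aff5ah?dl"}
IOC_FILENAMES = {"buildz.exe", "bulking.exe"}   # weak on their own: generic names


def refang(value):
    """Undo common defanging so 'hxxp://a[.]b' compares equal to 'http://a.b'."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def norm_url(url):
    """Refang, then lowercase only scheme and host; path/query stay case-sensitive."""
    u = urlsplit(refang(url))
    return u._replace(scheme=u.scheme.lower(), netloc=u.netloc.lower()).geturl()


DOMAINS = {refang(d).lower() for d in IOC_DOMAINS}
URLS = {norm_url(u) for u in IOC_URLS}


def domain_hit(host):
    """True for an IOC domain or any subdomain of one (cdn.rgyui.top -> rgyui.top)."""
    host = refang(host).lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def url_hit(url):
    """Exact URL match first, then fall back to the URL's host against the domain list."""
    url = norm_url(url)
    return url in URLS or domain_hit(urlsplit(url).hostname or "")


def parse_line(line):
    """Assumed log format: free timestamp followed by key=value pairs."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_record(rec):
    """Return the list of IOC matches for one parsed record ('host' is the endpoint name)."""
    reasons = []
    if "query" in rec and domain_hit(rec["query"]):
        reasons.append("domain:" + refang(rec["query"]).lower())
    for key in ("answer", "dst", "src"):          # resolved answer or connection peer
        if rec.get(key) in IOC_IPS:
            reasons.append("ip:" + rec[key])
    if "url" in rec and url_hit(rec["url"]):
        reasons.append("url:" + norm_url(rec["url"]))
    if rec.get("sha256", "").lower() in IOC_HASHES:
        reasons.append("sha256:" + rec["sha256"].lower())
    if "path" in rec:
        name = re.split(r"[\\/]", rec["path"])[-1].lower()
        if name in IOC_FILENAMES:
            reasons.append("filename:" + name)    # weak signal; corroborate with hash/C2
    return reasons


def scan_logs(text):
    """Map 1-based line number -> matches, for every line hitting at least one IOC."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            reasons = match_record(parse_line(line))
            if reasons:
                hits[n] = reasons
    return hits


# Constructed sample telemetry (not from the report); lines 2 and 4 are benign.
SAMPLE_LOGS = """\
2022-05-10T12:00:01Z type=dns host=WS01 query=deficulintersun.com answer=194.87.31.137
2022-05-10T12:00:02Z type=dns host=WS01 query=www.example.com answer=93.184.216.34
2022-05-10T12:00:05Z type=proxy host=WS01 url=http://rgyui.top/dl/buildz.exe status=200
2022-05-10T12:00:06Z type=proxy host=WS02 url=https://updates.example.org/a.exe status=200
2022-05-10T12:00:09Z type=file host=WS01 path=C:\\Users\\u\\AppData\\Local\\Temp\\bulking.exe sha256=03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0
2022-05-10T12:00:10Z type=net host=WS02 dst=2.58.28.60 dport=443
"""

if __name__ == "__main__":
    for n, reasons in sorted(scan_logs(SAMPLE_LOGS).items()):
        print(f"line {n}: {', '.join(reasons)}")
```

Subdomain matching is deliberate: the IOC list carries apex domains, while the task locations in the report sit on paths under them, so a query for a host beneath `rgyui.top` should still fire. Matching on file name alone is kept as a separate, low-confidence reason so that a hit on `buildz.exe` can be escalated only when it co-occurs with a hash or C2 match from the same host.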
Read more: https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f