FortiGuard Labs uncovered a spearphishing operation targeting a Kyiv fuel company that used a spoofed invoice to entice a recipient to open a zipped attachment containing an ISO image that drops the IcedID banking Trojan. The actors use a LNK shortcut and Regsvr32-based DLL execution to install a dropper and establish C2 communication, a living-off-the-land chain that runs the payload inside a signed Windows binary and is followed by domain reconnaissance that lays the groundwork for lateral movement. #IcedID #FortiGuardLabs #Fortinet #Ukraine #Belize #Regsvr32
Keypoints
- The phishing email spoofed an invoice from another fuel provider and originated from a Belize-based IP address, aiming to appear legitimate.
- Attachment is invoice_15.zip containing invoice_15.iso; Windows mounts the ISO as a drive letter, and its contents are disguised to look like a document. (At the time of this campaign files extracted from a mounted ISO did not inherit the Mark-of-the-Web, so the usual download warnings did not appear.)
- Once mounted, the ISO exposes a shortcut (document.lnk) that launches Regsvr32 to register main.dll, the dropper DLL, and start execution.
- main.dll acts as a dropper for IcedID, with decoy content designed to mislead analysts and evade quick IOC blocking.
- IcedID collects information from the infected host (IP address, domain trusts, domain admins) and attempts outbound C2 communication to multiple addresses.
- Fortinet lists specific IOCs (filenames, hashes, domains, and IPs) and notes protections across Fortinet products and phishing training options.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – The e-mail originated from an IP address in Belize and spoofed the sender to appear legitimate. ‘The e-mail originated from an IP address in Belize, at 179[.]60[.]150[.]96. It spoofs the originating e-mail address to appear to have been sent from another fuel provider in Ukraine.’
- [T1204.002] User Execution – Malicious File – The recipient must extract invoice_15.zip and open the invoice_15.iso inside it; that action starts the infection. (‘Attached to the e-mail is a file named “invoice_15.zip”. Extracting the Zip file will drop “invoice_15.iso” and begin the first phase of infection.’)
- [T1218.010] System Binary Proxy Execution: Regsvr32 – Regsvr32, a signed Microsoft binary, is used to register “main.dll” with the Windows registry and launch the code contained within; because execution happens inside a trusted system binary, naive application allow-listing does not stop it. (‘…Regsvr32 is used to register “main.dll” with the Windows registry and launch the code contained within.’)
- [T1082] System Information Discovery – Information gathered via Windows command-line tools – The malware uses built-in tools to obtain local environment data (local IP via ipconfig, domain trusts via nltest, domain admins via net group). The individual commands map more precisely to T1016 System Network Configuration Discovery (ipconfig), T1482 Domain Trust Discovery (nltest) and T1069.002 Permission Groups Discovery: Domain Groups (net group). ‘As seen in Figure 7, once running, the malware uses several Windows command-line tools to obtain information about the local environment. These include capturing the local IP address (ipconfig), enumerating domain trusts (nltest), and capturing a list of domain administrators (net group), among others.’
- [T1071.001] Web Protocols – C2 communication – The sample attempts outbound communication to a C2 server with multiple fallback addresses. ‘The sample then tries to communicate outbound to a command and control (C2) server. There are multiple addresses the malware can connect to in the event one of the destinations becomes unavailable.’
Indicators of Compromise
- [Filename] – invoice_15.zip, invoice_15.iso, document.lnk, main.dll, Arur.exe – phishing delivery artifacts forming the infection chain
- [SHA256] – 83bd20009107e1f60479016046b80d473436d3883ad6989e5d42bc08e142b5bb, 3542d5179100a7644e0a747139d775dbc8d914245292209bc9038ad2413b3213 – file hashes for the dropped components
- [Network] – 160[.]153[.]32[.]99, 160[.]90[.]198[.]40 – IP addresses used for C2 or distribution
- [Domain] – yourgroceries[.]top, ssddds1ssd2[.]com – domains involved in C2 or delivery
- [Hostname] – ip-160-153-32-99[ip].secureserver.net – DNS/hostname indicator related to the infrastructure
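The indicators above are printed defanged; to sweep logs for them they have to be refanged and matched by type (domains including their subdomains, IPs with a port stripped, hashes, file basenames). The following Python is an added example, not Fortinet's code: the indicators are taken from this page (the third IP is the sending address from the T1566.001 entry rather than the IOC list), while the DNS, proxy and file-event log lines are constructed for the demonstration.

```python
import ipaddress
import re

# Indicators exactly as the page prints them (defanged with [.]). The last IP
# is the e-mail sender address from the T1566.001 entry, not from the IOC list.
RAW_IOCS = {
    "domain": ["yourgroceries[.]top", "ssddds1ssd2[.]com"],
    "ip": ["160[.]153[.]32[.]99", "160[.]90[.]198[.]40", "179[.]60[.]150[.]96"],
    "sha256": [
        "83bd20009107e1f60479016046b80d473436d3883ad6989e5d42bc08e142b5bb",
        "3542d5179100a7644e0a747139d775dbc8d914245292209bc9038ad2413b3213",
    ],
    "filename": ["invoice_15.zip", "invoice_15.iso", "document.lnk", "main.dll", "Arur.exe"],
}


def refang(value: str) -> str:
    """Undo the common defanging conventions so the indicator can be compared."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("[:]", ":").replace("hxxp", "http"))


IOCS = {kind: {refang(v).lower() for v in values} for kind, values in RAW_IOCS.items()}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HOST_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value tokens in a log line

# Constructed log lines (not real telemetry); only the indicators are real.
SAMPLE_LOGS = [
    "2022-05-12T09:15:01 dns client=10.1.4.22 qname=yourgroceries.top qtype=A",
    "2022-05-12T09:15:03 proxy client=10.1.4.22 dst=160.153.32.99:443 host=cdn.ssddds1ssd2.com method=GET",
    r"2022-05-12T09:16:10 file host=WS-022 path=C:\Users\a.user\Downloads\invoice_15.zip "
    "sha256=83bd20009107e1f60479016046b80d473436d3883ad6989e5d42bc08e142b5bb",
    "2022-05-12T09:20:00 dns client=10.1.4.23 qname=www.example.com qtype=A",
    "2022-05-12T09:21:00 proxy client=10.1.4.23 dst=93.184.216.34:443 host=example.com method=GET",
]


def domain_hit(host: str):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOCS["domain"]:
            return candidate
    return None


def classify(value: str):
    """Map one log value to (indicator_type, indicator) if it matches an IOC."""
    v = value.strip('"').lower()
    if SHA256_RE.match(v) and v in IOCS["sha256"]:
        return ("sha256", v)
    host, _, _ = v.partition(":")          # drop :port from host:port / ip:port (IPv4 only)
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = None
    if ip is not None:
        return ("ip", ip) if ip in IOCS["ip"] else None
    if HOST_RE.match(host):
        d = domain_hit(host)
        if d:
            return ("domain", d)
    base = re.split(r"[\\/]", v)[-1]       # basename of a Windows or POSIX path
    if base in IOCS["filename"]:
        return ("filename", base)
    return None


def scan(lines):
    """Return (timestamp, field, indicator_type, indicator) for every hit."""
    hits = []
    for line in lines:
        for key, value in KV_RE.findall(line):
            match = classify(value)
            if match:
                hits.append((line.split()[0], key) + match)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Filename matches are the noisiest of the four types (main.dll is a common name), so in practice they should be paired with the hash or the delivery path rather than alerted on alone; the domain and IP matches are the ones worth blocking directly.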
Read more: https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id