Google ads lead to fake software pages pushing IcedID (Bokbot)

Two reports show Google Ads leading to fake software pages that push IcedID (Bokbot) via SEO poisoning and multiple redirects, including a fake AnyDesk site that downloads a malicious ZIP. The infection chain delivers an MSI that drops a DLL to install IcedID, followed by Cobalt Strike, Sliver/DonutLoader activity, and various exfiltration and C2 communications. #IcedID #Bokbot #AnyDesk #SEOpoisoning #GoogleAds

Keypoints

  • Criminals use Google ads and SEO poisoning to route searches for legitimate software to fake download pages hosting IcedID (Bokbot).
  • A fake AnyDesk page is reached via a Google Ad Services URL and a malicious traffic distribution system (TDS) domain.
  • The fake AnyDesk page prompts users to download a ZIP archive hosted on Google Firebase Storage containing an MSI installer.
  • Running the MSI drops and runs a DLL to install IcedID on the victim host, with rundll32.exe used to execute the DLL.
  • Post-infection activity includes Cobalt Strike activity (PowerShell-based first instance, additional payloads), Sliver/DonutLoader infrastructure, and VNC backchannel communications.
  • Indicator coverage includes multiple IPs, domains, file hashes, and a ZIP/MSI pair with persistent IcedID artifacts.

MITRE Techniques

  • [T1189] Drive-by Compromise – Attacker delivers malware through fake software sites accessed via search ads and redirects. Quote: ‘SEO poisoning… This is an effective way for criminals to distribute their malware.’
  • [T1204.002] User Execution: Malicious File – User double-clicks an MSI that drops and runs a DLL to install IcedID. Quote: ‘Double-clicking the .msi file on a vulnerable Windows host caused it to drop and run a DLL to install IcedID on the victim’s system.’
  • [T1059.001] PowerShell – PowerShell script used for first instance of Cobalt Strike activity. Quote: ‘PowerShell script for first instance of Cobalt Strike activity.’
  • [T1021.005] Remote Services: VNC – Backchannel traffic via VNC for remote control. Quote: ‘IcedID backchannel traffic with VNC.’
  • [T1071.001] Web Protocols – C2 and updates over HTTPS/Web protocols. Quote: ‘HTTPS traffic’ and ‘C2 traffic over HTTPS.’
  • [T1105] Ingress Tool Transfer – Initial payloads downloaded (e.g., h.exe) during second-stage Cobalt Strike activity. Quote: ‘GET /download/h.exe’ and ‘Ingress Tool Transfer’.
  • [T1218] Signed Binary Proxy Execution: Rundll32 – Execution via rundll32.exe to run the dropped DLL. Quote: ‘Run method: rundll32.exe [filename],init’

Indicators of Compromise

  • [IP] 143.198.92.88 – klepdrafooip.com – GET / HTTP/1.1 (traffic generated by the IcedID installer DLL)
  • [IP] 94.140.114.40 – primsenetwolk.com – HTTPS traffic
  • [IP] 94.140.114.40 – onyxinnov.lol – HTTPS traffic
  • [IP] 158.255.211.126 – trashast.wiki – HTTPS traffic
  • [IP] 51.195.169.87 – port 8080 – VNC backchannel
  • [IP] 176.105.202.212 – GET /adcs4 (First Cobalt Strike activity)
  • [IP] 172.67.130.194 – kingoflake.com – HTTPS traffic
  • [IP] 199.127.62.132 – GET /download/h.exe (Second Cobalt Strike activity)
  • [IP] 108.177.235.187 – bukifide.com – HTTPS traffic
  • [IP] 190.61.121.35 – static/ZillaSlab-Bold.subset…woff – GET/traffic
  • [Domain] klepdrafooip.com – gzip binary delivery site
  • [Domain] primsenetwolk.com, onyxinnov.lol, trashast.wiki, kingoflake.com, bukifide.com – domains involved in C2/delivery chains
  • [URL] https://firebasestorage.googleapis.com/v0/b/our-audio-370812.appspot.com/o/wnitFn4RCG%2FSetup_Win_14-12-2022_18-36-29.zip?alt=media&token=3ef517f1-eb72-46bc-ac4b-3fb41f92d373 – ZIP payload delivery
  • [File hash] 19265aac471f7d72fcddb133e652e04c03a547727b6f98a80760dcbf43f95627 – Setup_Win_14-12-2022_18-36-29.zip
  • [File hash] 63a7d98369925d6e98994cdb5937bd896506665be9f80dc55de7eb6df00f7607 – Setup_Win_14-12-2022_18-36-29.msi
  • [File hash] 7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e – IcedID dropped DLL
  • [File hash] 53639070024366d23c3de5ba1d074cbd1d8b9e78d46f75c32ef02fc20c279fc3 – IcedID loader/license.dat artifact
  • [File hash] 205fbc52fafd456388d3ef80ff00498c90295791a91811725fea94052dc4fe7a – IcedID persistent data
  • [File hash] bfa3eb36beeaa65334abe81cdd870e66b37da3e478d1615697160244fd087b48 – Donut/Sliver loader artifact
  • [File hash] 7486c3585d6aa7c2febd8b4f049a86c72772fda6bd1dc9756e2fb8c5da67bafa – Sliver/DonutLoader payload
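As an added example (not code from the ISC diary or its author), the detection logic below turns the MITRE section and the indicator list above into a small scanner: it checks constructed log lines (a simplified key=value event format assumed here, not a real product's format) for the rundll32 ",init" execution pattern from a user-writable path, DNS queries for the listed domains, and connections to the listed IPs.

```python
import re

# Domains and IPs taken from the indicator list on this page.
IOC_DOMAINS = {"klepdrafooip.com", "primsenetwolk.com", "onyxinnov.lol",
               "trashast.wiki", "kingoflake.com", "bukifide.com"}
IOC_IPS = {"143.198.92.88", "94.140.114.40", "158.255.211.126", "51.195.169.87",
           "176.105.202.212", "172.67.130.194", "199.127.62.132",
           "108.177.235.187", "190.61.121.35"}

# Constructed sample events (assumed key=value format); the DLL path is made up.
SAMPLE_EVENTS = [
    r'type=process image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Users\bob\AppData\Local\Temp\Setup_Win.dll,init"',
    r'type=dns host=WS01 query=klepdrafooip.com',
    r'type=net dst=51.195.169.87 dport=8080 proto=tcp',
    r'type=process image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"',
    r'type=dns host=WS01 query=example.com',
]

# rundll32 <dll>,init  (the run method quoted under T1218 on this page)
RUNDLL32_INIT = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*init\b', re.IGNORECASE)
# Locations a dropped DLL typically lands in; a legitimate init export from System32 is not flagged.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def parse(line):
    """Split one key=value event into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def check_event(line):
    """Return a list of human-readable hits for one event (empty if nothing matched)."""
    ev, hits = parse(line), []
    if ev.get("type") == "process":
        m = RUNDLL32_INIT.search(ev.get("cmdline", ""))
        if m and any(p in m.group(1).lower() for p in USER_WRITABLE):
            hits.append(f"rundll32 ,init on DLL in user-writable path: {m.group(1)}")
    elif ev.get("type") == "dns" and ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append(f"DNS query for listed C2/delivery domain: {ev['query']}")
    elif ev.get("type") == "net" and ev.get("dst") in IOC_IPS:
        hits.append(f"connection to listed C2 IP: {ev['dst']}:{ev.get('dport', '?')}")
    return hits

def scan(lines):
    """Return (line_index, hit) pairs for every matching event in the log."""
    return [(i, h) for i, line in enumerate(lines) for h in check_event(line)]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"[{idx}] {hit}")
```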

Read more: https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344/