IcedID Malware Shifts Its Delivery Strategy

IcedID has shifted from email-based delivery to drive-by infections delivered via Google Search Ads that target common enterprise applications. The TRU team explains how ads, cloaking, and a Cobalt Strike foothold are used to compromise endpoints and deliver IcedID, with practical recommendations for defenders. #IcedID #Kaseya #more_eggs #GoogleSearchAds #CobaltStrike #Firebase

Keypoints

  • IcedID infections shifted to drive-by delivery via Google Search Ads starting mid-December 2022.
  • Ads target enterprise software like Slack, Docker, TeamViewer, Microsoft Teams, Basecamp, and Adobe Reader.
  • Top-of-page ad bids and PPC economics help attackers reach victims, potentially aided by stolen payment data.
  • Cloaking and traffic redirection hide malicious pages (e.g., slackapp[.]tech redirecting to wvwslack[.]top) and impersonate legitimate downloads (e.g., Docker).
  • A site masquerading as Adobe Reader led to an IcedID infection, with the payload hosted on Google Firebase.
  • Reconnaissance and foothold deployment include living-off-the-land commands, PowerShell, and a Cobalt Strike beacon using HTTP to C2.
  • TRU provides general user/IT guidance and emphasizes patching, NGAV/EDR, and phishing/security awareness training to defend against such delivery shifts.

MITRE Techniques

  • [T1189] Drive-by Compromise – Google Search Ads delivered IcedID, as TRU notes: “IcedID infections have originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.”
  • [T1036] Masquerading – Cloaking and traffic redirection hide malicious content, e.g., “slackapp[.]tech is the ad link, but the final content is hosted on wvwslack[.]top.”
  • [T1105] Ingress Tool Transfer – Payloads downloaded by users from the Internet, i.e., IcedID payloads downloaded via compromised download pages.
  • [T1059.001] PowerShell – Living-off-the-land reconnaissance and a PowerShell script attempt: “Within 30 minutes, IcedID attempted to execute a PowerShell script (ozye.txt) using fodhelper.exe to bypass UAC…”
  • [T1117] Regsvr32 – The beacon loader was configured to spawn and inject into a child PowerShell process using regsvr32.exe.
  • [T1071.001] Web Protocols – Cobalt Strike beacon communicated with a remote C2 over HTTP: “beacon … communicate with poasnm[.]com using HTTP…”
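The two execution patterns listed above (fodhelper.exe launching PowerShell, and regsvr32.exe spawning a child PowerShell process) are both visible in ordinary process-creation telemetry. The following is an added example, not code from eSentire or the original post: a small parent/child process detector run over constructed, Sysmon-like process-creation records. The event field names, the `ozye.txt` command line, and the sample paths are assumptions made for the example; only the parent/child pairs and the `.txt` script name come from the report.

```python
"""
Added example: flag process-creation events matching the IcedID execution
patterns described in the report. Event shape is a constructed, Sysmon-like
record; field names are assumptions, not a real product schema.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


# Parent -> child pairs taken from the techniques listed in the report.
PAIR_RULES = {
    ("fodhelper.exe", "powershell.exe"):
        "fodhelper.exe launched PowerShell (UAC-bypass pattern, T1059.001)",
    ("regsvr32.exe", "powershell.exe"):
        "regsvr32.exe spawned PowerShell (beacon loader pattern, T1117)",
}

# PowerShell reading its script body from a .txt file (the report names ozye.txt).
TXT_SCRIPT_RE = re.compile(r"\b[\w\-\.\\:]+\.txt\b", re.IGNORECASE)


def _name(path: str) -> str:
    """Case-insensitive executable name from a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return every reason an event looks suspicious (empty list if none)."""
    reasons: list[str] = []
    pair = (_name(event.parent_image), _name(event.image))
    if pair in PAIR_RULES:
        reasons.append(PAIR_RULES[pair])
    if _name(event.image) == "powershell.exe" and TXT_SCRIPT_RE.search(event.command_line):
        reasons.append("PowerShell references a .txt script file on its command line")
    return reasons


def find_suspicious(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map PID -> reasons for every event that trips at least one rule."""
    hits: dict[int, list[str]] = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            hits[event.pid] = reasons
    return hits


# Constructed sample telemetry: two suspicious spawns and three benign events.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell -w hidden -c "IEX (Get-Content C:\Users\Public\ozye.txt)"',
                 r"C:\Windows\System32\fodhelper.exe"),
    ProcessEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -enc AAAA",
                 r"C:\Windows\System32\regsvr32.exe"),
    ProcessEvent(103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Get-Process", r"C:\Windows\explorer.exe"),
    ProcessEvent(104, r"C:\Windows\System32\regsvr32.exe", "regsvr32 /s setup.dll",
                 r"C:\Windows\System32\msiexec.exe"),
]


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The pair rules fire on the parent/child relationship alone, so an attacker changing the script name or encoding the command does not evade them; the `.txt` heuristic is secondary and will need tuning against legitimate administration scripts in a real environment.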

Indicators of Compromise

  • [Domain] IcedID Download Page – www-goto-com.top, www-onenote-us.top, and 16 more domains (IcedID Download Page)

Read more: https://www.esentire.com/blog/icedid-malware-shifts-its-delivery-strategy