Security Brief: TA571 Delivers IcedID Forked Loader | Proofpoint US

Two October 2023 TA571 campaigns delivered a Forked IcedID loader via thread-hijacking emails that downloaded a password-protected ZIP. The operation used 404 TDS redirects and intermediary gates to filter targets and bypass analysis, ultimately loading IcedID onto victims’ machines. #TA571 #ForkedIcedID #Proofpoint #IcedID

Keypoints

  • TA571 conducted two large-scale campaigns in October 2023 (October 11 and October 18) delivering Forked IcedID to thousands of users across industries.
  • Emails appeared as replies to existing threads (thread hijacking) and used 404 TDS URLs to serve a password-protected ZIP archive.
  • The ZIP included a VBScript file; double-click execution runs an embedded Forked IcedID loader via regsvr32, which then downloads the IcedID bot.
  • The Forked variant lacks banking functionality and is used to pivot toward payload delivery, with ransomware delivery as a likely objective.
  • TA571 commonly employs 404 TDS across campaigns to route traffic to malware families like AsyncRAT, NetSupport, and DarkGate, aided by gate-based filtering.
  • The technique includes intermediary gates to target specific victims and to bypass automated sandboxing or researcher activity.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Emails contained 404 TDS URLs linking to the download of a password-protected zip archive. “Emails in the campaigns purported to be replies to existing threads. This is known as thread hijacking.”
  • [T1059.005] VBScript – The ZIP file contained a VBS script and a benign text file. The VBS script, if double-clicked by the user, ran an embedded IcedID Forked loader with regsvr32.
  • [T1117] Regsvr32 – The VBS script invoked regsvr32 to execute the embedded loader DLL.
  • [T1105] Ingress Tool Transfer – The loader in turn downloaded the IcedID bot.
  • [T1497] Virtualization/Sandbox Evasion – Gate-based traffic filtering was used to bypass automated sandboxing or researcher activity.
  • [T1090] Proxy – 404 TDS acts as a traffic distribution system, routing traffic and filtering by IP/geography to decide whether the payload is delivered.
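The execution chain summarized above (a double-clicked .vbs, which Windows runs under wscript.exe, spawning regsvr32 to load a DLL the script dropped) is a good fit for process-tree detection. The following is an added example, not code from Proofpoint or from the brief: it runs over constructed Sysmon-style process-creation events and flags regsvr32 when its parent is a script host or when the DLL it loads lives in a user-writable path. The event layout, the sample PIDs and the loader path `loader.dll` are assumptions made for the example.

```python
"""Flag regsvr32 launches that match the VBS -> regsvr32 -> DLL loader pattern.

Added example; the event format below is a simplified Sysmon Event ID 1 layout.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the process image
    cmdline: str    # command line as logged


# Constructed sample telemetry (not from the brief). The .vbs file name is the
# one listed in the IoCs; the dropped DLL path is a hypothetical placeholder.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\OFFER[2023.10.11_08-07].vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Users\alice\AppData\Local\Temp\loader.dll"'),
    # Benign-looking registration of a system DLL from explorer: should not fire.
    ProcEvent(400, 100, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Windows\System32\shell32.dll"'),
    # Installer registering its own component under Program Files: should not fire.
    ProcEvent(500, 100, r"C:\Program Files\Vendor\setup.exe", "setup.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\comp.dll"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an unprivileged user can write to; a loader dropped by a script
# will almost always sit under one of these.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
# Quoted path (may contain spaces) or bare token ending in .dll
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_regsvr32(events):
    """Return (pid, dll_path, reasons) for each regsvr32 event worth triage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "regsvr32.exe":
            continue
        parent = by_pid.get(e.ppid)
        m = DLL_ARG.search(e.cmdline)
        dll = (m.group(1) or m.group(2)) if m else ""
        reasons = []
        if parent is not None and basename(parent.image) in SCRIPT_HOSTS:
            reasons.append("parent is a script host (%s)" % basename(parent.image))
        if dll and USER_WRITABLE.search(dll):
            reasons.append("DLL loaded from user-writable path")
        if reasons:
            hits.append((e.pid, dll, reasons))
    return hits


if __name__ == "__main__":
    for pid, dll, reasons in find_suspicious_regsvr32(SAMPLE_EVENTS):
        print(f"pid {pid}: {dll} -> {'; '.join(reasons)}")
```

Only the wscript-spawned regsvr32 loading from Temp is reported; the two other regsvr32 launches stay quiet because neither condition holds. In production telemetry the parent lookup should also tolerate PID reuse (key on process GUID rather than PID), and the path list should be tuned to the environment.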

Indicators of Compromise

  • [SHA256] – example1, example2, and 3 other payload hashes (values not listed in this summary)
  • [File] HLSV1249_5361051.zip – Payload Example
  • [File] OFFER[2023.10.11_08-07].vbs – Payload Example
  • [File] ReadMe[2023.10.11_08-07].txt – Payload Example
  • [File] IcedID Forked Loader 0050-1.dll – Payload Example
  • [File] IcedID Useqacaw.dll – Payload Example
  • [URL] hxxps://gestionhqse[.]com/qd – 404 TDS URL that redirected to Gate #1
  • [URL] hxxps://gilaniultrasound[.]com/wfhfxtktx – Gate #1, which redirected to Gate #2 (which then led to the download of the ZIP)
  • [Domain] modalefastnow[.]com – IcedID Forked Loader C2
  • [Domain] roatancruiseship[.]com – 404 TDS URL Domain
  • [Domain] brandworks[.]com[.]au – 404 TDS URL Domain
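The indicators above are defanged (hxxps, [.]), so they cannot be pasted straight into a search. As an added example that is not part of the brief, the block below refangs the listed URLs and domains, reduces them to a domain set, and matches that set against constructed proxy log lines (which also exercise the subdomain case, since a host such as www.brandworks.com.au should still match the listed apex domain). The log line format is an assumption made for the example.

```python
"""Refang the brief's defanged indicators and match them against proxy logs.

Added example; the proxy log lines are constructed and the log layout
(timestamp client method url status) is assumed.
"""
import re

# Defanged indicators exactly as listed in the brief.
DEFANGED_IOCS = [
    "hxxps://gestionhqse[.]com/qd",
    "hxxps://gilaniultrasound[.]com/wfhfxtktx",
    "modalefastnow[.]com",
    "roatancruiseship[.]com",
    "brandworks[.]com[.]au",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: hxxp(s) and bracketed dots."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    return s


def ioc_domain(ioc: str) -> str:
    """Strip scheme and path from a refanged indicator, leaving the host."""
    s = refang(ioc)
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0].lower()


def build_domain_set(iocs) -> set:
    return {ioc_domain(i) for i in iocs}


# Constructed proxy log lines (not from the brief).
SAMPLE_PROXY_LOG = """\
2023-10-11T08:12:01Z 10.1.2.3 GET https://gestionhqse.com/qd 302
2023-10-11T08:12:02Z 10.1.2.3 GET https://gilaniultrasound.com/wfhfxtktx 302
2023-10-11T08:12:05Z 10.1.2.3 GET https://cdn.example.net/lib.js 200
2023-10-11T08:13:40Z 10.1.2.3 POST https://modalefastnow.com/ 200
2023-10-11T08:14:00Z 10.1.2.9 GET https://www.brandworks.com.au/ 200
"""


def match_proxy_log(log_text: str, domains: set):
    """Return (timestamp, client, host, matched_domain) for each hit.

    A host matches when it equals a listed domain or is a subdomain of it.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        for d in domains:
            if host == d or host.endswith("." + d):
                hits.append((parts[0], parts[1], host, d))
                break
    return hits


if __name__ == "__main__":
    domains = build_domain_set(DEFANGED_IOCS)
    for ts, client, host, d in match_proxy_log(SAMPLE_PROXY_LOG, domains):
        print(f"{ts} {client} contacted {host} (matches {d})")
```

The two 302 responses followed by a request to the loader C2 domain from the same client is the sequence the brief describes (404 TDS, gates, then the loader calling home), which is why correlating hits per client and in time order is more useful than treating each match in isolation.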

Read more: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader