In this blog, we'll analyze how this latest IcedID (Bokbot) mal-spam campaign executed its attack using sample data shared by malware-traffic-analysis.net (specifically this capture). We'll also explore the background behind IcedID and Cobalt Strike and show you how to conduct a simple analysis of the PCAP.
You can use this link to load the pcap into your own Gigasheet account and follow along. (Don't have an account? Sign up free here.)
To understand how this mal-spam campaign successfully spread IcedID, which led to CobaltStrike and DarkVNC activity, we first need to learn what IcedID is and what it's used for. Although IcedID was discovered in 2017, it did not gain popularity until the second half of 2020. Cisecurity describes IcedID (BokBot) as a modular banking trojan skilled at stealing user financial information and acting as a dropper for other malware. It steals financial information, including login credentials for online banking sessions, through a man-in-the-browser attack. Once the initial attack is successful, it uses the stolen data to take over banking accounts and automate fraudulent transactions. In addition to its own malicious spam campaigns, IcedID is primarily dropped as a secondary payload from other malware, particularly Emotet. IcedID employs various injection techniques to evade antivirus and other malware detection systems, including injecting itself into operating system (OS) memory and into regular processes.
There have been numerous indicators of compromise (IOCs) over the past years. Below is a graph of the IcedID entries in the Abuse.ch ThreatFox database from November 9, 2021 to January 16, 2022. You can check out the live stats to view more; click here.
IcedID C2 Statistics by ThreatFox
Cobalt Strike is a hugely popular set of threat emulation tools that work with the Metasploit Framework. Cobalt Strike and other penetration testing tools were originally designed to train network defenders on vulnerabilities and potential avenues of infection by cybercriminals. These tools are designed to simulate intrusions by motivated actors, and they have proven to be extremely effective in this regard, so much so that malicious actors have incorporated them into their tooling.
Users were sent an email containing a link, with message text instructing them to download an Excel add-in (.xll) file. Once a victim opened the add-in, the IcedID installer DLL was fetched and installed, which is the installer DLL traffic seen in the capture. IcedID then waits for the user to launch a web browser such as Firefox, Google Chrome, or Internet Explorer. When the browser starts, IcedID detects the browser type and injects shellcode into it, allowing the operators to tamper with web traffic. This is why the capture contains IcedID malware and IcedID C2 traffic as well as CobaltStrike traffic.
Now that we have some foundational knowledge of these attack vectors, we can conduct an informed analysis. Typically you would use tools like Wireshark or TShark to analyze the pcap, but if you've got a huge multi-gigabyte capture and you're looking for a quick and easy way to triage it, Gigasheet can help.
Gigasheet Automatically Parses PCAP Files
By clicking the Functions (Fx) -> Convert Unix time option, you can create a new column in UTC (or in whichever time zone you prefer). Now we have a formatted timestamp field alongside the other fields we need for our analysis.
When a computer has been infected with CobaltStrike, it usually sends HTTP requests on port 80 or port 443, exfiltrating data from that host. In this capture, the source IP addresses of interest end with /45. We selected the Filter icon, then "ip.src" for the column, "IP contains" as the operator, and /45 as the value.
After filtering (ip.src -> IP ends with -> /45), 4,373 of the 27,681 rows remain, and as you can see this is the Cobalt Strike traffic:
To narrow this down further, filter the remaining traffic again using "GET" as the value to isolate the C2 communication. With this filter, we were able to find the malicious Excel add-in plugins and the times they were used.
Here I highlighted the returned .xll file and the installer DLL traffic, which was visibly suspicious:
To even go further with your data you can use our Enrichments feature. It allows you to add context and threat intelligence to IP addresses and file hashes. The Enrichments dialog is context-sensitive, which means that the enrichment options displayed are determined by the data type of the selected column. GEO IP, for example, only works with IP address data, so it won't be available if a string column is chosen for enrichment.
With enrichments you can dig deeper into your data. Gigasheet includes one-click enrichment from top OSINT threat intelligence feeds from the following sources:
DataPlane.org
FireHOL
Green Snow
IPsum (Levels 5+)
mirai.security.gives
Proofpoint Emerging Threats
TOR Exit Nodes
Click the column menu and select Enrich. Note: the column must contain IP addresses only.
Select OSINT Feeds from the list of enrichments and click Enrich Data.
A response will be displayed in new columns to the right of the IP address column selected in step 1. The first column will show the number of hits in the last 60 days, and the second will show a list of feeds that Gigasheet found a match for.
Very large data sets may take several seconds to process. While the enrichment is running, you can continue working in Gigasheet.
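The triage steps above (convert Unix time to UTC, keep only the conversations with the host whose address ends in 45, pick out the GET requests for the .xll and installer DLL, then enrich the server address against OSINT feeds) are shown here in Python as an added example; this is not Gigasheet's code and not data from the real capture. All rows, addresses and feed contents are constructed, and the filter matches either endpoint (the post filtered ip.src alone) so both requests and responses are kept.

```python
from datetime import datetime, timezone

# Constructed sample rows in the shape of Gigasheet's parsed-PCAP columns.
# Values are made up for illustration; they are not packets from the real capture.
ROWS = [
    {"epoch": 1642344000, "ip.src": "10.0.0.12", "ip.dst": "203.0.113.45",
     "method": "GET", "uri": "/addin/report.xll"},
    {"epoch": 1642344001, "ip.src": "203.0.113.45", "ip.dst": "10.0.0.12",
     "method": "", "uri": ""},
    {"epoch": 1642344030, "ip.src": "10.0.0.12", "ip.dst": "203.0.113.45",
     "method": "GET", "uri": "/files/installer.dll"},
    {"epoch": 1642344060, "ip.src": "10.0.0.12", "ip.dst": "198.51.100.7",
     "method": "GET", "uri": "/index.html"},
]

# Constructed stand-in for the OSINT feed memberships; the real feeds are fetched by Gigasheet.
FEEDS = {
    "FireHOL": {"203.0.113.45"},
    "Proofpoint Emerging Threats": {"203.0.113.45", "198.51.100.7"},
    "TOR Exit Nodes": set(),
}

SUSPICIOUS_EXT = (".xll", ".dll")


def unix_to_utc(epoch):
    """Fx -> Convert Unix time: epoch seconds to an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def conversation_with(rows, ip_suffix):
    """Rows where either endpoint's address ends with ip_suffix (e.g. ".45")."""
    return [r for r in rows
            if r["ip.src"].endswith(ip_suffix) or r["ip.dst"].endswith(ip_suffix)]


def suspicious_gets(rows):
    """GET requests whose URI fetches an Excel add-in (.xll) or a DLL, with UTC time."""
    return [(unix_to_utc(r["epoch"]), r["ip.dst"], r["uri"]) for r in rows
            if r["method"] == "GET" and r["uri"].lower().endswith(SUSPICIOUS_EXT)]


def enrich(ip):
    """Feed hit count and matched feed names, like the two enrichment columns."""
    matched = sorted(name for name, ips in FEEDS.items() if ip in ips)
    return len(matched), matched


if __name__ == "__main__":
    for ts, dst, uri in suspicious_gets(conversation_with(ROWS, ".45")):
        hits, feeds = enrich(dst)
        print(ts, dst, uri, f"feed hits={hits}", feeds)
```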
Gigasheet makes it easy for Incident Responders and Threat Hunters to analyze huge CSVs, PCAPs and EVTX files, and to convert JSON to CSV. Large files aren't easy to open in tools like Excel, not only because of their volume but also because of formats such as XML. Normally, to analyze these files you would have to use many command-line utilities, Python libraries, or other scripts, each with its own set of dependencies, syntax, and operating system requirements. At Gigasheet, we strive to make things easier for security investigators by providing quick, functional, and simple tools. Sign up at Gigasheet.com today!