Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-07-29
  • Author: Teoderick Contreras, Splunk
  • ID: 1d2cc747-63d7-49a9-abb8-93aa36305603

Narrative

IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains “license.dat” which is the actual core icedid bot.

Detections

Name Technique Type
Account Discovery With Net App Domain Account, Account Discovery TTP
CHCP Command Execution Command and Scripting Interpreter TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Create Remote Thread In Shell Application Process Injection TTP
Disable Schedule Task Disable or Modify Tools, Impair Defenses TTP
Drop IcedID License dat User Execution, Malicious File Hunting
Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
FodHelper UAC Bypass Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism TTP
IcedID Exfiltrated Archived File Creation Archive via Utility, Archive Collected Data Hunting
Mshta spawning Rundll32 OR Regsvr32 Process Signed Binary Proxy Execution, Mshta TTP
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Office Application Spawn Regsvr32 process Phishing, Spearphishing Attachment TTP
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Product Spawning MSHTA Phishing, Spearphishing Attachment TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Rundll32 Create Remote Thread To A Process Process Injection TTP
Rundll32 CreateRemoteThread In Browser Process Injection TTP
Rundll32 DNSQuery Signed Binary Proxy Execution, Rundll32 TTP
Rundll32 Process Creating Exe Dll Files Signed Binary Proxy Execution, Rundll32 TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Sqlite Module In Temp Folder Data from Local System TTP
Suspicious IcedID Regsvr32 Cmdline Signed Binary Proxy Execution, Regsvr32 TTP
Suspicious IcedID Rundll32 Cmdline Signed Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 PluginInit Signed Binary Proxy Execution, Rundll32 TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting

Reference

source | version: 1