IcedID Banking Trojan teams up with Rovnix for distribution

In November 2017 security researchers reported a new banking Trojan known as “IcedID”. At the time of discovery IcedID was being distributed by Emotet. In late February and throughout March 2018 Cisco noticed an increase in IcedID infections being detected throughout the AMP ecosystem. Like in November 2017, some of the infections could be traced to Emotet, but this time, many detections could instead be traced to emails with attached malicious Microsoft Word documents containing macros. When the malicious documents are opened and the macros are enabled, Rovnix would be downloaded and executed, which subsequently downloads IcedID. In addition to Rovnix, many of the samples downloaded a second payload, a Bytecoin miner (Bytecoin is a crypto currency similar to Bitcoin).

Rovnix is financially motivated malware that is known to download and install additional modules, or other malware families. This Rovnix/IcedID attack was interesting for two reasons:

1. The targeted nature of the emails that use spear-phishing techniques to entice victims into opening the malicious Microsoft Word documents

2. The minimalist code injection technique used by IcedID that improves on existing code injection techniques, and is harder to detect

Figure 1: Malicious document that installs Rovnix and IcedID banker attached to spear-phishing emails

Use of spear-phishing emails

At first, this attack appeared to be similar to the countless malicious Microsoft Word documents with macros that Cisco blocks each day. In this case, when the documents are opened users are enticed to enable macros in order to view the content. If the user enables macros within the document, an auto-close macro is triggered when the user closes the document that executes mshta.exe (a built-in Windows component) to download and execute a remote script. The remote script launches two instances of PowerShell to download and execute the Rovnix/IcedID and Bytecoin miner payloads.

This attack became more interesting when the targeted nature of the emails and the file-names of email attachments was investigated.

Widely distributed malware families that spread over email (like Rovnix) generally send out their malicious messages in high volume. Most end-user security training programs center around helping users identify these kinds of emails and to be suspicious of any unexpected emails. An attacker sending emails in large volumes has typically chosen email content that applies to a wide range of different recipients, but will not immediately be viewed as suspicious. For example, attackers have recently been using email content like job applications with attached resumes, shipment delivery notifications with attached tracking information, or notices for payment with attached invoices. In contrast, spear-phishing attacks use emails that are much more targeted at the recipient, and contain information familiar to the recipient. Previously, spear-phishing was primarily used by Advanced Persistent Threat (APT) actors who had specific targets.

Rovnix/IcedID is a clear example of the evolution of spear-phishing from exclusive use by APT threat actors, to use by malware families with wide distribution. For example, one of the Rovnix distribution emails had the following features:

◈ The email was sent to an employee of a city in the state of Arkansas

◈ The email’s subject referenced a meeting relevant to city business

◈ The email’s body referenced and discussed the meeting, as well as containing names of employees that work at the city

◈ The name of the document attached to the email included the name of a civil engineering company local to Arkansas

A similar example to the above was found in a malicious email received by an electrical company in Raleigh, North Carolina. The file-name of the attached document included the name of an engineering company also local to North Carolina.

Not all examples were as highly targeted to a specific business, but rather targeted users in an similar industry. For example, users with email addresses related to the automotive industry received emails with an attachment file-name that referenced the name of a car dealership in Dallas, Texas.

Using spear-phishing techniques to create emails containing references to people or businesses recipients are familiar with are likely to result in more users opening the attachments and enabling the macros within. Since spear-phishing emails require the attacker to create emails for each target, there is a higher cost to the attacker to launch this kind of attack, but will pay off if the attacker invests the time necessary.

Minimalist code injection

Once launched, IcedID takes advantage of an interesting technique to inject malicious code into svchost.exe. The technique does not require starting the target process in a suspended state and is achieved by only using the following functions:

◈ kernel32!CreateProcessA

◈ ntdll!ZwAllocateVirtualMemory

◈ ntdll!ZwProtectVirtualMemory

◈ ntdll!ZwWriteVirtualMemory

IcedID’s code injection into svchost.exe works as follows:

1. In the memory space of the IcedID process the function ntdll!ZwCreateUserProcess is hooked

2. The function kernel32!CreateProcessA is called to launch svchost.exe and the CREATE_SUSPENDED flag is not set

3. The hook onntdll!ZwCreateUserProcess is hit as a result of calling kernel32!CreateProcessA, the hook is then removed and the actual function call to ntdll!ZwCreateUserProcess is made

At this point the malicious process is still in the hook, the svchost.exe process has been loaded into memory by the operating system, but the main thread of svchost.exe has not yet started

4. The call to ntdll!ZwCreateUserProcess returns the process handle for svchost.exe. Using the process handle, the functions ntdll!NtAllocateVirtualMemory and ntdll!ZwWriteVirtualMemory can be used to write malicious code to the svchost.exe memory space

5. In the svchost.exe memory space the call to ntdll!RtlExitUserProcess is hooked to jump to the malicious code already written

6. The malicious function returns, which continues the code initiated by the call tokernel32!CreateProcessA and the main thread of svchost.exe will be scheduled to run by the operating system

7. The malicious process ends

Malware authors are constantly looking for more surreptitious ways to inject code into benign processes. Process doppelganging and atom bombing are examples of completely new classes of code injection techniques malware authors have recently found and leveraged. The minimalist process injection technique used by IcedID is an evolution of existing process injection techniques, rather than an entirely new class of technique.

Minimalist code injection does offer the following improvements over known techniques:

◈ Requires only 4 Windows API calls to achieve code injection

◈ Does not require the created process to be created in a suspended state

◈ Does not require new threads to be created in the target process

Using less functions and less suspicious process creation flags makes this minimalist code injection technique more difficult for security solutions to detect.

Detection

Cisco AMP for Endpoints’ new exploit prevention engine offers protection against both Rovnix and IcedID. While neither Rovnix or IcedID contain actual exploits, both are detected and blocked by the AMP exploit prevention engine because of suspicious access to memory each performs. In the case of Rovnix, memory manipulation done by its unpacking routine is detected. In the case of IcedID, when it performs the minimalist memory injection technique it is detected when it attempts to place the hook on the ntdll!ZwCreateUserProcess function.