IcedID campaign uses a “benign” macro in an attempt to evade detection

Cyber criminals continue to modify the IcedID trojan attack chain to avoid detection and increase the pool of potential victims.

IcedID operators have innovated their tactics to successfully defeat endpoint detection solutions. When tested, BluVector’s Machine Learning Engine (MLE) would have detected an IcedID trojan sample 47 months prior to its release.

What Is It?

The IcedID trojan was the subject of a Threat Report soon after it first surfaced in 2017. Originally, IcedID’s primary purpose was to steal financial information, classifying it as a banking trojan. As it has evolved over time, this focus has widened to include distributing other malware as a dropper. IcedID continues to become more prolific, particularly since the success of international law enforcement’s efforts to disrupt the notorious Emotet botnet’s operations in January 2021. Throughout its life, IcedID’s authors have regularly innovated and evolved the evasion tactics they employ, to ensure the maximum number of potential victims are successfully infected.

Previous examples of this include a campaign perpetrated in May 2020, which used a somewhat predictable COVID-19 pandemic related lure, married with an attack chain that used steganographic techniques to hide malicious executable payloads inside what initially appear to be harmless Portable Network Graphics (PNG) format image files. Another campaign from April 2021 utilized malicious Microsoft Excel files containing Excel 4.0 macros, as described in another recent Threat Report relating to a Baz Loader campaign.

In this case, described in a recent report from researchers at Sentinel One, IcedID operators employed a Microsoft Word document whose macro contains no malicious code at all, in order to evade detection, particularly by endpoint-based security tools. Many macros used in malicious documents contain suspicious commands in the macro code itself, or incorporate various obfuscation techniques, either of which makes the macro appear malicious or at the very least suspicious. Here the macro is very basic and operates on content taken from the document itself, as a legitimate macro would. Sentinel One’s report doesn’t include the actual Word document; however, the BluVector Threat Team identified and reviewed a sample using the identical technique and IOCs related to this campaign.


[Figure: Word Macro]

The malicious content is hidden behind an image in the document that asks the user to enable content so that the macro can execute. This content is actually a Microsoft HTML Application (HTA) file. The macro uses the Title value from the document’s properties as the destination filename for the HTA file. Once written out, the HTA file is executed. The HTA file contains JavaScript and VBScript that deobfuscate and execute further JavaScript to download the malicious IcedID DLL, save it with a JPG file extension, and execute it. The obfuscated JavaScript is stored within the HTA file as base64 strings that have additionally been reversed, so each must be reversed back before it can be base64-decoded.
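As an added example, not code from the Sentinel One report or from the BluVector sample, the following Python script reproduces the reversed-base64 layering described above on a constructed, harmless HTA and recovers the scripts embedded in it. The HTA text, the script bodies, and the function names are all constructed for illustration; the point is that a base64-looking literal that begins with "=" is a strong hint of reversal, because base64 padding belongs at the end, and that an analyst’s decoder should try both the reversed and the plain interpretation of each literal.

```python
import base64
import binascii
import re

# A base64-looking string literal: a long run of the base64 alphabet inside quotes.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=]{16,})["\']')


def obfuscate(script: str) -> str:
    """Build a blob the way the report describes: base64-encode, then reverse."""
    return base64.b64encode(script.encode()).decode()[::-1]


def try_decode(blob: str):
    """Return ("reversed" | "plain", text) if the blob decodes to printable text, else None.

    The reversed interpretation is tried first (the IcedID case). A reversed blob
    usually starts with "=" (the padding moved to the front), which strict base64
    decoding rejects, so plain base64 literals are not misread as reversed ones.
    """
    for variant, candidate in (("reversed", blob[::-1]), ("plain", blob)):
        try:
            raw = base64.b64decode(candidate, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return variant, text
    return None


def recover_scripts(hta_text: str):
    """Find every base64-looking literal in an HTA and recover the scripts inside."""
    found = []
    for match in B64_LITERAL.finditer(hta_text):
        result = try_decode(match.group(1))
        if result:
            found.append(result)
    return found


# Constructed stand-ins for the download/execute scripts; they do nothing harmful.
STAGE_1 = 'var u = "http://example.invalid/stage.bin";'
STAGE_2 = 'document.write("stage two");'

# Constructed HTA mimicking the layout described in the report: a VBScript wrapper
# holding reversed-base64 blobs, plus one ordinary base64 literal for comparison.
SAMPLE_HTA = f"""<html><head><HTA:APPLICATION id="x" />
<script language="VBScript">
Dim blob1, blob2, note
blob1 = "{obfuscate(STAGE_1)}"
blob2 = "{obfuscate(STAGE_2)}"
note = "{base64.b64encode(b'legitimate text.').decode()}"
</script></head><body></body></html>"""


if __name__ == "__main__":
    for variant, text in recover_scripts(SAMPLE_HTA):
        print(f"[{variant}] {text}")
```

Run against a real HTA, the script lists each recovered literal with whether it had to be reversed; anything tagged "reversed" is worth treating as a deliberate obfuscation layer rather than ordinary encoded data.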

[Figure: Word Content]

[Figure: Word Content]

The IcedID DLL is used to collect and exfiltrate sensitive data from the victim’s system to the IcedID command and control (C2) site. The various tactics described above are aimed at evading endpoint detection solutions, to maximize the number of potential victims. This demonstrates that IcedID’s operators continue to evolve their tactics as part of their ongoing arms race with cyber defenders and detection solutions.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The usual attack vector for IcedID campaigns is the use of phishing emails with malicious Office document attachments, and this was also the case for the campaign described in this report.

When/How Did BluVector Detect It?

Sentinel One’s report included a list of nearly 500 hashes for the IcedID payloads associated with this campaign. Of these, 50 were regression-tested with BluVector’s patented Machine Learning Engine (MLE), which detected all of them. These samples would have been detected for an average of 78.5 months prior to their release. Additionally, although the report didn’t include any samples of the actual malicious Word documents, the BluVector Threat Team identified a sample using the identical mechanism described in the report and very likely part of the same campaign. When tested, BluVector MLE would have detected this malicious Word sample for 47 months prior to its release.
