This diary is based on an infection I started on Monday 2021-12-13 at 21:45 UTC that ran until Tuesday 2021-12-14 at 17:17 UTC. The infection generated traffic for IcedID (Bokbot), DarkVNC, and Cobalt Strike. A pcap of the network traffic and the associated malware samples are available here.
"Contact Forms" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint. We've seen this campaign push BazarLoader malware and distribute Sliver, but recently it's been pushing IcedID (Bokbot). Most of the time, the Contact Forms campaign uses a "Stolen Images Evidence" theme, with emails stating a supposed violation of the Digital Millennium Copyright Act (DMCA). Below is an example seen on December 9th, 2021.
A website's contact form is easy method for cyber criminals to reach an organization. They can enter any name, email, and message text in these forms to deliver. With anonymous browsing methods like tor or VPN, criminals can hide their true location when filling out these forms.
In this case, the link is a googleapis URL that abuses Google services to distribute malware. I checked the link in a web browser, and it was a "Stolen Images Evidence" themed web page. The page automatically presented an ISO file named Stolen_Images_Evidence.iso.
ISO files have been used by cyber criminals for years, and the Contact Forms campaign started consistently delivering ISO files from these pages as early as November 30th, 2021. Prior to that, this campaign almost always sent zip archives.
Double-clicking an ISO file on a Windows host will mount the file as a drive, then it will open Windows Explorer to view its contents. In this example, the double-clicked ISO file appears at F: as a DVD drive, and it contains a Windows shortcut.
By default, Windows Explorer does not show hidden files, so we should reveal hidden files from the Explorer menu.
Examining the Windows shortcut in a hex editor, we find a Windows user account named lamar that may have been used when creating the shortcut.
The account name lamar has been consistent in each shortcut I've examined from these ISO files since they started appearing from the Contact Forms campaign on 2021-11-30.
Indicators of Compromise (IOCs)
The following are IOCs are from an infection run I started on Monday 2021-12-13 at 21:45 UTC that ran until Tuesday 2021-12-14 at 17:17 UTC.
URL for the "Stolen Images Evidence" page:
Domain called by above googleapis page:
Traffic generated after double clicking Windows shortcut in downloaded ISO file:
Caused by the .js file:
Caused by the DLL (an installer for IcedID):
IcedID (Bokbot) post-infection traffic:
DarkVNC activity starting on 2021-12-13 at 23:33 UTC:
Cobalt Strike activity starting on 2021-12-14 at 06:30 UTC and ending at 11:55 UTC:
Cobalt Strike activity starting on 2021-12-14 at 15:33 UTC and continued through the end of the pcap at 17:17 UTC:
This and similar IcedID infections have led to Cobalt Strike, which can lead to other malicious activity like ransomware as reported in this real-world example.
A pcap of the network traffic and the associated malware from this infection are available here.
Dec 16th 2021
|Thread locked Subscribe||
Dec 16th 2021
6 months ago