2022-05-10-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt
2022-05-10 (TUESDAY) - CONTACT FORMS CAMPAIGN PUSHES ICEDID (BOKBOT) WITH COBALT STRIKE
REFERENCE:
- original post unavailable
- Repost at: https://twitter.com/cpardue09/status/1524481140622610432
NOTES:
- In recent weeks, the Contact Forms campaign has switched between pushing IcedID or pushing Bumblebee malware.
- Threat actor behind the Contact Forms campaign is identified by Proofpoint as TA578.
- More info at: https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
INFECTION CHAIN:
- Message generated by web site's contact form page --> link --> .iso --> IcedID --> Cobalt Strike
EXAMPLES OF URLS FOR "STOLEN IMAGES EVIDENCE" PAGE:
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/f9TOed0dsfi8I.html?d=013424360141997568
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/f9TOed0dsfi8I.html?d=079839232761821960
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/f9TOed0dsfi8I.html?f=683781869433531884
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fcVBtFOTc535o.html?d=767294819687278278
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/file33vCIi4VowMA.html?l=233013603241570417
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/file74UBbKNqO4XJ.html?h=322608764470150504
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/file74UBbKNqO4XJ.html?l=170461110458299507
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/file9FElTNKbCSuK.html?d=032781002493078383
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filehcA21fXJ3Pqq.html?d=747252265096336534
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filehcA21fXJ3Pqq.html?l=657889339028053050
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filer5SC4oHvKVpU.html?d=272216762893034065
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filer5SC4oHvKVpU.html?f=872038693564426236
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filer5SC4oHvKVpU.html?l=793720566165760989
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fileWrCADKEdgj2D.html?f=975205599657957920
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fileWrCADKEdgj2D.html?l=315799856865048946
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filex2o3u5r2JSLQ.html?d=41262147567753914
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filexGOO60PY9LvE.html?f=534830888378933219
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fkdOib7kTYN6s.html?h=686086524291489104
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fZ5cijKJ1mC0i.html?f=602448158755477572
- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fZ5cijKJ1mC0i.html?f=690200262275133400
URL CALLED BY "STOLEN IMAGES EVIDENCE" PAGE, RETURNED SCRIPT WITH BASE64 TEXT TO CREATE ISO FILE:
- hxxps://olodaris[.]com/images/logo.jpg
EXAMPLE OF DOWNLOADED ISO FILE AND ITS CONTENTS:
- SHA256 hash: cc79f27ac41f863b9c9d8bf3dcc2738faa9d9691a1cf98c3f58351b20868cb05
- File size: 2,097,152 bytes
- File name: StolenImages_Evidence.iso
- File description: ISO file downloaded from "Stolen Images Evidence" page
- SHA256 hash: f7861ee8b3917e3746d44a769453334c9bf1b780213634ed9abd42f7873b0593
- File size: 1,614 bytes
- File name: documents.lnk
- File description: Windows shortcut contained in the above .iso file
- Shortcut target: %windir%\system32\rundll32.exe olasius.dll,PluginInit
- SHA256 hash: db91742b64c866df2fc7445a4879ec5fc256319e234b1ac5a25589455b2d9e32
- File size: 590,336 bytes
- File name: olasius.dll
- File description: 64-bit DLL installer for IcedID
- Run method: rundll32.exe [filename],PluginInit
GZIP FILE RETRIEVED BY ICEDID INSTALLER TO CREATE LICENSE.DAT AND PERSISTENT ICEDID DLL:
- SHA256 hash: 25c0746b4ac43ae65d5107c35659bf8f1d904fb3658d7c375ef1aa164a5cd200
- File size: 917,404 bytes
- File location: hxxp://yolneanz[.]com/
- File type: gzip compressed data, was "Grass.txt", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 4811912
LICENSE.DAT USED TO RUN PERSISTENT ICEDID DLL:
- SHA256 hash: dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed
- File size: 342,186 bytes
- File location: C:\Users\[username]\AppData\Roaming\HopeDescribe\license.dat
- File type: data binary
- Note: Directory named "HopeDescribe" is unique to this infection
PERSISTENT ICEDID DLL:
- SHA256 hash: dc08348cc6976740042ac2ee5942a48e56d1f2cd038f5907bad179a5c93d1b8a
- File size: 574,464 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\[username]\wafuleff4.dll
- File description: 64-bit DLL made persistent for IcedID infection
- Run method: rundll32.exe [filename],#1 --ig="HopeDescribe\license.dat"
TRAFFIC FROM AN INFECTED WINDOWS HOST:
TRAFFIC FOR ISO FILE:
- port 443 - hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filehcA21fXJ3Pqq.html?l=657889339028053050
- 46.173.215[.]54 port 443 - hxxps://olodaris[.]com/images/logo.jpg
TRAFFIC FOR GZIP BINARY USED TO CREATE LICENSE.DAT AND PERSISTENT ICEDID DLL:
- 51.89.190[.]220 port 80 - yolneanz[.]com - GET /
ICEDID C2 TRAFFIC:
- 85.239.61[.]45 port 443 - ganjicow[.]com - HTTPS traffic
- 135.148.217[.]93 port 443 - callbackhubs[.]com - HTTPS traffic
- 85.239.61[.]45 port 443 - meanforthen[.]com - HTTPS traffic
- 135.148.217[.]93 port 443 - eldingdayl[.]com - HTTPS traffic
COBALT STRIKE TRAFFIC:
- 138.124.183[.]147 port 80 - policyupdating[.]com - GET /microsoft
- 138.124.183[.]147 port 80 - policyupdating[.]com - GET /styles.css?hour=true
- 138.124.183[.]147 port 80 - policyupdating[.]com - POST /ro
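The following Python script is an added example for turning the IOCs above into a detection check; it is not part of the original notes or of any tool the notes reference. It takes the host IOCs (the two rundll32 run methods) and the network IOCs (staging, IcedID C2 and Cobalt Strike domains and IPs) from the sections above and runs them over a constructed `kind|value` log format invented for this example. The rundll32 patterns deliberately key on the export names (`PluginInit`, ordinal `#1`) and the `--ig="...\license.dat"` argument rather than on `olasius.dll`, `wafuleff4.dll` or `HopeDescribe`, because the notes mark those names as unique to this infection; that generalization is this example's assumption, not a statement from the notes.

```python
import re

# Network IOCs copied from the notes above (defanged with "[.]" there, refanged here so they
# match real log values). Family labels follow the notes' section headings.
IOC_DOMAINS = {
    "icedid-staging": {"olodaris.com", "yolneanz.com"},
    "icedid-c2": {"ganjicow.com", "callbackhubs.com", "meanforthen.com", "eldingdayl.com"},
    "cobalt-strike-c2": {"policyupdating.com"},
}
IOC_IPS = {
    "46.173.215.54": "icedid-staging",
    "51.89.190.220": "icedid-staging",
    "85.239.61.45": "icedid-c2",
    "135.148.217.93": "icedid-c2",
    "138.124.183.147": "cobalt-strike-c2",
}

# Host IOCs: the two rundll32 run methods from the notes. DLL file names and the
# "HopeDescribe" directory are per-infection (assumption based on the notes' own remark),
# so the patterns match the export name / ordinal and the license.dat argument instead.
RUNDLL32_PLUGININIT = re.compile(r'rundll32(?:\.exe)?\s+\S+\.dll,PluginInit\b', re.IGNORECASE)
RUNDLL32_LICENSE_DAT = re.compile(
    r'rundll32(?:\.exe)?\s+\S+\.dll,#1\s+--ig="?[^"\s]+\\license\.dat"?', re.IGNORECASE
)


def classify_process(cmdline):
    """Return the IOC family for a process command line, or None if it matches nothing."""
    if RUNDLL32_LICENSE_DAT.search(cmdline):
        return "icedid-persistence"
    if RUNDLL32_PLUGININIT.search(cmdline):
        return "icedid-installer"
    return None


def classify_domain(name):
    """Match a DNS query name (exact or subdomain) against the domain IOCs."""
    name = name.lower().rstrip(".")
    for family, domains in IOC_DOMAINS.items():
        if any(name == d or name.endswith("." + d) for d in domains):
            return family
    return None


def classify_ip(ip):
    """Exact lookup of a destination IP against the IP IOCs."""
    return IOC_IPS.get(ip)


def scan_log(lines):
    """Scan 'kind|value' lines (kind is proc, dns or conn); return (line_no, family, value) hits."""
    hits = []
    for n, line in enumerate(lines, start=1):
        kind, _, value = line.partition("|")
        if kind == "proc":
            family = classify_process(value)
        elif kind == "dns":
            family = classify_domain(value)
        elif kind == "conn":
            # conn values are "ip:port"; only the IP is an IOC here
            family = classify_ip(value.rsplit(":", 1)[0])
        else:
            family = None
        if family:
            hits.append((n, family, value))
    return hits


# Constructed sample log (not captured data): one benign line per kind mixed in, and
# "alice" stands in for the [username] placeholder used in the notes.
SAMPLE_LOG = [
    r'proc|C:\Windows\system32\rundll32.exe olasius.dll,PluginInit',
    r'proc|C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL',
    r'proc|rundll32.exe C:\Users\alice\AppData\Roaming\alice\alice\wafuleff4.dll,#1 --ig="HopeDescribe\license.dat"',
    "dns|ganjicow.com",
    "dns|www.example.com",
    "conn|138.124.183.147:80",
    "conn|10.0.0.5:443",
]

if __name__ == "__main__":
    for n, family, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {family}: {value}")
```

Running the script flags lines 1, 3, 4 and 6 of the constructed log. In a real deployment the `proc` lines would come from process-creation telemetry (command line plus parent) and the `dns`/`conn` lines from resolver or proxy logs; the rundll32 ordinal-plus-`license.dat` pattern is the more durable of the host checks, since the notes show the installer and the persistent DLL using different export names but the same `license.dat` argument convention.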