All Posts
5
min read

Threat updates – A new IcedID GZipLoader variant

Published on
February 25, 2022
Copy link
Share on LinkedIn
Share on X/Twitter
Share on Facebook

Summary

IcedId is a modular banking Trojan discovered in 2017. It is one of the most prevalent malware families in recent years, targeting financial information and acting as a dropper for other malware families, such as Vatet, Egregor, REvil.

GZipLoader is the loader component of the IcedID infection chain. Its purpose is to download and execute the final encrypted payload from the control panel. The encrypted payload mimics a GZIP file, which is why it is called GZipLoader.

While monitoring our incoming malware feeds, we have detected a new version of the IcedID GzipLoader component which is distributed since the beginning of February.  This version introduces new anti-analysis techniques, whereas it is functionally equivalent to previous versions, except for the removal of the SSL-pinning feature. The anti-analysis techniques that have been introduced are the dynamic resolution of Windows API functions and string encryption.

Discovery and timeline

The new loader version came to our attention while monitoring our incoming malware feeds. Threatray classifies malware families using search algorithms that are based on code reuse analysis. We have seen (see image below) that the confidence of our classification algorithms for IcedID has dropped from high confidence (“red”) to medium confidence (“orange”). This was the trigger for further investigations.

Looking for samples contacting a known IcedID URL.

IcedID detection based on code reuse.

Looking for instance at the analysis of the sample e1e9e84e84a24abaa8658d871515d32e21ed51f1c54812315155f4c88bbc8722eecbfbd we see that the virtual memory region 0x4b0000 of the regsvr32 process contains 9 functions that are related to IcedID GZipLoader component.

Retrohunting for similar GZipLoader samples.

Using our retrohunting capabilities, we have searched through our platform for samples that contain a similar loader (see image below).

The earliest sample in our feeds with this new loader is from February 9th, 2022.

Detailed analysis

The new version of the loader resolves imports dynamically, whereas the old version does not:

The second functionality that has been added to the new loader is string encryption:

Strings are hidden using a technique commonly known as stacked strings, which is combined with simple XOR encryption.

The following code is in charge of decrypting the strings using XOR operations:

A Python version of the decryption function for POST requests is as follows:

The same string decryption method is used throughout the binary.

The string encryption code is in-lined (as opposed to take place in a dedicated function). This new code changes the control flow graph of all functions which are referencing strings. This could break some detections rules based on patterns recognition such as YARA rules. We thus recommend to double-check your detections rules for IcedID.

Retired features

We have also realized that in this new version, the SSL-pinning feature has been removed. For more details about this feature, we highly recommend reading the report from Group-IB on the old version (https://blog.group-ib.com/icedid). To summarize, IcedID sets a callback when it sends data to a legit server (mostly to aws.amazon.com) and it verifies the checksum of the public key from the server’s certificate.

As you can see in the image below, in the old variant when the set_bot_information() function is called, the result of SSL_pinning_feature() is passed as argument. However, in this new variant (since the feature has been removed) the value passed to set_bot_information() is hardcoded to 1.

Searching in our telemetry for IcedID samples , we see that the most prevalent URL among all IcedID samples was aws.amazon.com, due to the SLL pinning feature.

However, if we limit the search scope to the last 2 weeks, we can confirm that the aws.amazon.com URL is no longer used.

Another less important change that occurs in this version is that the function responsible of decrypting the command and control has disappeared. In this new version the code of this function is in-lined in the main function.

IOCs

02e58a9e73e314497356a4d420f83584ccb85d49edce98a36f9e738b85ca637f03a41a586c17dd1bd79aa20dfa9a0b1e11d8b0acc21d687bfc3953baf8907a8603c12545f5dd6cb2a36fcc6da5184cda9259d71f2d12f537cb916a702965433005e15f807b0e89e6af4c42a38ca8100ce0064f63530abad455334b31a2a69c8805e4a3ef8a29fd09f10e500acf62d628b77b2719b5664a011e66811af6509a690990cb15328b1784aa0338e5f21eaf771b2ec1a6b0ac16d30d94c30e3374131209edd4cda6f4dc5bb313570bf5c206b3691f4453d15bf742460cec8c0d4aff7d0d8041601a71723fd9a41e1350cb8baabd9a690a26f12723bccc8a91b461245a0f5fbad82dae02e2a48775762f8ff0eb067eb4f81ce637607ac893d4e0c613b310a841e167daefdba33ce9fd8e5f3b0c2a30c1e3c37f034c0bffdbaf97a5db5f134774292f7745f4b91b833735e03c6b8e21197606511b5b1bde965e9cb3f51515f8da5acf0b2b3e7334ef9d15e290758fcc918930ca8be801acc7682868b91b18cc18377e2fef33c4ac8f700a15889def8d7965149033c9cf80d7499e96694218f8c27d91db287a18034e39a2df2e4e3ec9755d4067809b37580859c6a8acd61c5467229ec9eadb6c9cdd09d4f69cdbb31906605af609e44505383660ba2f311c86607f8145c0c20c4b6345223a8ba0a8f7c31f0e6f952d5baa80ff776b676d1d371ef854dac871c335d8ad1ba2f3d7916fc449e6383eec9196c117930c4d981fa43e3a239c517b2af4fbf9cd176b7ef8282d82f6f555917fefc64e4c9cde30204bcb9f2278761c541c5be310382f02e21a7b83d6944fb619abec110063dc66205e180196d948fe19ba8ca04d244f505b667af92e8e85ee05caf61c39e3851023bd947bcd5946b8b7c985562b6c866b3f573f26929726ec2b24a793d924563924a6327b7913db912a1c22fdacc0c7148a03c1aa04ee8e67c5c2f63f894d9fef255fedca93d25a470f2b59ac374249bf3f8f5325815a7e82a5c2a63cc08f76d42c4ebb47841760e94ae3f6f26e9ffe4cc7e933d618b0721e6dce5da6f45951222d48d620321ed65bca7f16330d30d8658d8046cedc89c9135c2dfee88316267f2d7c3f733948bd01e428e517b84eacd96e816ad3d181db27c13246a22dcc03b42dc18df6aa58c8646823c532debd0522e0cda5bb113b02caebadb4489ba48ce42ebeebe48a1bc8541fa769187fef1214b5855e8979cd902b21b792c57cbd808b31597d65343eb5ca523fa81dbe4331d577d5d819f60f3aec071b2fb7eb9d01e431a5ee81cc3206f30e6bc62e84ec89e9aa35e44b52baacc8955aa68baa0a093e3215a0502c123bd08d9374e2508d79adabcb36e3a3f5d7cd87a97d616ff9c60133270eab7adb83b72240a9546d6d310cbc692d4ef102b7136042165b1d95a91a3388b2781e84a2fdb1d37e5ee1371af605fee7b70e16bd7b57ed8025db2447b4358679a5aa1ce479cc20c624d3fefe26170b3ad052ed9aa8111bf3047c755ee2368be300f148a956b017cedac10721e64f8030499ea3411db6519a8eeb68d43c374c7619257b545ac83cf1870f50f38066c5ded225c780af28cb8bd8c8c8007039b49f2c3d6cfe9c1064086116abe323d1eb59ab852099dbf9efaca81f662c5b3adc2160c304c344f6c1efcba1b759af3cc87b85376535b088adb15562aa02543c4b375de8b20a9036c3ac9139855f312bbcbe8b3e869b36ebfbf2533422a06e3d1ec1f66ba4a30aac55590ff3d120ae22e345685caa916f9d1c74592c98f0c33e3c5d318ed1a4dd83cf0dc9279d82b5dffa7181f2b650d24c61b1a008d6d0f23ee0dd7a2c2d122790e560a535c4a3cc8a11da78df15cd5d4da461797d1e48bf407baf0c60024ff01e4d2128264064eea5099c33efa6688362ff38e0ee97fbe240aa95077ab694181272d48457920b6ca587c9b0752d8752940840e6200397934528ee62b7c2b479c32b2b401dc875bca1d7125f2206b083d7c3595fd827f8394aaf857e59a25f98e133aa59bac419b22a60ecc4dcade883bf217ce76c25bf844c40fa74b961f90a67d2780412891c49f0a2919b3e90a216daa5f5b12187e2194d0aaf50b254b52e403a2d613d1aa8ab4b1406f7658db03710cc75752e9c6e014f6cea3ce429ccdccee1a4e014cebcfa971e8a2ca8332a68239a7940d722481850165bf93643c3ee448eb480217442f19567918b7ea98722bb404e7fea558a2b515ac55d2575077dfc2f50273fd5e52652d17ab6fcd7bb7b23ce2dfbb368541453ea999f28add82bb8d70aa9e030893521bf57a08a9564ee7380562142734fd554d334b0b1a89677c22dc5490780f3c3724f9b4d6113eca073a241c8921b597755a33e1bb55138d85d229f434fcea0b0b147a98e4beb3ce1860b00e8137467d65753cb2ece6bc64d950641a48a3c38335c8dd738e7a30f50ae8fad4e09d5591459a3f3eabe6eecff8b254cea75dcdd898d7bd6886da929f85ffcddaa287f13e45a07bc16a6c1039b8f45bee3738abae9b22a109efdfc4dc64366a4c1f7367a2d5bb3dba425e01da86ccda2e90f343a52690fb687e18ada32624179557498228e5ce84f9baa96f6b2e854221f8ca9eb3e1b4c00ebec90935b0cbd2640140974c05d17794aeae5d5352a7579454419909d2339c51d57b9e4a4e1b77e034d291f225d83037ac01f286e920f6a16bf8e158945fda752d6b841031af85e8e778dd5b35e9b1bf9407a2baa402451ae8d9a7ffb1fa3ea990bd5d0674756982bf9393b655fd948425254ca242b37cdbd9d6d4782683fe31ba08a65053e9b273ffea343c360626638547c49bb876c132d0aae3d728c47952ad0da46da64a785e3862d05cb65519e29f8bd88a50558126c0c2a38c7fdf3809e76624a2efc9d8e2d48aa093766a90194dd80475dc2c18ce5884bc94979747aa8cd5f24a4b971d8efaaf5942666e3893430e6f89b5f0d7d14f113fe60bbe2e3da15b42ec8295fc52579f7a453686e36a4e3f6dcb113f0b6b54bdeb7574a7e47bb4b6a8341629d8251e022e19769b59c6263ec89edf585edca4e4c1af204d8b92603cfa6e7c8a02d2361aba1476b6195fa5809045ed7d27cc851832bb6272941549b69c22d09228531a0ded2db6c1fdedbd252fec4e35422d639a2bc2256701d4e2569122e3d0940c898adfcb46c46ea476eea3b54d7149947cb99424ddfbdc869b527f6a69815c5f9d42b43c36e46958960f575bfdc14a3da83de4249ab3f23f834aec3d2b5ca8891f9c91bc86eacebaa6b9457c95cde935110876fde8bf1e6f7f43a9276fb9a8a7e09603ba2715c11a153cbed9ace1618a36142bb7ae2cdcd7bcae3a69161f796ace5d857a07215735224ae5437685e0465c36eb8a3a87a3d86e4be0763cfdc06820a62a184721aa0a8007454b99c90306180c89ef7fc61d85f53e17fa8e3197508064d8d9f724c4d872ad8a538edfbc55520d27e4639474cdaede5e6f67ccbe5e3477a8912731c19a06f31328d7336bb50c00851cfc7ecad87159f3277a9729bec4f9d4a5373c3395e7ad9787595df98570420d3cef4585d02489b1d30f22685e9c1760ab276c1e9298873358e28f93977eb97350801937187519ea63fbbb8f8dfe1ba52fc7c614ec8c5341386f2c98dbeb0aeecdff35a9438c9c80b5942e81b22fc0641b48037a59ce1465fa74b2f440eb8eda65a55cab317afab76af725ffa6d6d142ad48236ead722c2bc40ad14cf3ac8ecd6d647c415cbaed4b48cbfc4f8ffbe19d76182a7fca34437668d26a6b1f815986ca4068d63fa3264e8d8f6ab623fb2ffd13c8368b23494628423416a81f57eae7349edf38128caf92c873143b75e8bad1eb3841c94ef717b5fd39ee1bfe6cd80700080174b598376a6a393d0d36cac777f1384629a575a4f2eafd30e86d07663cabd247572c09d7c6cc251bb5b5a641875a6854dd9d16fd46bec4a6b03a51752275df79906fea15c5cd8475da1814f0bc37e85f8aaa9aecaa7ddbb2dd10e3fa620108d26573af0aaed888ad51aec0763f8e9861cad69153a30f93456e51801d933385f0e67b09f0aa55977990fd38102276c87e2d2769c11ca86553d1a83483b33071cee53a2097530677bf0c56c74d9e19f87f4e3af806ac0ec376b1ab0235a15b203d19489b27049144f2697da6df29a7d88234568ba22d7676e0f57e2b910e4a84360849aa660ffada104186a41dabe7188c376b943a1855b006605b1ebf826eceb5334ccea81bf18a53f4fc70c1645fd8d4462edf5b928a5817dc59d583ac925200b3621d060a66cc237ad972bdde8ce8ec2058763207a52bf912bbf9108ad5c134f7991d54267a144d66c10adbfa261919c627af8b1d832aee1ad25de3d1d99c0a04221bb5bfc8a7c8f095b1346bfc692243763637516274579f2b9b5f37661b9805ef6be95b56e5e91b619f9b2ba8c931c900905566bab01a27a9b7722a3dcc0cc5fa9e0ed513486ef6e964ba57a7e932050cb69306213a3d0c1893a6df1fc23ac41a7890678d24021f3f2297a885595e0888ca69ae02606b68b6fc684bcdd6c9e0e74a53394bb3f80560507b599c8964bb12c1e9687ab7408dc02e953c27a419187c4310ade1b3a0b35431519f1429717fe080058d75aee1cb2406204052e5ac5eb0b30bc988a34e7c817cc24bb65984531c88100ca2ab139fc11d6988d596e9e1c511b06335baa9a0c40abdeeb53994d028748ec7e65004548526394de9df0e5ce0a0c22232d9fdf844b851946169a3d9a2da5d238693606365153688157ff58e0dea8d509ddfe36074096d715c99cde570788d1430d0545b727963a85c0da7f492e838e43b3cf8b6a1fc984d7989ea309f425c3cd53ce0302eb33543d5f9a0c7956f3ed58845ded88deca2084ca9eea1a5a74e2c7d41871222410d9d337dc76cd973dd3fb0dcde89514ff83c219a0b8e020ff671176da99897f3cfa35be9206e46e3d7215603aa09b091ef4db57a3d512f6451ce214e6207edd59d37ad7dfead333094a04ddab9c181472f25742a3e0a9973a4abeed587070b3c052a1ad1809b0db7de2754339dea4616d87d2a9a42e2b5a0b758b189d51dcb2b5093d4b9354e88209255022cd1119afe559aec8a45c573fce0d03856894530561c1370615fa4daddd13da76147bc7ce447c3c3da5e2e629255556f9324623e86f42a87ff429cd4497269b2abd214dd39702bc33aa7d12fe99100805b6970a01b5abf8e450d719245e0dc5da370bd1e624a7120fab8ba737e560a257fccb3dbba1fc341d0002d877436720846270be0fc0f2b68cabe63be5854813b62f29876a2480cb2ed1eae4d9dcd51596390b62c2befc0988acede4e871ff7ebeda48cd568f8761e7129ed6f596cccbbdce7634e58ecbd7e8ae3038147f454d8099fe12c5bbdf224f98574fa11f65f932380e039bb16ec1dbaf35fd57fa3d82b26f3e99136089f010be9ae75259a50c3cb8b354a18cd55d17b0788325664cd57b0b83cfe756db012120c91506643c26f0e3b2982fe7a3ebadb11e5dc72111b371e57b8afee104020194517e53263a9f2c2d9bdc8f9bc1dbfab1fa4853125c6fbfc38553076e31a3dea62ab066f8cc1f609803a8b26e931a8ab274567f9238e94357355cfd4e95acc0f9290c0c88c43438e985c299308adebdb38c9a3fd842f23694bddd6c3d31a99edeb09a8e46f38415962fbfd364694b39b4aff3da5e0e59bfe2f1df0f966860b4f0e31ba202b6d8e1dbd7eaae4327ae7eb6772a7ec2ea28d71f5ee696e6d671d47a4ea9ad1b9dee191b476a905d7f54e5b7b2cfde39268af729c507ff82fd9b20e5dc2abf0d0506c129053d7cc262dfb3b7f346ba20c63c83ba8a593e2a64e957cfc1e4104c5ba62630ecab330ae14ed2b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982b99b856b0401ce5cc085e2c5b766662ae77f9b8e37a4b191b8280fef1e6c27f3bc6a441a3036c1310886b671943e487d47f2c7d1b4bd125d7b0cf0f3090b8281bf285da82b9ddcb61db82e40163832eaa0f77657a5fccabb46e6a2b89b06f854bfde769562ba97b4e1fde1eb26eb5c670a13154f8a5b6b479b710ca239aff559c164fc6d2c20cb05925a4d50e56af6ce3d2c4c9fe95d8cac52e8f8728e82395ac1b3b057acfd3ff79d59523d30affc3d4269f7856e8bf45c7289a5e095d100a1c2561a8ce8729d8d6f8066946b215f07c83bdb542a3b55009d69a57220e3339fc2969a902dc2c2eab063dfdf50c7bcd56f9ce989045dbe41e0d9cd546eae6b30c3fbbb5fc9699a1e48dcc8e9ff6be63a35936f9f3f203925978cb822e0435a63c5bdcc6a758d9810226e1012a8aa8979fa7fc6205e162d136ae5399065a9a075c662f5b2ddfb067058c5e4bfc726fb86f3543c6ae4fe160b26915498dea6f9aac6765b0c795af907637ebc5e0703a285b44041e96d43e81922f8601a2346cafac8d02f7bf46941dbd67761d30c12585033bca9ca34bf4bd02d8d3fe13b313fecc9ca29ceb1a3a2e5e10b8eba5723222b119c9e51dc7ab7b195d16b505a29d896cb2c71f81a2592f38bb78ee7d6c62d399575de75f51ecdaad6b33003615aaba6cb3cdb8eb96570da4c544533189a73dcde533e23380ca8a51d0133eab9f0bc16ccf86807e7b572efee1d4c631744fcee4a44699a236927e46a5011188e9cb10ccecae728ae8fc29506d18ee4ba8f7ef68ed45d1fbff5273ea3e6c1f636173c1acef57bfcad0a3fb5a756d0dcf329f3135ec52d1eac2ec33d8ec94d81b5e92877cf004c6d421b104f80c2076b2ae28f27c065da7e61317364c0daef85d4ac7136cf961cb072619763a6f2594495b7941d11c634147324b267e958edaddd77936ed5cbf1579a017a587c69df1c0ec1bc5a29d0e252244998f91701c776d63f796dd6dc8d8296b85b1b802e430f48e4e8580261849591980fee8cd534c622942de5d70865663ae6ce65571200cf5e3148ca65ec06ffb3802453b78d3e112b10b386d757eb59003c4a7df43e64d5aadaed7a2d5fde15570511ec691cc92378253c44d9e26a194a1ff7d1f2b2659b3b8e6793e1f185633d4c6e17c81171e1d8f7c067da965e128b7810b230cec8880cb38416287f8676e88cacf7d86847865258a6d6db5378044d9ba78de9668c5e6320b6fed0ab7efe61191b8c749a351ebea7c48cdb55ce99250c1cd4c07bba00172845d8f46b3246a2d63debb02b058e526ff14bdb7a59b74dc1b3734723488d9b6d67be932c19d5e8da155f634f221e18d74524dc259fd862a143d4817de17d30f16ed2687929e73f387e9397415fcc74007821dd1a831e9da418794a92c7061de920eeb741edb4774334d8c8362f6c334c884cdebc8996917f9ea29356644ecd8945aceece8c44120730acf657afd64b02dde6e1e9e84a24abaa8658d8715d32e21ed51f1c548123155f4c88bbc8722eecbfbde311aaaa543d6c2f87bda69ac2d15a657a6fe8dfbc01e0571a8038c4a54373efe48e313a540cb86ed557b3041fdf4b5a95327d00e1ae1210cf10255c97720b11e5a5d52aa887812801789ec36413abb9ab204c79d2b9030a6f1605730133db3de761c5d96f779f5167df24f0cc72e33e5e849f83f1ff1572b9b11301c78346faeae80962a4e2dce1a1cd5104dc244b04ff4a852b5c3232c5dee7749500de87f1ec34fa7adacd8f11fc8efe29f4d7115fd2e7688e06b72f66043f9c2c4a1e5d64ec7af4291bcd47e2f7776a4332fd557f2ec54b631988ae3355d216334b43cd69ec9be4c081747bc436f9214d7af6693b43ef7c7af9cf6074c973b00efd34425eee8b2a0c8774b2ecca257da63053a9bc84ea4aac39026c53e6efcc56e99a22c3eece4848cd49ca360335e44c7f8febb42349649885fc6a945f97ed09e79081f5f1a6ed4877497aee8f121b7cb20768859bb785393d5dc91d1b2470408e7d3ae8f2e08df6880d599f89c5b4d5497164ab4489e79c233555c53031a90b02d11f51f4b871a9b2e0b43dd82576d80d178048c95d62876bc8c832f5d874f74e830336f4f4d7a9d1fd337b7a6d298d7d7271ab8b489c5304b871b1e8d8f1f1719198c2f6d6f68c4d97dd4270d909c97712cc4ce1098aecc9821ef8356e38cdc7f12b43f874e0c5e423b8dcf3ec9bc74de93af2cd4be092a7ea73859c777685e411f37cfd61dbe6be6c33deb3f372cdf279641d97eb6836ca1d55827b649a1268d3f3b7fda95dfc80c40b06dd680dd4bc8c57e989e1ba9cf36ea1d55ac172bdb0367fb0fdae004e66cf3dee59380f06e27f286fc5772ce658c9e1765867c07a6fdd131bfef2172e461fe90ab99dcb0825d7de72ae6bdfb9b2be0838f13fb7f0b4566cd0

About Threatray

Threatray is a novel malware analysis and intelligence platform. We support all key malware defense use cases, including identification / detection, hunting, response, and analysis. Threatray helps security teams of all skill levels to effectively identify and analyze ongoing and past compromises.

At the core of Threatray are highly scalable code similarity search algorithms that find code reuse between a new and millions of known samples in seconds. Our core search algorithms do not make use of traditional byte pattern matches and are thus highly resilient to code mutations.

Our user facing features are based on the core search technology. They include best of class threat family identification and detection, easy to use real-time retro-hunting and retro-detection, cluster analysis to quickly find relevant IOCs, and low-level multi-binary analysis capabilities. Some of our binary analysis capabilities have been used for the research presented in this report.

Contact us at https://threatray.com/contact-us or https://twitter.com/threatray

More to explore…

New endpoint memory scanner used by CERN

Threatray’s new endpoint memory scanner is used by CERN alongside its intelligence platform.

September 18, 2023

Threatray at Bsides 2022, Binary code as a searchable IOC

Key takeaways from our presentation @ Bsides Zurich by Carlos Rubio, our lead Malware Researcher and Jonas Wagner, co-founder and CTO.

September 25, 2022

Intel 471 and Threatray Announce Joint Research Collaboration

Intel 471, the premier provider of cyber threat intelligence for leading intelligence, security,

December 14, 2022

Ready to find out how Threatray can protect your organization?

Talk to an expert