IcedID Being Distributed Through ISO Files

David H. Lipman

The ASEC analysis team has been reporting on various types of malware distributed through ISO files, and recently discovered the distribution of IcedID (module-type banking malware) through ISO files. There were two methods of distributing the malware. The first used the same method employed by the Bumblebee malware that was discussed in the previous post. The second is similar to the first but adds script files and the cmd command.

The first type used the same process for distribution and execution of IcedID as that of Bumblebee discussed in the previous post. It used the email hijacking technique to snatch normal emails and send replies to users with malicious file attachments (see the figure below). The file is compressed and protected with a password written in the email.

[Figure: Phishing email]

Inside the compressed file is an ISO file. Running the ISO file creates an lnk and a DLL file in the DVD drive, and the malicious DLL is loaded through the lnk file. The DLL is set as hidden, and the process for loading is identical to that of Bumblebee.

  • lnk command
    %windir%\system32\cmd.exe /c start rundll32.exe hertbe.dll,#1

[Figure: Malicious files created upon running the ISO file]

[Figure: lnk properties]


The loaded DLL is IcedID. Similar to Emotet and Dridex, IcedID is a banking malware that performs malicious behaviors by downloading the main module. The DLL’s C2 is as follows:

  • C2

The second type includes additional files inside the ISO file besides lnk and DLL. Inside the ISO are an lnk file and two folders as shown below.

[Figure: Files inside the ISO file]

[Figure: Files inside “them” folder]


The lnk file runs the worker.cmd file inside “them” folder.

  • lnk command

[Figure: lnk properties]


The worker.cmd file executed by the lnk file runs the worker.js file located in the same folder with the argument “l32”.

[Figure: Internal code of worker.cmd]

The worker.js file combines the two strings “l32” (received as an argument) and “rundl” to ultimately load the then.dat file inside the same folder through rundll32.exe.

[Figure: Internal code of worker.js]

The loaded then.dat file is a DLL file (IcedID). Its C2 and packets are shown below. The second type ultimately loads a DLL using the lnk file in the same way as the first type, while going through additional steps.

  • C2

[Figure: Packet upon connecting to C2]


There has been a recent increase in the distribution of malware through ISO files. As attackers are also using a method of sending replies after snatching normal emails, users need to be cautious and refrain from opening attachments. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.


PLEASE read the entire article on asec.ahnlab.com.

Edited by David H. Lipman
Fixed content that got munged
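
As an added example (not part of the ASEC article or this post): because worker.js assembles the name "rundll32" from "rundl" and "l32", a string search of the script misses it, but the final rundll32 command line is still visible in process-creation telemetry. The sketch below scores such command lines; the sample lines other than the quoted lnk command, the `ExampleExport` name, and the two-signal threshold are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# rundll32 <module>,<export>: capture the module path and the export name/ordinal.
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
THRESHOLD = 2  # assumption: one weak signal alone is too noisy to alert on


def rundll32_findings(cmdline):
    """Return the weak signals present in one process command line."""
    m = RUNDLL.search(cmdline)
    if not m:
        return []
    module = PureWindowsPath(m.group("module").strip())
    reasons = []
    if m.group("export").startswith("#"):
        reasons.append("export called by ordinal")
    if module.suffix.lower() not in (".dll", ".cpl"):
        reasons.append("module lacks a DLL extension")
    if not module.is_absolute():
        reasons.append("module path is relative")
    return reasons


def triage(cmdlines):
    """Keep only command lines that reach the alert threshold."""
    hits = []
    for line in cmdlines:
        reasons = rundll32_findings(line)
        if len(reasons) >= THRESHOLD:
            hits.append((line, reasons))
    return hits


# Constructed sample telemetry. Only the first line is quoted from the article;
# the then.dat export name and the benign lines are made up for illustration.
SAMPLE = [
    r"%windir%\system32\cmd.exe /c start rundll32.exe hertbe.dll,#1",
    r"rundll32.exe them\then.dat,ExampleExport",
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,#61',
    r"C:\Windows\System32\notepad.exe notes.txt",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE):
        print(f"ALERT {line}\n      {'; '.join(reasons)}")
```

Both loader styles described in the article reach the threshold, while the two ordinary rundll32 uses each carry only one signal and are not alerted on.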