Professional Documents
Culture Documents
IcedID Botnet (Malvertising Campaign)
IcedID Botnet (Malvertising Campaign)
Summary
• Since December 2022, the abuse of Google pay per click (PPC) ads to distribute IcedID via
malvertising attacks. This variant is detected as TrojanSpy.Win64.ICEDID.SMYXCLGZ. Advertising
platforms like Google Ads enable businesses to display advertisements to target audiences for the
purpose of boosting traffic and increasing sales. Malware distributors abuse the same
functionality in a technique known as malvertising, wherein chosen keywords are hijacked to
display malicious ads that lure unsuspecting search engine users to downloading malware.
• Malicious actors used malvertising to distribute the IcedID malware via cloned webpages of
legitimate organizations and well-known applications. Recently, the Federal Bureau of
Investigation (FBI) published a warning pertaining to how cybercriminals abuse search engine
advertisement services to imitate legitimate brands and direct users to malicious sites for financial
gain.
• Attackers are selecting and ranking keywords used by popular brands and applications to hijack
Google pay-per-click (PPC) Ads, displaying malicious ads above the organic search results.
• Trend Micro researchers revealed that attackers are hijacking the keywords used by Adobe,
AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, Teamviewer, Thunderbird, the US
Internal Revenue Service (IRS), and others.
• Attackers abuse the legitimate Keitaro Traffic Direction System (TDS) to filter researcher and
sandbox traffic and redirect potential victims to cloned web pages of legitimate organizations and
well-known applications.
• If a user clicks on the Download button, a ZIP file containing a malicious Microsoft Software
Installer (MSI) or Windows Installer file will be downloaded on the user’s system.
December 2022 | Izzat_csoc
• The file works as an initial loader, fetching the bot core, and ultimately, dropping a backdoor
payload.
From investigation, the IcedID distributors hijacked the keywords used by these brands and
applications to display malicious ads:
• Adobe – A computer software company
• AnyDesk - A remote control application
• Brave Browser - A web browser
• Chase Bank - A banking application
• Discord - An instant messenger service
• Fortinet - A security company
• GoTo - A remote control application
• Libre Office - An open-source alternative to Microsoft Office
• OBS Project - A streaming application
• Ring - A home CCTV (closed-circuit) manufacturer
• Sandboxie - A virtualization/sandbox application
• Slack - An instant messaging application
• Teamviewer - A remote control application
• Thunderbird - An email client
Infection chain
The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately,
dropping the payload. The payload is typically a backdoor.
• Once the user selects the “Download” button, it downloads a malicious Microsoft Software
Installer (MSI) or Windows Installer file inside a ZIP file in the user’s system.
4. Execution
• “MsiExec.exe” executes (parent process) (MITRE ID T1218.007 - System Binary Proxy
Execution: msiexec)
• “rundll32.exe” is spawned (MITRE ID T1218.011 - System Binary Proxy Execution:
rundll32.exe)
• “rundll32.exe” runs the custom action “Z3z1Z” via
“zzzzInvokeManagedCustomActionOutOfProc” (MITRE ID T1218.011 - System Binary Proxy
Execution: rundll32.exe)
• The custom action spawns a second “rundll32.exe” to run the IcedID loader
“MSI3480c3c1.msi” with the “init” export function (MITRE IDs T1027.009 - Embedded
Payloads and T1218.011 - System Binary Proxy Execution: rundll32.exe)
December 2022 | Izzat_csoc
• Internet users should be cautious when dealing with promoted search results since they
carry all the signs of legitimacy. In addition, the FBI recently issued a warning about this type
of ad campaign.
• An ad-blocker on your web browser will filter out promoted results from Google Search,
helping you block these campaigns.
• If you need clarification on the official domain, you can find it on the Wikipedia page of the
software project you’re looking for.
• For direct access to a particular software project’s website, bookmark the URL if you visit it
frequently. In most cases, abnormal file size indicates that the installer you’re about to
download is malicious.
• These different campaigns have been going on for several weeks already. Although we don't
have statistics to figure out how many people were exposed
• The ads target popular keywords (which also indicates that the threat actors are not
opposed to paying a premium)
• Reported the malicious ads and flagged them under the "An ad/listing violates other Google
Ads policies" category.
• The browlock domains themselves have such a short lifespan that it is practically useless to
act upon them.
• Turn on the gTLD domains block in the settings for our Browser Guard browser extension.