Fake Microsoft Teams website used to download IcedID malware

πŸŒβ€‹ mlcrosofteams[.]top
⬇️​ Downloads .zip containing .msi

#IcedID C2: whothitheka[.]com

This is likely being distributed by #malvertising, but I wasn't able to capture the advertisement.

193.222.62[.]37 is also hosting fake IRS & Royal Mail websites:
🌐 irs-forms[.]top
🌐 royalmail.orders-info[.]uk

🔗 https://www.virustotal.com/gui/file/8ed2026fd98d54f9ad85d721223b60bd8b6c1362faeb4c24492d2bb63a7c357b/details
🔗 https://urlscan.io/result/a0e5de3e-75ea-46f4-8340-0ab09c440850/
🔗 https://urlscan.io/ip/193.222.62.37

#CTI #threatintelligence #ThreatIntel #Malware

@th3_protoCOL Why haven't the other engines made a similar detection or determination, given the file is clearly malicious?
@0bondo7 Static detections shown on VirusTotal are just the tip of the iceberg of detection possibilities! Some AV products are better at detecting the underlying IcedID payload (DLL) instead of the delivery package (.zip/.MSI in this case).
@th3_protoCOL What you said makes a lot of sense. Thank you.

@th3_protoCOL More #IcedID domains:

item-tracking[.]link
mlcrosofteams[.]top
my-deliveries[.]link
orders-info[.]uk
parcel-info[.]link
royaimaii[.]link
royaimail[.]uk
royalmaii.co[.]uk
royalmaii[.]uk
vvv-discord[.]top
vwv-discord[.]top
vwvv-discord[.]top
webeex[.]top
wvvw-citrix[.]top
wvw-adobe[.]top
wvw-irs-forms[.]top
wwv-slack[.]top
www-adobecom[.]top
www-anydeskcom[.]top
www-basecamp[.]top
www-fortlnet[.]top
www-llbreofflce[.]top
www-microsofteams[.]top
www-obsproject[.]top
www-onenote[.]top
www-realvnc[.]top
www-thunderblrd[.]top
wwww-citrix[.]top
wwww-irs-form[.]top
wwww-teamvlewer[.]top
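The list above shows the same tricks over and over: a "www"-style prefix glued to the name with a hyphen (vvv-, vwv-, wvvw-, wwww-), l/i swapped (mlcrosofteams, fortlnet, thunderblrd), a brand fused with "com" (adobecom, anydeskcom), a real brand parked as a subdomain of an unrelated registered domain (royalmail.orders-info[.]uk), and brand-free delivery/tax lures (parcel-info, item-tracking). The following is an added example, not code from the original post or from any vendor, that turns those observations into a lookalike-domain classifier and runs it over the defanged domains quoted in the thread. The brand list, the lure-word set, the single two-level public suffix and the homoglyph table are assumptions chosen to fit the sample; a real deployment would load monitored brands from configuration and use the Public Suffix List.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Brands the sample domains impersonate, longest first so that
# "microsoftteams" is tried before "microsoft". Assumed list for this example.
BRANDS = (
    "microsoftteams", "libreoffice", "thunderbird", "teamviewer", "obsproject",
    "royalmail", "microsoft", "basecamp", "fortinet", "anydesk", "discord",
    "onenote", "realvnc", "citrix", "adobe", "slack", "webex", "irs",
)
# Words that carry a delivery/tax lure even without a brand (assumed set).
LURE_WORDS = {"orders", "parcel", "deliveries", "tracking", "forms", "form", "info"}
# Only the two-level suffix present in the sample; use the Public Suffix List
# for anything real (assumption for this example).
TWO_LEVEL_SUFFIXES = ("co.uk",)
# "www" lookalikes joined to the name with a hyphen: vvv-, vwv-, wvvw-, wwww- ...
WWW_LOOKALIKE = re.compile(r"^[wv]{3,5}$")


def refang(domain: str) -> str:
    return domain.strip().lower().replace("[.]", ".")


def canonical(token: str) -> str:
    """Collapse characters attackers swap for look-alikes so that e.g.
    'fortlnet' and 'fortinet' canonicalise to the same string."""
    t = token.replace("rn", "m").replace("vv", "w")
    return t.translate(str.maketrans({"l": "1", "i": "1", "0": "o"}))


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_labels(domain: str) -> list:
    """Labels of the name with the public suffix removed, leftmost first."""
    d = refang(domain)
    for suffix in TWO_LEVEL_SUFFIXES:
        if d.endswith("." + suffix):
            return d[: -len(suffix) - 1].split(".")
    return d.rsplit(".", 1)[0].split(".")


def match_brand(token: str) -> Optional[tuple]:
    c = canonical(token)
    for brand in BRANDS:
        cb = canonical(brand)
        if token == brand:
            return brand, "exact brand string"
        if c == cb:
            return brand, "homoglyph substitution (l/i/1, 0/o, rn/m, vv/w)"
        if c == cb + "com":
            return brand, "brand fused with 'com'"
        if len(cb) >= 5 and levenshtein(c, cb) == 1:
            return brand, "one edit away from the brand"
    return None


@dataclass
class Verdict:
    domain: str
    brand: Optional[str] = None
    reasons: list = field(default_factory=list)


def classify(domain: str) -> Verdict:
    v = Verdict(domain)
    labels = name_labels(domain)
    for idx, label in enumerate(labels):
        tokens = label.split("-")
        if len(tokens) > 1 and WWW_LOOKALIKE.match(tokens[0]):
            v.reasons.append(f"'{tokens[0]}-' prefix imitates 'www.' inside the name")
            tokens = tokens[1:]
        # Try each hyphen-separated token and the hyphen-less join ("irs-forms").
        candidates = tokens + (["".join(tokens)] if len(tokens) > 1 else [])
        for tok in candidates:
            hit = match_brand(tok)
            if hit and v.brand is None:
                v.brand, why = hit
                where = " (as a subdomain of an unrelated name)" if idx < len(labels) - 1 else ""
                v.reasons.append(f"'{tok}' impersonates {v.brand}: {why}{where}")
        v.reasons.extend(f"generic lure word '{t}'" for t in tokens if t in LURE_WORDS)
    return v


# Sample input: defanged domains copied from the post above; nothing is contacted.
SAMPLE_DOMAINS = [
    "mlcrosofteams[.]top", "whothitheka[.]com", "irs-forms[.]top",
    "royalmail.orders-info[.]uk", "royaimaii[.]link", "royalmaii.co[.]uk",
    "vwvv-discord[.]top", "wvvw-citrix[.]top", "www-adobecom[.]top",
    "www-fortlnet[.]top", "www-llbreofflce[.]top", "webeex[.]top",
    "wwww-teamvlewer[.]top", "orders-info[.]uk", "item-tracking[.]link",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        v = classify(d)
        print(f"{d:28} brand={v.brand or '-':15} {'; '.join(v.reasons) or 'no signal'}")
```

Note what the heuristic does and does not catch: every brand-impersonating domain in the list gets a brand and a reason, the C2 domain whothitheka[.]com and the generic lures come back with no brand, and the generic lures are only flagged by the lure-word list. That is the honest limit of string-based lookalike detection; the delivery lures need the hosting-IP pivot the original post made (urlscan on 193.222.62[.]37) or passive DNS, not a name check.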

@th3_protoCOL Incredible that you can use Teams as bait...

But yeah, I'm sure there's a correlation between low tech skills/low security awareness in an organization and using Teams.

@th3_protoCOL Some of us would consider Microsoft Teams (well, Microsoft Anything, for that matter) malware already. Making this just another layer of malware upon malware.
@th3_protoCOL the irony is that the malware is probably better quality software than MS Teams
@th3_protoCOL ?! Do you have more examples of malvertising? Is it just a splash / landing page that looks authentic, or is it also real ads being bought on search engines that lead to a phishing / malware link?

🔗 IcedID Botnet Distributors Abuse Google PPC to Distribute Malware (Trend Micro)
We analyze the latest changes in the IcedID botnet from a campaign that abuses Google pay-per-click (PPC) ads to distribute IcedID via malvertising attacks.
@th3_protoCOL @StrykerNoStriking Thank you @th3_protoCOL, and please don't hesitate @StrykerNoStriking to reply or DM for additional info. Happy to help.

@ian_kenefick @th3_protoCOL Ooohhhh sir, you may regret that offer... I'm downright irritating my CISO and his deputy lately with questions. ^^;

Saving this as a podcast episode concept, so don't be surprised if I ding you in a month. (Would you want to come on as a guest? I can't pay, but it's a fun time! #Exposure #ImSoSorry 😅)