Tuesday, October 19, 2021

Tracking Recent IcedID Campaign using Halogen

Overview

Tracking malware campaigns can be a fun yet challenging process, as there are always changes happening on the attacker side, forcing defenders to constantly monitor and adapt. One mark of a robust detection is its resilience and longevity. If a defender can develop a signature that lasts through several campaigns across multiple days, that may qualify as a successful detector. A key question after a detection is made is how many resources were used to build the logic, such as analyst time, the collected data used to make decisions for the detection, and the scripting or programmatic code used to generate signatures for new samples. By weighing these inputs to the detection, you get a better idea of the return on investment (ROI) for the detection, which can definitely be expedited with automation.

In this post, we will cover a Python tool called Halogen, released by the security team at Target, that allows analysts to auto-generate YARA rules based on lure images stored inside different Office documents. We will take a recent IcedID campaign and use the tool to build a signature on a lure template.

Detection Process

Before we start using the tool, let’s talk through the problem and what we are trying to achieve as a defender. Part of the weaponization phase for an adversary typically includes an attached Office document with the goal to entice a user to enable macros or click an embedded hyperlink. Below is an example lure template:

Example Lure Template

For these criminal campaigns, lures are built and sent out every day. The subjects, senders, recipients and email infrastructure typically change, but some data may carry over into multiple campaigns, such as the metadata within the Office files or, in this case, the images that are embedded in the document.

For this specific IcedID campaign, we will take a look at this sample. Since this file uses the Office Open XML format, we can access the stored image by unzipping the file.

Unzipped Directory Contents of IcedID Sample

Within the media directory, we can find the lure template that is used within IcedID phishing campaigns.

Directory Contents Showing Lure Template

Visually, this graphic is pretty generic and follows the common trend of enticing users to enable macros, which will start the IcedID infection chain.

IcedID Lure Template

If we look at the image from a byte perspective, a signature or fingerprint can usually be developed from the first bytes of this PNG image file. The first 8 bytes represent the PNG image magic header (89 50 4E 47 0D 0A 1A 0A). After these bytes, the data is represented in chunks per the PNG spec. Each chunk consists of:

  • Length – 4 byte unsigned integer listing the size of bytes in the chunk data field
  • Chunk type – 4 byte chunk type code
  • Chunk data – bytes belonging to the chunk
  • CRC – 4 byte CRC (Cyclic Redundancy Check) determined based on previous bytes

PNG Header

After the PNG header, data is represented inside the IHDR chunk, and the IDAT chunk follows afterwards. These bytes combined can make up a unique toolmark that carries across multiple campaigns, leading to future detections and allowing tracking of an adversary or campaign.

Halogen

Released last year by the team at Target, Halogen is an effective tool to generate YARA signatures based on the image data embedded in a document. To get started, download the repository and install the required dependencies. After the repo is set up, download the malicious sample on a local test VM and run the following command:

python.exe halogen/halogen.py -f "C:\tmp\95af2e46631be234a51785845079265629462e809e667081eb0b723116e265f3"

Halogen does all the work previously described, parsing out the header and the following PNG chunks. The end result is a YARA rule like the one below. The critical component for the detection logic is tied to $png_img_value_0, which represents the unique byte sequence from the beginning of the PNG file.

{
    meta:
        tlp = "amber"
        author = "Halogen Generated Rule"
        date = "2021-07-25"
        md5 = "b1254d3fa38e2418734d4a2851fc22a6"
        family = "IcedID"
        filename = "C:\tmp\95af2e46631be234a51785845079265629462e809e667081eb0b723116e265f3"
        scope = "['detection', 'collection']"
        intel = "['']"
    strings:
        $png_img_value_0 = {89504e470d0a1a0a0000000d49484452000003e4000000d60802000000d765df7d000001266943435041646f62652052474220283139393829000028cf636060327074717265126060c8cd2b290a72775288888c5260}
}

If we go back to the PNG image, the bytes used for the Halogen YARA signature are highlighted below.

YARA Signature inside PNG File
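The workflow described in the Detection Process section (open the Office Open XML container, read the image under the media directory, then split its leading bytes into the PNG magic header and chunk fields) is shown here as an added Python example; it is not Halogen's code. The function names are illustrative, the .docx is a constructed in-memory ZIP, and SIG is the $png_img_value_0 hex string from the rule above.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")
# $png_img_value_0 from the rule above, joined into one hex string.
SIG = bytes.fromhex(
    "89504e470d0a1a0a0000000d49484452000003e4000000d60802000000d765df7d"
    "000001266943435041646f62652052474220283139393829000028cf636060327074"
    "717265126060c8cd2b290a72775288888c5260"
)

def first_png_head(doc_bytes, n=len(SIG)):
    """Return (member name, first n bytes) of the first PNG under */media/ in an OOXML ZIP."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if "/media/" in info.filename:
                with zf.open(info) as fh:
                    head = fh.read(n)  # prefix only; never inflate the whole member
                if head.startswith(PNG_MAGIC):
                    return info.filename, head
    return None, b""

def walk_chunks(data):
    """Yield (type, declared length, data bytes present, CRC status) per chunk header seen."""
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(crc) == 4:  # the CRC covers chunk type + chunk data, not the length field
            status = zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
        else:
            status = None  # chunk runs past the captured prefix, so it cannot be checked
        yield ctype.decode("latin-1"), length, len(body), status
        pos += 12 + length

def sample_docx():
    """Constructed container: a ZIP holding only the signature bytes as word/media/image1.png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", SIG)
    return buf.getvalue()

if __name__ == "__main__":
    name, head = first_png_head(sample_docx())
    print(name, list(walk_chunks(head)))
```

On these bytes the walker reports a complete IHDR chunk (a 996 x 214 pixel image) followed by an iCCP colour-profile chunk that is cut off by the end of the signature, so only the IHDR CRC can be checked. The signature therefore keys on the image dimensions plus the start of the embedded colour profile.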

It’s a really straightforward yet effective methodology to start tracking different lure templates and campaigns. Since this sample is from a previous IcedID campaign from June, we can take this byte sequence and get immediate feedback from VirusTotal with a VTGrep search based on data in the last 90 days.

VirusTotal Results

In total, there were 53 samples found, ranging from files that appear to be from June 2nd to June 21. While this is a subset of data, it’s apparent that this detection for the lure template does have some longevity and can enable tracking across multiple campaigns. While the detection overlaps across multiple days, it should be noted that it’s not a catch-all for all IcedID lures. There are likely other lures mixed in with this template, so we would need to collect all the templates on a daily basis and continue to follow and build off each signature.

Conclusion

In this post, we reviewed a methodology used to track malware campaigns by identifying the beginning bytes inside a PNG file. Then we reviewed how to use Halogen to auto-generate a signature based on these unique bytes. Going through this detection workflow is a good exercise for analysts to understand the inputs and outputs of a detection and determine its resilience. Signatures can get a bad rap nowadays, but even if the shelf life of a signature is only a few hours or days, it might be worth trying out, especially if you can detect or prevent something when it takes so little time with a tool like Halogen.

SHA256: 95af2e46631be234a51785845079265629462e809e667081eb0b723116e265f3


