The next step in this process is to convert the decrypted and decompressed data file from binary into a human readable format. The following python snippet provides a regular expression that will roughly split the injects from one another:

import re

regex_res = re.split(‘[x00]{1}[x00-xff]{7}[x00]{2}[x01-xff]{1}’, data[7:])

The steps outlined here can be used on the different webinjects files and command and control (C&C) list files dropped by IcedID.

During an attack, decompression and decryption is an essential step in IcedID’s attack process. Once the decompression takes place, the resulting data file is loaded into the malware’s proxy module. When an infected system visits a website in the target list, IcedID injects the relevant webinjects. The ability to decompress and decrypt these files into a human readable format grants visibility into what sites are being targeted by the malware, and what kinds of web injections are being used during its attacks.

Conclusions

IcedID is an active banking trojan that has been seen collaborating with other malware in the past. IcedID continues to target many different financial institutions, as well as social media sites, search engines, and video streaming. This means that everyone should be aware of the dangers of this trojan. This decompression and decryption technique provides an additional resource and tool for researchers looking to glean more detail from the IcedID samples they may encounter.

Countermeasures

The following security controls are recommended to mitigate these types of attacks: