De-icing IcedID: Decompression and Decryption Methods Explained in an IcedID Attack
- by nlqip
The next step in this process is to convert the decrypted and decompressed data file from binary into a human-readable format. The following Python snippet provides a regular expression that will roughly split the injects from one another (the pattern is one NUL byte, seven arbitrary bytes, two NUL bytes, then one non-NUL byte; the first seven bytes of the file are skipped):
import re
# data holds the decrypted and decompressed file as bytes, so the pattern is a bytes regex
regex_res = re.split(rb'[\x00]{1}[\x00-\xff]{7}[\x00]{2}[\x01-\xff]{1}', data[7:])
The steps outlined here can be used on the different webinjects files and command and control (C&C) list files dropped by IcedID.
During an attack, decompression and decryption are essential steps in IcedID's attack process. Once the decompression takes place, the resulting data file is loaded into the malware's proxy module. When an infected system visits a website in the target list, IcedID injects the relevant webinjects. The ability to decompress and decrypt these files into a human-readable format grants visibility into which sites are being targeted by the malware and what kinds of web injections are being used during its attacks.
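As an added illustration, not code from the F5 article or from the malware itself, the following Python applies the split from the snippet above to a constructed blob and renders each chunk as printable text. The byte layout produced by build_sample_blob is an assumption made only so the separator regex has something to match: the page does not document the real record format, and the article calls the split rough, so treat the output as a first pass for a human to read rather than a faithful parser.

```python
import re
import struct

# Separator pattern from the article, written as a bytes regex so it runs on a
# bytes object under Python 3: one NUL, seven arbitrary bytes, two NULs, one non-NUL byte.
INJECT_SPLIT_RE = re.compile(rb'[\x00]{1}[\x00-\xff]{7}[\x00]{2}[\x01-\xff]{1}')


def split_injects(data: bytes) -> list:
    """Apply the article's split to the decrypted and decompressed blob.

    The first 7 bytes are skipped, as in the article, and empty chunks
    (for example the one before the first separator) are dropped.
    """
    return [chunk for chunk in INJECT_SPLIT_RE.split(data[7:]) if chunk]


def to_printable(chunk: bytes) -> str:
    """Render a chunk for a human: keep printable ASCII, show anything else as '.'."""
    return ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)


def dump_injects(data: bytes) -> list:
    """Return the human-readable form of every chunk, in file order."""
    return [to_printable(chunk) for chunk in split_injects(data)]


def build_sample_blob(records: list) -> bytes:
    """Constructed test input (an assumption, not the real IcedID layout).

    A 7-byte prefix is followed by the records, each preceded by an 11-byte
    separator shaped to match INJECT_SPLIT_RE: a NUL, a 4-byte little-endian
    length plus 3 NULs (standing in for the 7 arbitrary bytes), two NULs, then a
    non-zero record index. Only up to 255 records are supported by this toy builder.
    """
    blob = b'HDR\x00\x00\x00\x00'  # 7-byte prefix; the contents are a placeholder
    for index, rec in enumerate(records, start=1):
        separator = (b'\x00'
                     + struct.pack('<I', len(rec)) + b'\x00\x00\x00'
                     + b'\x00\x00'
                     + bytes([index]))
        blob += separator + rec
    return blob


if __name__ == '__main__':
    sample = build_sample_blob([
        b'https://bank.example/login',                         # constructed target URL
        b'<script src="https://cdn.example/inj.js"></script>',  # constructed inject body
        b'tab\there',                                          # shows non-printable handling
    ])
    for line in dump_injects(sample):
        print(line)
```

Because the separator is only a shape, a record whose body happens to contain a NUL followed ten bytes later by two NULs and a non-NUL byte will be cut in two; that is the "roughly" in the article, and it is why the split is a viewing aid rather than a format definition.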
Conclusions
IcedID is an active banking trojan that has been seen collaborating with other malware in the past. IcedID continues to target many different financial institutions, as well as social media sites, search engines, and video streaming services. This means that everyone should be aware of the dangers of this trojan. The decompression and decryption technique described here provides an additional resource and tool for researchers looking to glean more detail from the IcedID samples they may encounter.
Countermeasures
The following security controls are recommended to mitigate these types of attacks: