Unit 42 finds polyglot files delivering IcedID malware

Threat actors are leveraging polyglot file attacks to evade detection and deliver information-stealing malware, according to new research.

Palo Alto Networks’ Unit 42 threat intelligence team discovered last month an attack technique that starts with a phishing email and combines polyglot file attacks with Microsoft Compiled HTML Help (CHM) file abuse. The sample analysis was published Tuesday in a blog post where Mark Lim, senior malware reverse engineer at Palo Alto Networks, detailed how the infamous IcedID, a malware abused by multiple ransomware gangs, was delivered as the final payload.

Though IcedID was involved in the attack chain that Unit 42 observed, the tactic highlighted a bigger threat as attackers can hide any malware by writing code in multiple languages to evade detection. The technique allows threat actors to bypass antimalware systems that rely on file format identification.

“It is important for defenders not to trust binaries based on their file types since polyglot files such as the one discussed here have more than one correct file type,” Lim wrote in the blog post.

While analyzing the August attack, researchers observed threat actors executing the same CHM file twice in the infection process. They also uncovered a command-and-control URL as one indicator of compromise for IcedID.

“The first execution exhibits benign activities, while the second execution stealthily carries out malicious behaviors,” the blog post read.

The first execution of the malicious CHM file used only the default Microsoft HTML Help executable, while the second used Microsoft HTML Application Host to execute the malicious JavaScript code.

Screenshot of the decoy help window that deploys IcedID malware
Unit 42 detailed an attack chain that allowed threat actors to evade detection and deploy IcedID.

Lim told TechTarget Editorial that the first CHM file acts as a decoy to the users, while the second one carries out malicious behaviors in the background. In this case, the decoy was a Microsoft Customer Service and Support window.

“Malware detection systems that rely on signatures that were based on file format identification might be evaded by the malicious CHM file,” Lim said in an email. “The malicious JavaScript code in the CHM file, given its short length, could easily be blended together with the rest of the legit HTML code in the CHM file.”

Lim confirmed that polyglot files have been used for some time, but warned in the blog post that threat actors continue to evolve their techniques to evade detection.

Unit 42 did not attribute the malicious CHM file to a specific threat group or cybercrime gang. Lim did note that multiple attack groups have used CHM files to conceal payloads written using PowerShell or JavaScript. Those groups include APT41, a Chinese state-sponsored outfit, and Evasive Serpens, an Iranian hacking group also known as APT34 or OilRig.

Source link


About the author


Add Comment

Click here to post a comment

Your email address will not be published.

Gadget Greed