CyberDefenders — IcedID Lab Walkthrough
A Cyber Threat Intelligence Challenge using VirusTotal, MITRE ATT&CK, and Recorded Future Triage.
Introduction:
Welcome to my weekly walkthrough! If you’ve stumbled across this blog searching for a comprehensive guide to the IcedID Lab from CyberDefenders, you’re in the right place. Prepare to dip your toes into the world of cyber threat intelligence!
In this scenario, we’re investigating a sample of the IcedID banking malware. Our goal is to understand how it operates and identify the threat actor behind it. Having this intelligence can help our team stay one step ahead of this potential threat.
To analyze the sample, we’ll leverage VirusTotal and Recorded Future Triage (tria.ge) to review previous analysis results about the malware. Then, we’ll pivot to MITRE ATT&CK, a global knowledge base of adversary tactics and techniques, to determine which threat actors are linked to the malware. Sounds like fun, right? Let’s get into it!
And if you find this walkthrough helpful — whether it levels-up your skills, gets you over a stumbling block, or serves as a handy reference — please give it a clap and consider following me for more content like this.
Thanks for reading and going on this investigation with me!
Challenge Link: https://cyberdefenders.org/blueteam-ctf-challenges/icedid/
Challenge Scenario:
A cyber threat group was identified for initiating widespread phishing campaigns to distribute further malicious payloads. The most frequently encountered payloads were IcedID. You have been given a hash of an IcedID sample to analyze and monitor the activities of this advanced persistent threat (APT) group.
Set up the REMnux Analysis Environment & Extract the Challenge File:
Safety first! When working with lab/challenge files from CyberDefenders (or any educational lab/challenge/range), it’s important to be responsible and stay safe by interacting with potentially malicious files in a dedicated, isolated virtual machine environment. For this challenge I’m using REMnux, a specialized Linux distribution for malware analysis.
To keep this write-up focused, I’m going to skip the step-by-step setup directions for REMnux, but if you’d like to set up your own environment, please follow the guide provided by REMnux directly. For reference, I used the virtual appliance method:
Once we have a safe virtual environment created, updated, isolated, and snapshotted, we can extract the challenge file and start the investigation!
Question 1: What is the name of the file associated with the given hash?
Let’s kick off this challenge by extracting the challenge file using the password linked in the challenge.
Once extracted, we’ll see the file, hash.txt, which contains a file hash of an IcedID malware sample. According to MITRE ATT&CK, this malware “is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017”.
With the unique file hash in our possession, we’ll turn to external services to gather threat intelligence and learn more about the malware. We’ll start with VirusTotal.
191eda0c539d284b29efe556abb05cd75a9077a0
In your web browser, navigate to the VirusTotal site and paste the file hash into the search field.
To answer Question 1, navigate to the “Details” tab and scroll to the “Names” section, to find the file names associated with the hash. One of them matches the format given by the question.
Question 2: Can you identify the filename of the GIF file that was deployed?
Next, to answer Question 2, we need to identify the GIF downloaded by the malware which we can locate in several places on VirusTotal.
The first spot we can check is on the “Relations” tab under the “Contacted URLs” section. There we’ll find several URLs that point to the file, 3003.gif.
Another area that we can discover this information is on the “Behavior” tab under “Network Communication” > “HTTP Requests,” where network communications are documented after the file has been executed in the VirusTotal sandbox. We’ll see the same references to the GIF file that we saw before.
Question 3: How many domains does the malware look to download the additional payload file in Q2?
We’ve already stumbled on the answer in the previous question when we examined the “Contacted URLs” section. Looking for URLs hosting 3003.gif, we’ll note five listed domains:
Question 4: From the domains mentioned in Q3, a DNS registrar was predominantly used by the threat actor to host their harmful content, enabling the malware’s functionality. Can you specify the Registrar INC?
Now, let’s take a closer look at the five domains we discovered in the previous question, focusing on the “Contacted Domains” section. This table gives us some additional, high-level information including the domain registrars for each entry.
To answer Question 4, we need to determine the predominant registrar among the five hosting the GIF file. From the table, we’ll identify that 2/5 used NameCheap.
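The same pivot (file names, then hosts serving the GIF, then the registrar split across those hosts) can be scripted against VirusTotal API v3 responses instead of clicking through the tabs. This is an added example, not part of the original write-up or of VirusTotal’s tooling; the embedded JSON is constructed to mirror the v3 object shapes for `/files/{hash}`, `/files/{hash}/contacted_urls` and `/files/{hash}/contacted_domains`, and every domain, registrar and filename in it is a placeholder rather than the lab’s real data.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample responses mirroring VirusTotal API v3 object shapes.
# Domains (".invalid" TLD), registrars and names are placeholders, not the lab's data.
FILE_OBJECT = {"data": {"attributes": {"names": ["invoice_0312.dll", "setup.tmp"]}}}
CONTACTED_URLS = {"data": [
    {"attributes": {"url": "http://cdn-a.invalid/3003.gif"}},
    {"attributes": {"url": "http://cdn-b.invalid/3003.gif"}},
    {"attributes": {"url": "http://cdn-c.invalid/files/3003.gif"}},
    {"attributes": {"url": "http://cdn-d.invalid/3003.gif"}},
    {"attributes": {"url": "http://cdn-e.invalid/3003.gif"}},
    {"attributes": {"url": "http://cdn-a.invalid/3003.gif?v=2"}},  # same host twice
    {"attributes": {"url": "http://telemetry.invalid/ping"}},       # unrelated URL
]}
CONTACTED_DOMAINS = {"data": [
    {"id": "cdn-a.invalid", "attributes": {"registrar": "NameCheap, Inc."}},
    {"id": "cdn-b.invalid", "attributes": {"registrar": "NameCheap, Inc."}},
    {"id": "cdn-c.invalid", "attributes": {"registrar": "Registrar X"}},
    {"id": "cdn-d.invalid", "attributes": {"registrar": "Registrar Y"}},
    {"id": "cdn-e.invalid", "attributes": {}},                       # no WHOIS data
    {"id": "telemetry.invalid", "attributes": {"registrar": "Registrar X"}},
]}

def file_names(file_obj):
    """Q1: every filename VirusTotal has seen for the hash ("Details" > "Names")."""
    return list(file_obj["data"]["attributes"].get("names", []))

def payload_hosts(contacted_urls, payload="3003.gif"):
    """Q2/Q3: distinct hosts whose contacted URL path ends in the payload filename."""
    hosts = set()
    for item in contacted_urls["data"]:
        parsed = urlparse(item["attributes"]["url"])
        if parsed.path.rsplit("/", 1)[-1] == payload:  # ignore query strings
            hosts.add(parsed.hostname)
    return sorted(hosts)

def registrar_breakdown(contacted_domains, hosts):
    """Q4: registrar counts restricted to the payload-hosting domains only."""
    registrar_by_domain = {d["id"]: d["attributes"].get("registrar", "unknown")
                           for d in contacted_domains["data"]}
    return Counter(registrar_by_domain.get(h, "unknown") for h in hosts)

def predominant_registrar(contacted_urls, contacted_domains, payload="3003.gif"):
    """Return (registrar, count, total_hosts) for the most common registrar."""
    hosts = payload_hosts(contacted_urls, payload)
    registrar, n = registrar_breakdown(contacted_domains, hosts).most_common(1)[0]
    return registrar, n, len(hosts)

if __name__ == "__main__":
    print(file_names(FILE_OBJECT), payload_hosts(CONTACTED_URLS))
    print(predominant_registrar(CONTACTED_URLS, CONTACTED_DOMAINS))
```

Restricting the registrar count to the hosts that actually served the GIF matters: the “Contacted Domains” table also lists unrelated infrastructure that would otherwise skew the tally.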
Question 5: Could you specify the threat actor linked to the sample provided?
Since we know the malware family name already, we now need to hunt for the threat actor group that deploys this malware. For this, we can turn back to the MITRE ATT&CK knowledge base page for IcedID, which will point us in the right direction.
Scroll down to the “Groups That Use This Software” section to identify the groups linked to the software. Let’s pick the first one (G0127) since it has the most references available.
Once on the page, we can see a description of TA551, also known as GOLD CABIN.
Question 6: In the Execution phase, what function does the malware employ to fetch extra payloads onto the system?
For the final question, let’s jump back to VirusTotal and hunt for execution tactics within the results. Select the “Behaviors” tab, scroll down to the “MITRE ATT&CK Tactics and Techniques” section, and expand the “Execution” entry.
After a cursory scan, we’ll spot a potential hit for the function we are looking for, UrlDownloadToFile. Next, let’s take this a step further and check the malware’s file hash on another source, Recorded Future Triage (Tria.ge).
After submitting the file hash, let’s see what we can discover by selecting any of the available reports. Then, within the report, navigate to the Malware Config section which displays the source of the file.
We’ll see within the malware’s configuration a similar function to the one we identified on VirusTotal, calling the URLs previously identified. This gives us a high degree of confidence that we’ve found the right function. Now let’s submit the answer and wrap up this investigation!
Conclusion:
Job well done! After collecting the IcedID file hash, we moved over to VirusTotal to learn more about the next stage payload downloaded by the malware and where it was hosted. Then, we leveraged MITRE ATT&CK to identify which threat actor group the malware is associated with. Finally, we reviewed the same sample on Tria.ge to gain additional indicators of how the payload is downloaded. We’ve now put the pieces together and can provide our team with context and indicators of compromise to watch out for! Having completed our objectives, let’s close out this walkthrough of the IcedID Lab.
A big thank you to CyberDefenders, for another engaging lab. I always keep a threat intelligence challenge in the rotation. I believe that experience with tools like VirusTotal, MITRE ATT&CK, and Tria.ge is a fundamental skill in this field. Hands-on practice with these tools can be especially beneficial when time is of the essence during incident response or when defending against a specific threat actor. I don’t often get the opportunity to work with Tria.ge, but every time I encounter it, I’m really impressed with the output and results — I’ll definitely turn to this tool more often in the real world!
Thanks for your support and going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps fuel my commitment to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!
Until next week’s challenge — stay curious and be safe out there!
Tools & References:
VirusTotal: https://www.virustotal.com/
MITRE ATT&CK — Software — IcedID (S0483): https://attack.mitre.org/software/S0483/
MITRE ATT&CK — Groups — TA551 (G0127): https://attack.mitre.org/groups/G0127/
Recorded Future Triage Reports: https://tria.ge/s?q=d86405130184186154daa4a5132dd1364ab05d1f14034c7f0a0cda690a91116d