Rewterz Threat Alert – IcedID banking Trojan – Active IOCs
February 21, 2022
Contextual Threat Intelligence, Empowering Organizations By Providing More Insights
February 21, 2022Severity
High
Analysis Summary
The devil ransomware, which is a part of the phobos family of ransomware, are quickly gaining momentum. They infect victim’s files and encrypt them appending the victim’s ID, add a “.devil” extension to filenames, and encrypt their email addresses. For example, a file such as “1.jpg” is renamed to a filename such as “1.jpg.id[1E857D00-2574].[decrypt4data@protonmail.com].devil“, and so on.
The ransomware encrypts the victim’s files and provides instructions on how to retrieve them using said instructions.
In this case, it creates the “info.txt” file and displays a pop-up window (info.hta).
Cyber criminals often attempt to trick people into installing malware by sending emails that are disguised as important or official, but actually contain malicious attachments and/or web links that download malicious files. If opened, these files/attachments infect operating systems with malware.
Some examples of files that are attached to these emails are Microsoft Office, PDF documents, JavaScript files, executable files such as .exe, and archives in ZIP, RAR and other formats. Malicious software is also installed when people open files downloaded through untrustworthy sources. – Tomas Meskauskas
Impact
- File Encryption
- Data Exfiltration
- Credential Theft
- Financial Loss
Indicators of Compromise
Filename
- devilransom[.]exe[.]devil
- installsetupupdate[.]exe
MD5
- b834c44a3e5298a3f23a1355409d2578
- 6c5a3a112b3940c55f8653597b1b7152
SHA-256
- a6ddcbca65d8fdd771f1d9e271a42e601fcebb5e6f6c49ec30113e930b2cd790
- 471a338122025eb481779092de78653df6434715590d741c95e5138c87147488
SHA-1
- ba9fc22891f7480c49ee9e4d9409f833fc9484d8
- 3578eb4cf6c30d3bd779c5e3b1ddbf6a8a2ab3b5
Remediation
- Block all threat indicators at their respective controls.
- Search for IOCs in your environment.