IcedID is a modular banking trojan typically used to gather web credentials and financial information through sophisticated man-in-the-browser attacks, as well as serve as a dropper for other malware. It’s been in the news recently as upticks of attacks using IcedID have been seen in the wild. IcedID is a complex adversary, being polymorphic, encrypting DAT files while at rest, it uses encryption keys unique to the client and file IDs. IcedID uses a mix of web injection, proxies, and redirection to present victims with impersonated banking sites, collecting credentials, and passes them through to the legitimate site for verification – including MFA details.
Gootloader is considered an Initial Access as a Service platform, providing access to networks within everything from the U.S. Military and Government networks, to organizations within a wide range of industries along with their suppliers.
These two together pose a risk to organizations, where corporate online banking of any kind is at risk, making this an extremely valid example for cybersecurity practitioners to better understand the current state of how JavaScript-based malware is utilized today to deliver malware.
In this real training for free session, 4-time Microsoft MVP, Nick Cavalancia, takes my seat as he first discusses:
- The history of Gootloader: from banking trojan to IAaaS provider
- A look at attacks that have leveraged Gootloader
- Mapping Gootloader to MITRE
Next up, you’ll hear from James Dunne, Associate Detection and Response Analyst at Rapid7, as he performs a live malware analysis, demonstrating the first stage Gootloader JavaScript payload and the second stage PowerShell execution that result in the loading of IcedID out of the Windows Registry using x64dbg.
James’ live analysis will include discussing:
- An overview of Gootloader attack chain
- The deobfuscation of Gootloader JavaScript payload using python / analysis of JavaScript functionality and uncovering c2 servers
- An analysis of second stage PowerShell payload that gets written to the registry and creation of scheduled task
- An analysis of .NET stager to deobfuscate payload stored in registry
- The manual unpacking of IceID with x64dbg
- Detection of an IcedID sample using a Yara rule
- Uncovering IcedID c2 with x64db setting breakpoints
This Real Training for Free session will be chock full of practical technical detail! Register today!