Mapping a Vast and Currently Active IcedID Network
BokBot (also known as IcedID) started life as a banking trojan using man-in-the-browser attacks to steal credentials from online banking sessions and initiate fraudulent transactions. Over time, the operator(s) of BokBot have also developed its use as a delivery mechanism for other malware, in particular ransomware.
In the past BokBot was itself primarily distributed via the Emotet botnet. Since the takedown of Emotet earlier this year we have been tracking BokBot to see how the actors might react to and seek to exploit the situation for personal gain.
Over recent months we have been posting BokBot IOCs to our Twitter account (@teamcymru_S2) as we identify them. However, in this blog we want to share some of our broader techniques, as well as a brief insight into our recent view of the upward management of BokBot infrastructure. All ‘Tier 1’ BokBot domains and hosting IP addresses, which we have identified over the past six months, are available through our public GitHub.
Our research started with a list of BokBot controller domains, identified in a blog post by FireEye in February:
Pivoting on these domain names within our Passive DNS (PDNS) data holdings, we were able to identify several dozen linked domains, as well as a handful of ‘Tier 1’ hosting IP addresses. A summary of these findings is illustrated in Figure 1 below.
Figure 1: Initial PDNS Pivots
All of the domains we identified in this process used relatively uncommon top-level domains (TLDs) (Figure 2) and were registered through domain name registrars NameSilo and Porkbun. The majority of the Tier 1 IP addresses we identified were assigned to either Digital Ocean or M247.
These three elements (TLD, domain registrar and hosting provider) provide us with a repeating pattern, which gives us a degree of confidence that the identified domains are related.
Figure 2: Most Frequently Occuring TLDs
CERTIFICATE AND BANNER INFORMATION
Looking more closely at the Tier 1 IP addresses hosting these domains, more patterns begin to emerge. Firstly, these IP addresses host a self-signed X.509 certificate with the subject:
CN=localhost, C=AU, ST=Some State, O=Internet Widgits Pty Ltd
Whilst not unique to BokBot hosts, the repeated appearance of this certificate provides another indication that identified infrastructure is linked.
Secondly, we often observed banner information on these IP addresses indicating the use of OpenResty (a web platform based on Nginx). OpenResty has previously been identified as a tool favoured by the BokBot operator(s) for management activities – dating back to 2017.
NETWORK TRAFFIC ANALYSIS
Next, we utilized our network traffic data holdings to look for common peers amongst the Tier 1 IP addresses. Using this methodology, we identified several Tier 2 IP addresses which were used to relay traffic from the Tier 1 IP addresses over TCP/443. The Tier 2 IP addresses hosted banner information indicating the use of OpenResty, similar to the Tier 1 IP addresses.
We subsequently discovered these Tier 2 IP addresses were exchanging network traffic with dozens of previously unknown Tier 1 IP addresses, which we then enriched with PDNS data to identify further BokBot domains. This process becomes repeatable – pivoting between network traffic and PDNS data until all ‘new’ infrastructure identifications are exhausted.
A common attribute amongst the Tier 2 IP addresses was the hosting of an X.509 certificate with a CN value of ‘main.info’. This certificate was first observed on IP 126.96.36.199, assigned to Creanova Hosting Solutions Ltd in Finland, and subsequently observed on a further sixteen Tier 2 IP addresses (Table 1).
Table 1: BokBot Tier 2 IP Addresses
Figure 3: BokBot Infrastructure Discovery Process
We observed the Tier 2 IP addresses in Table 1 being used in the management of BokBot infrastructure over a number of months. However, on 29 April 2021 we noticed a significant drop-off in activity, which has remained consistent to the time of publishing (Figure 3).
Figure 4: Tier 2 IP Address Activity Timeline
In conclusion, while BokBot operations may have been temporarily impacted by the Emotet takedown, our analysis shows they are currently running a vast and active network which encompasses upwards of 1,500 domains hosted on over 250 Tier 1 IP addresses.
We hope that the releasing of these indicators proves helpful in identifying and mitigating existing BokBot activities and also in disrupting the future operations of the BokBot actor(s).
Our findings are summarized in Figure 5 below:
Figure 5: BokBot Infrastructure Overview