How an IcedID Loader Attack Unfolds: A Case Study in EDR Evasion

Dr. Srinidhi Varadarajan, Chief Scientist, Elastio

In the relentless fight against ransomware, security teams face the constant challenge of thwarting malicious activities that evade the defenses of Endpoint Detection and Response (EDR) systems. This article delves into EDR evasion, with a particular focus on the IcedID loader—a case study that vividly illustrates the sophisticated tactics employed by cyber criminals.

IcedID Loader: A Case Study in EDR Evasion

IcedID, a loader used by various malware families including Quantum, exemplifies this sophistication. Attackers distribute emails pretending to contain a ‘corporate document’ often labeled with a familiar name such as ‘strategy’ and a date stamp – a common practice for versioning documents that doesn’t raise any flags for the recipient. However, the document is a decoy; it’s password-protected not for security, but to conceal malware.

The trickery lies in the password’s uniqueness; it varies with each email, making the malware-laden document appear different every time. This variability renders signature-based scanning and antivirus (AV) detection ineffective, as the file does not match any known malware signatures.

The Attack Unfolds

Stage 1 – Embedded malware is activated

When the recipient opens the document, they are prompted to enter the password provided in the email. Once entered, the document claims to be from an outdated version of Word and prompts the user to click ‘enable editing’ to see the rest of the document. This is a critical moment as, enabling editing activates macros within the document, initiating the download of the malware’s second stage.

 Stage 2 – The PNG Deception

For the second stage, IcedID downloads a file, such as a PNG, onto a directory. This PNG image, when opened, is nothing more than a transparent background, but hidden within is a DLL (Dynamic Link Library), a typical Windows library that any dynamically linked applications use.  In a process called “steganography,” the loader code extracts what the DLL hidden inside the PNG. 

 Stage 3 – DLL Injection and Further Infection

The loader exploits a legitimate Windows process, runDLL32, to inject the malicious DLL into the system’s memory. It’s from this vantage point that the DLL reaches out to the command and control server and downloads the actual malware executable.

In Conclusion

With these multi-step attacks designed specifically to  sidestep conventional defenses, the need for constant vigilance and dynamic defensive strategies becomes glaringly evident. Traditional antivirus and EDR solutions are important and essential – but they are not enough to counter these sophisticated threats. The key to staying at least one step ahead of these threat actors and defending your organization in today’s threat landscape requires a strategy that leverages behavioral-based detection and a proactive and adaptable posture.

For more on this topic, check out our webinar – Why XDR is not enough to stop ransomware attacks