IceID malware infiltrates Active Directory Domain
In a notable IcedID malware attack, the assailant impacted the Active Directory domain of the victim in less than 24 hours, transiting from initial infection to lateral movement in fewer than 60 minutes.
Researchers at Cybereason discovered that the new attack’s infection chain begins with a ZIP archive-based ISO image file, which results in IcedID payload execution. IcedID then establishes persistence by launching a scheduled task and connecting to a remote server to download a Cobalt Strike Beacon and other next-stage payloads. Following lateral network movement, IcedID deploys the Cobalt Strike Beacon to all workstations before deploying the Atera agent.
IcedID, also known as BokBot, is a banking trojan that has been linked to the threat group TA551 and has been used to steal financial information from its victims since 2017. IcedID has recently been used as a dropper for other malware families as well as a tool for initial access brokers, said Cybereason.
According to Cybereason, the attackers borrowed some tactics, techniques, and procedures (TTP) from other groups, pointing to “several” TTPs seen in IcedID attacks attributed to Conti, Lockbit, FiveHands, and others.
The attacker followed a “routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike” on the compromised machine, Cybereason said in a blog post. Exfiltration of the victim’s data started two days after initial infection.
The deployment mechanisms in this case is that when a victim accesses an archive. Victim then double-clicks the ISO file, which creates a virtual disk. Victim then navigates to the virtual disk and selects the only file visible, which is an LNK file. The LNK file then executes a batch file that places a DLL in a temporary folder and runs it with rundll32.exe. Rundll32.exe executes the DLL, which establishes network connections to IcedID-related domains and downloads the IcedID payload. The IcedID payload is finally loaded into the process.
The sources for this piece include an article TheHackerNews
Watch this news on our Youtube channel: https://www.youtube.com/watch?v=GjMOF4F4uSo