IcedID malware infiltrates Active Directory Domain

Obanla Opeyemi

January 23, 2023 - TuxCare expert team

In a notable IcedID malware attack, the assailant impacted the Active Directory domain of the victim in less than 24 hours, moving from initial infection to lateral movement in fewer than 60 minutes.

Researchers at Cybereason discovered that the new attack’s infection chain begins with an ISO image file delivered in a ZIP archive, which results in IcedID payload execution. IcedID then establishes persistence by launching a scheduled task and connecting to a remote server to download a Cobalt Strike Beacon and other next-stage payloads. Following lateral network movement, IcedID deploys the Cobalt Strike Beacon to all workstations before deploying the Atera agent.

IcedID, also known as BokBot, is a banking trojan that has been linked to the threat group TA551 and has been used to steal financial information from its victims since 2017. IcedID has recently been used as a dropper for other malware families as well as a tool for initial access brokers, said Cybereason.

According to Cybereason, the attackers borrowed some tactics, techniques, and procedures (TTPs) from other groups, pointing to “several” TTPs seen in IcedID attacks attributed to Conti, Lockbit, FiveHands, and others.

The attacker followed a “routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike” on the compromised machine, Cybereason said in a blog post. Exfiltration of the victim’s data started two days after initial infection.

In this case, the deployment works as follows. The victim opens an archive and double-clicks the ISO file inside it, which creates a virtual disk. The victim then navigates to the virtual disk and selects the only visible file, which is an LNK file. The LNK file executes a batch file that places a DLL in a temporary folder and runs it with rundll32.exe. Rundll32.exe executes the DLL, which establishes network connections to IcedID-related domains and downloads the IcedID payload. Finally, the IcedID payload is loaded into the process.
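
The batch-file-to-rundll32.exe step of this chain can be checked for in process-creation telemetry. The Python below is an added example, not code from Cybereason or TuxCare: it flags rundll32.exe loading a module from a temporary folder and raises the severity when the parent is cmd.exe running a batch file. The event field names are an assumption modelled on Sysmon process-creation records, the temp-folder patterns are assumed, and the sample events are constructed.

```python
import ntpath
import re

# Assumed temp locations; extend for the environment being monitored.
TEMP_DIR = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
BATCH = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)

def exe(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def triage_rundll32(events):
    """Return (ProcessId, severity) for rundll32.exe loading a module from a temp folder.

    'high'   = started by cmd.exe running a batch file (the chain in the article)
    'medium' = temp-folder module with any other parent
    """
    findings = []
    for ev in events:
        if exe(ev["Image"]) != "rundll32.exe":
            continue
        if not TEMP_DIR.search(ev["CommandLine"]):
            continue  # system DLLs such as shell32.dll are normal rundll32 use
        from_batch = (exe(ev["ParentImage"]) == "cmd.exe"
                      and BATCH.search(ev["ParentCommandLine"]) is not None)
        findings.append((ev["ProcessId"], "high" if from_batch else "medium"))
    return findings

# Constructed sample events (not taken from the incident); paths and PIDs are invented.
SAMPLE_EVENTS = [
    {"ProcessId": 3980, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c E:\docs\start.bat",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\sample.dll,#1",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c E:\docs\start.bat"},
    {"ProcessId": 4500, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\setup_helper.dll,Install",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "ParentCommandLine": "msiexec.exe /V"},
]

if __name__ == "__main__":
    for pid, severity in triage_rundll32(SAMPLE_EVENTS):
        print(pid, severity)
```

The medium tier will also match legitimate installers that unpack helper DLLs into temp folders, so it is a triage signal to baseline rather than an alert on its own.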

The sources for this piece include an article in TheHackerNews.
