In a recent incident, within just 24 hours of initial access, the IcedID (aka BokBot) malware was used to successfully penetrate the Active Directory domain of an unnamed target.
The attack employed tactics similar to those utilized by other groups, such as Conti, to achieve its objectives. IcedID is a type of malware that is specifically designed to steal financial information from its victims.
It is often referred to as a banking trojan, as it is typically used to target individuals and organizations with the goal of stealing sensitive financial information such as:-
IcedID typically spreads through phishing emails or malicious websites, and once it infects a victim’s device, it can gain access to sensitive information by capturing keystrokes, taking screenshots, and stealing data from the victim’s web browser.
Once the malware has obtained the desired information, it can exfiltrate the data to the attackers’ command and control server, where it can be used for financial fraud or other malicious activities.
TA551 has been identified as the threat group associated with this malware since at least 2017 and has been active since then.
A timeline that shows the various actions the attacker took during the investigation by the Cybereason team, is shown below:-
There are a number of deployment mechanisms that have been observed, including:-
Since Microsoft decided that it would block macros from Office files downloaded from the web, there have been an assortment of attacks involving the delivery of IcedID leveraging a variety of methods.
It then downloads a new payload for follow-on reconnaissance activity, including Cobalt Strike Beacon, via a scheduled task and establishes persistence on the host.
Additionally, it executes the same Cobalt Strike Beacon and installs an Atera agent on every workstation across the network. In the event that the attackers’ initial persistence mechanisms have been discovered and remedied, attackers can use IT tools like this to create a new ‘backdoor’ for themselves.
It is more likely that these tools will be overlooked as false positives by antivirus and endpoint detection and prevention software.
A C# tool called Rubeus is also downloaded through the Cobalt Strike Beacon in order to steal the credentials of the users. The attacker will then be able to move laterally to one of the Windows servers that has domain administrator rights and take over that server.
An attack on DCSync is then staged using the elevated permissions and the elevated permissions are weaponized.
A legitimate piece of software, named netscan[.]exe, was also included as part of the attack to scan the network in search of the lateral movement of the attacker.
As well as exfiltrating directories of interest to MEGA cloud storage, the attacker used rclone file synchronization software.
There are a number of measures that are suggested to help contain IcedID activity if it is observed in your environment:-
Network Security Checklist – Download Free E-Book
In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…
Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…
The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…
In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…
A recent campaign has been observed to be delivering DJvu ransomware through a loader that…
In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…