
The recent malware attack on an unnamed target was a wake-up call for companies worldwide. The IcedID malware has been wreaking havoc on businesses of all sizes, compromising their Active Directory domains and giving attackers access to sensitive information.

This time, however, the attack was particularly concerning because the attackers compromised the business's entire Active Directory domain within just 24 hours. This is a very short time for an intrusion to gain complete control, showing just how effective this malware and its operators have become.

“Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,” Cybereason researchers stated in a report published this week.

The malware was first discovered in 2017 as a banking trojan. It is thought to be similar to Emotet, TrickBot, and Raspberry Robin.

The infection begins with a ZIP archive containing an ISO image file; opening it leads to execution of the IcedID payload, infecting the host. The malware establishes persistence through a scheduled task and connects to a remote server to obtain next-stage payloads, such as Cobalt Strike Beacon, for subsequent surveillance of the environment.

It then moves laterally through the network, executing the same Cobalt Strike Beacon on the newly reached workstations. After that, it installs the Atera agent, a legitimate remote administration tool, as a redundant remote access mechanism.

“Utilising IT tools like this allows attackers to create an additional ‘backdoor’ for themselves in the event their initial persistence mechanisms are discovered and remediated,” the researchers said. 

“These tools are less likely to be detected by antivirus or EDR and are also more likely to be written off as false positives.”

The threat actor then moves laterally to a Windows Server with domain admin privileges, using the Cobalt Strike Beacon as a conduit to download Rubeus, a C# tool, for credential theft.

Other tools observed include netscan.exe, a legitimate utility that has also been used alongside the Atera agent in ransomware operations by Conti and LockBit.
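As an added illustration (not code from the article or from Cybereason's report), the check below correlates the stages described above over constructed process-creation records and flags a host when several stages appear within the 24-hour window the article mentions. The image-name and command-line patterns are assumptions about how these tools show up in endpoint telemetry; the sample records are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage indicators derived from the attack chain in the article. The matching
# substrings are assumptions about how each tool appears in process telemetry
# (image name / command line); real detections should also match renamed binaries.
STAGES = {
    "persistence": lambda img, cmd: img == "schtasks.exe" and "/create" in cmd.lower(),
    "credential_theft": lambda img, cmd: img == "rubeus.exe",
    "recon": lambda img, cmd: img == "netscan.exe",
    "remote_admin_tool": lambda img, cmd: "atera" in img or "atera" in cmd.lower(),
}


def classify(event):
    """Return the stage name an event matches, or None if it matches nothing."""
    img = event["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
    cmd = event["cmdline"]
    for stage, match in STAGES.items():
        if match(img, cmd):
            return stage
    return None


def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Collect matched stages per host and flag hosts showing at least
    `min_stages` distinct stages inside any sliding window of length `window`."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)  # first window that trips the rule
                break
    return alerts


# Constructed sample telemetry (hypothetical hosts, paths and times).
SAMPLE = [
    {"ts": datetime(2023, 1, 10, 9, 0), "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe", "cmdline": r"schtasks /create /tn Updater /tr C:\Users\Public\update.exe"},
    {"ts": datetime(2023, 1, 10, 11, 30), "host": "WS01", "image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe"},
    {"ts": datetime(2023, 1, 10, 12, 0), "host": "WS01", "image": r"C:\Users\Public\AteraAgent_setup.exe", "cmdline": "AteraAgent_setup.exe /quiet"},
    {"ts": datetime(2023, 1, 10, 15, 0), "host": "SRV01", "image": r"C:\Users\Public\rubeus.exe", "cmdline": "rubeus.exe"},
    {"ts": datetime(2023, 1, 10, 8, 0), "host": "WS02", "image": r"C:\Program Files\Google\Chrome\chrome.exe", "cmdline": "chrome.exe"},
]
```

Run `correlate(SAMPLE)` to see WS01 flagged with three stages while SRV01, with a single stage, is not; lowering `min_stages` to 1 surfaces single-tool hits for triage.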

The report coincides with research from Team Cymru that sheds further light on the BackConnect (BC) protocol, which IcedID uses to deliver additional functionality after compromise, including a VNC module that provides a remote-access channel.
