In this intrusion, we observed usage of gmailcom and outlookcom email accounts for Atera agent registration. Use of these 3rd party administrative tools allow the threat actors another “legitimate” means of persistence and access if they were to lose their malware connection.
CUSTOMIZE COBALT STRIKE BEACON INSTALL
The threat actors proceeded to install remote management tools such as Atera Agent and Splashtop. Process injection into explorer.exe was then observed from the Cobalt Strike Beacon. Nltest and net group were utilized to look for sensitive groups such as Domain Admins and Enterprise Admins. Soon after, another round of discovery was performed from the Cobalt Strike beacon focusing on the Windows domain. The IcedID malware then used Windows utilities such as net, chcp, nltest, and wmic, to perform discovery activity on the host.Īfter a gap of almost an hour, a Cobalt Strike beacon was dropped and executed on the beachhead host. The task executed the IcedID payload every one 1 hour. This was followed by the creation of a scheduled task on the beachhead host to establish persistence. Upon execution of the IcedID DLL, a connection to a C2 server was established. This was first reported by Microsoft in April 2021. We assess with high confidence that the “ Stolen Image Evidence” email campaign was used to deliver the IcedID DLL. While remaining dormant most of the time, the adversary deployed Conti ransomware on the 19th day (shortly after Christmas), resulting in domain wide encryption. Along the way, the threat actors installed remote management tools such as Atera and Splashtop for persisting in the environment.
Upon execution of the IcedID DLL, discovery activity was performed which was followed by the dropping of a Cobalt Strike beacon on the infected host.
IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions. In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector.
0 kommentar(er)
