From An IcedID Infection to Domain Compromise in Under 24hrs
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: Cybereason
The Cybereason threat analysis team provided research of an IcedID infection resulting in the compromise of the organization's active directory domain in under 24 hours, and data exfiltration in under three days following the initial infection. IcedID is assessed by Cybereason to be "used more as a dropper for other malware families and as a tool for initial access brokers." Analysis of the intrusions begins with a user executing a compressed zip archive containing an ISO and shortcut (LNK) file executing a batch script and malicious DLL to download the IcedID malware. Rundll32 was used prominently in the initial stages executing the initial DLL file in the TEMP directory, running IcedID payloads, creating a scheduled task, and calling a cmd process to download additional scripts.
Cobalt Strike launches using regsvr32, after the initial foothold is established. A rountine usage of Cobalt Strike was observed following reconnaissance, credential access and lateral movement resulting in a standardized attack flow. Throughout the post-exploitations, influences of various threat groups were found based on their tactics, techniques and procedures (TTPs). "Several of the TTPs we observed have also been found in attacks attributed to Conti, Lockbit, FiveHands, and others. Not only does this show a trend towards attackers sharing ideas across groups, but this also demonstrates how the ability to detect the techniques and tactics of one group can be applied to detecting others." To move laterally, the threat actors used WMIC and for credential access, a Rubeus tool was used for Kerberoasting and DCSync to dump credentials. The attackers ceased activity following domain compromise with the next majority activity of a Citrix server login 26 hours after DCSync was used. To establish an additional backdoor, the attackers installed the Atera remote administration tool a Conti tactic and and exfiltrated data using a renamed Rclone process similar to Lockbit.
- IcedID Infection with Cobalt Strike, Rubeus/DCSync & WMIC
Anvilogic Use Cases:
- Executable Create Script Process
- Rundll32.exe as Parent Process
- Potential DCSync