A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals.
“Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,” Cybereason researchers said in a report published this week.
IcedID, also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a dropper for other malware, joining the likes of Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin.
Attacks involving the delivery of IcedID have leveraged a variety of methods, especially in the wake of Microsoft’s decision to block macros from Office files downloaded from the web.
The intrusion detailed by Cybereason is no different in that the infection chain begins with an ISO image file contained within a ZIP archive that culminates in the execution of the IcedID payload.
The malware then establishes persistence on the host via a scheduled task and communicates with a remote server to download next-stage payloads, including Cobalt Strike Beacon for follow-on reconnaissance activity.
It also carries out lateral movement across the network and executes the same Cobalt Strike Beacon in all those workstations, and then proceeds to install Atera agent, a legitimate remote administration tool, as a redundant remote access mechanism.
“Utilizing IT tools like this allows attackers to create an additional ‘backdoor’ for themselves in the event their initial persistence mechanisms are discovered and remediated,” the researchers said. “These tools are less likely to be detected by antivirus or EDR and are also more likely to be written off as false positives.”
The Cobalt Strike Beacon is further used as a conduit to download a C# tool dubbed Rubeus for credential theft, ultimately permitting the threat actor to move laterally to a Windows Server with domain admin privileges.
The elevated permissions are then weaponized to stage a DCSync attack, allowing the adversary to simulate the behavior of a domain controller (DC) and retrieve credentials from other domain controllers.
Other tools used as part of the attack include a legitimate utility named netscan.exe to scan the network for lateral movement as well as the rclone file syncing software to exfiltrate directories of interest to the MEGA cloud storage service.
It’s worth noting that the use of Atgera agent and netscan.exe has been previously attributed to ransomware operations like Conti and LockBit, suggesting that criminal actors are taking a leaf out of their playbook.
The findings come as researchers from Team Cymru shed more light on the BackConnect (BC) protocol used by IcedID to deliver additional functionality post compromise, including a VNC module that provides a remote-access channel.
“In the case of BC, there appears to be two operators managing the overall process within distinct roles,” the researchers noted last month, adding “much of the activity […] occurs during the typical working week.”
The development also follows a report from Proofpoint in November 2022 that a resurgence in Emotet activity has been linked to the distribution of a new version of IcedID.