After this, the threat actors began their first lateral movement to a server in the environment by copying their Cobalt Strike DLL over to the host and executing it via a remote service. This was followed by a batch script used to perform DNS lookups on hosts across the environment. The threat actor then proceeded to exploit CVE-2020-1472 (ZeroLogon). After that, the threat actors tried a GetSystem privilege escalation technique, which was blocked by antivirus. The threat actor installed Atera and Splashtop remote access software via an MSI file. This led to another round of discovery using net followed by AdFind. Around 16 hours after the initial execution, the first Cobalt Strike beacon DLL was executed from the IcedID malware. Upon the execution of the IcedID payload, discovery commands using Windows utilities such as net, nltest, and ipconfig were executed to discover domain trusts, domain admins, workstation configuration, etc. A scheduled task was created at that time to maintain persistence on this host as well. Clicking on the LNK file executes the batch file, which copies the IcedID payload to the user’s AppData\Local\Temp folder and loads it using rundll32. After being successfully mounted (double clicked), the end user only sees a malicious LNK file named documents inside the virtual hard drive. The ISO image delivered a hidden directory containing a IcedID payload and a batch file. This technique has grown in use as threat actors look to evade Mark-of-the-Web controls. Delivering payloads using an ISO image is a common technique observed in several prior cases. The ISO file was delivered to the victim as part of a malspam campaign. This intrusion began by the execution of IcedID malware contained within an ISO image. This case shares similarities of the IcedID campaign detailed by, where the ADGet.exe application was referenced. Post exploitation activities detail some familiar and some new techniques and tooling, which led to domain wide ransomware. This case covers the activity from a campaign in late September of 2022. IcedID continues to deliver malspam emails to facilitate a compromise.
0 Comments
Leave a Reply. |