In a recent incident, the IcedID (aka BokBot) malware was used to penetrate the Active Directory domain of an unnamed target within just 24 hours of initial access.
The attack employed tactics similar to those utilized by other groups, such as Conti, to achieve its objectives. IcedID is a type of malware that is specifically designed to steal financial information from its victims.
It is often referred to as a banking trojan, as it is typically used to target individuals and organizations with the goal of stealing sensitive financial information such as:-
IcedID typically spreads through phishing emails or malicious websites, and once it infects a victim’s device, it can gain access to sensitive information by capturing keystrokes, taking screenshots, and stealing data from the victim’s web browser.
Once the malware has obtained the desired information, it can exfiltrate the data to the attackers’ command and control server, where it can be used for financial fraud or other malicious activities.
TA551, the threat group associated with this malware, has been active since at least 2017.
A timeline of the actions the attacker took, as reconstructed by the Cybereason team during its investigation, is shown below:-
There are a number of deployment mechanisms that have been observed, including:-
Since Microsoft decided to block macros in Office files downloaded from the web, there has been an assortment of attacks delivering IcedID through a variety of other methods.
Once executed, IcedID downloads a new payload for follow-on reconnaissance activity, including Cobalt Strike Beacon, via a scheduled task and establishes persistence on the host.
Additionally, it executes the same Cobalt Strike Beacon and installs an Atera agent on every workstation across the network. In the event that the attackers’ initial persistence mechanisms have been discovered and remedied, attackers can use IT tools like this to create a new ‘backdoor’ for themselves.
Such legitimate IT tools are more likely to be dismissed as false positives by antivirus and endpoint detection and prevention software.
A C# tool called Rubeus is also downloaded through the Cobalt Strike Beacon in order to steal user credentials. The attacker is then able to move laterally to a Windows server that holds domain administrator rights and take over that server.
The elevated permissions are then weaponized to stage a DCSync attack.
A legitimate piece of software, netscan[.]exe, was also used to scan the network in support of the attacker's lateral movement.
The attacker also used the rclone file synchronization tool to exfiltrate directories of interest to MEGA cloud storage.
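The DCSync step above is one of the few moments in this chain that leaves an unambiguous trace on the domain controller: a Windows Security event 4662 in which a non-DC account exercises a directory replication control-access right. The following detection logic is an added example, not code from the Cybereason report; the event format is a constructed flattened key=value form, and the allow-list of replicating accounts is a placeholder you would fill from your own DC computer accounts and sync service accounts.

```python
"""Flag DCSync-style replication requests in constructed Windows Security
event 4662 records (added example; not part of the original report)."""
from dataclasses import dataclass

# Control-access right GUIDs that grant directory replication, i.e. the
# rights a DCSync attack exercises. Legitimate use is almost exclusively by
# domain controllers and directory synchronization service accounts.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts allowed to replicate. Constructed placeholder names: replace with
# your DC computer accounts ("HOST$") and any sync accounts you run.
ALLOWED_ACCOUNTS = {"DC01$", "DC02$", "MSOL_sync"}

@dataclass
class Alert:
    account: str   # SubjectUserName that requested replication
    host: str      # Computer (the DC) that logged the event
    rights: list   # replication rights named in Properties

def parse_event(line):
    """Parse a flattened 'key=value;...' record into a dict (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)

def detect_dcsync(lines):
    """Return an Alert for every 4662 event whose SubjectUserName is not an
    allowed replicator and whose Properties include a replication GUID."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        props = ev.get("Properties", "").lower()
        matched = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if matched and ev.get("SubjectUserName") not in ALLOWED_ACCOUNTS:
            alerts.append(Alert(ev["SubjectUserName"], ev.get("Computer", "?"), matched))
    return alerts

# Constructed sample records: a legitimate DC-to-DC replication, a replication
# request from a compromised service account, and an unrelated 4662 on a user
# object (its Properties GUID is a made-up placeholder).
SAMPLE_EVENTS = [
    "EventID=4662;Computer=DC01;SubjectUserName=DC02$;ObjectType=domainDNS;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;Computer=DC01;SubjectUserName=svc_backup;ObjectType=domainDNS;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;Computer=DC01;SubjectUserName=jsmith;ObjectType=user;Properties={00000000-aaaa-bbbb-cccc-000000000000}",
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {a.account} on {a.host} exercised {', '.join(a.rights)}")
```

Object access auditing for directory service objects must be enabled on the domain controllers for 4662 to be logged at all, and the allow-list should be reviewed whenever a DC is promoted or a sync account is added.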
Recommendations
There are a number of measures that are suggested to help contain IcedID activity if it is observed in your environment:-