IcedID Malware Targets Again: Active Directory Domain Breached in Less Than 24 Hours

Malware Attack Utilizing IcedID Compromises Active Directory Domain

A recent incident involving IcedID malware has raised significant alarms within the cybersecurity community, highlighting the persistent threat posed by sophisticated attacks. Within just 24 hours of gaining initial access, the threat actor successfully compromised the Active Directory domain of an unidentified target. Notably, the attacker employed techniques reminiscent of notorious hacking groups such as Conti.

The attack pattern revealed by researchers at Cybereason outlines a systematic approach encompassing multiple phases. The initial breach began with reconnaissance commands, followed by credential theft and lateral movement through the exploitation of Windows protocols. Running Cobalt Strike on each newly compromised host, the attacker progressively expanded their foothold within the network.

Originally surfacing in 2017 as a banking trojan, IcedID, also referred to as BokBot, has since evolved into a versatile malware dropper. It now finds itself in the ranks alongside other malicious software like Emotet and TrickBot, increasingly diversifying its capabilities for broader operational impacts. The malware’s evolution reflects a shift in tactics, especially following Microsoft’s recent move to block macros from downloadable Office files, prompting hackers to explore various new delivery methods.

Researchers highlighted that the attack’s infection chain commenced with an ISO image file embedded in a ZIP archive, culminating in the execution of the IcedID payload. Following this initial compromise, the malware accomplished persistence through a scheduled task and connected to a remote server, downloading additional payloads, including the Cobalt Strike Beacon for further reconnaissance.
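The scheduled-task persistence described above leaves an artifact defenders can review: every task is stored as an XML definition under the Task Scheduler folder, and the `<Exec>` action records the command and arguments it runs. The following script is an added example, not code from the article or from Cybereason's research. It parses constructed task definitions (the sample XML is made up for illustration) and applies two heuristics that are assumptions of this example: an action that executes from a user-writable location, and a signed proxy binary such as `rundll32.exe` that is handed a payload as its argument.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions (the XML files under the Tasks folder)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic (assumption): payloads dropped by a loader usually live in user-writable paths
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|users\\public)\\", re.IGNORECASE)

# Heuristic (assumption): signed proxy binaries that execute a DLL or script given as argument
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed sample task definitions (made up for this example, not from the incident)
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"C:\Users\alice\AppData\Local\Temp\loader.dll",init</Arguments>
    </Exec>
  </Actions>
</Task>"""


def exec_actions(task_xml):
    """Return (command, arguments) pairs for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    pairs = []
    for node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        pairs.append((cmd, args))
    return pairs


def task_findings(task_name, task_xml):
    """Apply both heuristics; returns a list of (task name, reason, full command line)."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        full = f"{cmd} {args}".strip()
        # basename of the command, tolerant of quotes and full paths
        binary = cmd.strip('"').lower().rsplit("\\", 1)[-1]
        if USER_WRITABLE.search(full):
            findings.append((task_name, "executes from a user-writable path", full))
        if binary in PROXY_BINARIES and args:
            findings.append((task_name, f"{binary} used as proxy for argument payload", full))
    return findings


def review_tasks(tasks):
    """tasks: mapping of task name -> XML text. Returns findings across all tasks."""
    findings = []
    for name, xml_text in tasks.items():
        findings.extend(task_findings(name, xml_text))
    return findings


if __name__ == "__main__":
    sample = {"VendorUpdate": BENIGN_TASK, "ConstructedSuspiciousTask": SUSPICIOUS_TASK}
    for task, reason, cmdline in review_tasks(sample):
        print(f"[{task}] {reason}: {cmdline}")
```

On a live host the same functions can be fed the XML read from each task file; the heuristics produce candidates for review rather than verdicts, since some legitimate installers also schedule tasks from user profile paths.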

The attacker furthered their lateral movement within the network, deploying the same Cobalt Strike Beacon across multiple workstations. In a calculated maneuver, they introduced an Atera agent—an ostensibly legitimate remote administration tool—creating an additional backdoor for future access. This strategy is particularly concerning as such tools are less likely to trigger alarms and can easily be misidentified as benign by security solutions.

In the continuation of this breach, the Cobalt Strike Beacon served as a vehicle to deploy a C# utility named Rubeus, which facilitated credential theft and allowed the attacker to move laterally to a Windows Server that held domain administrator privileges. These elevated privileges were weaponized to execute a DCSync attack, in which the attacker impersonates a domain controller requesting replication and thereby retrieves credentials from the other domain controllers.
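A DCSync request is visible on the domain controller as a Security event 4662 whose Properties field lists the directory replication control-access rights, which are documented GUID values. The script below is an added example, not part of the article or of Cybereason's research: it runs that check over constructed 4662 records and raises an alert when a subject that is not an expected replicator (the allowlist is an assumption of this example) exercises those rights.

```python
import re

# Control-access-right GUIDs that grant directory replication (documented Active Directory values)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Assumption: the accounts that legitimately replicate in this (made up) domain. List domain
# controllers by name rather than trusting every "$" machine account, since machine accounts
# can be abused too.
EXPECTED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\svc_dirsync"}

# Constructed sample of Security event records, trimmed to the fields the check uses
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "j.doe",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # unrelated directory access: placeholder GUID, not a replication right
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "j.doe",
     "ObjectType": "user", "Properties": "{00000000-0000-0000-0000-000000000000}"},
    # a different event type is ignored entirely
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "j.doe"},
]


def replication_rights(properties):
    """Names of the replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g] for g in GUID_RE.findall(properties.lower())
            if g in REPLICATION_RIGHTS]


def detect_dcsync(events, expected):
    """Return one alert per 4662 event where a non-expected subject used replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        subject = f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}"
        if subject in expected:
            continue
        # Get-Changes-All is the right that returns secret attributes such as password hashes
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        alerts.append({"subject": subject, "object": ev.get("ObjectType"),
                       "rights": rights, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, EXPECTED_REPLICATORS):
        print(f"{alert['severity'].upper()}: {alert['subject']} used {', '.join(alert['rights'])} "
              f"on {alert['object']}")
```

Event 4662 is only recorded when the Audit Directory Service Access subcategory is enabled and the domain object carries a SACL covering these rights, so the audit policy is the first thing to verify before relying on this detection.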

The attacker further utilized tools such as netscan.exe to facilitate lateral movement and rclone software to exfiltrate sensitive data to the MEGA cloud storage service. Notably, the integration of tools like the Atera agent and netscan.exe has been previously linked to ransomware operations such as Conti and LockBit, indicating a blend of tactics borrowed from historical ransomware playbooks.
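Because rclone and netscan.exe are legitimate programs, the useful signal is not a malware signature but the fact that they run at all, often renamed, from unexpected paths and, in rclone's case, with a cloud remote as the destination. The triage below is an added example and not code from the article: it works over constructed process-creation records (the field names mirror a typical endpoint sensor's Image, OriginalFileName and CommandLine, which is an assumption), catches a renamed rclone binary through its original file name, and pulls the transfer verb and remote target out of the command line so an analyst sees where data was headed.

```python
import re
import shlex

# Tools the article associates with this intrusion; matched by original file name or image name
TOOLS_OF_INTEREST = {"rclone.exe", "netscan.exe"}

# rclone subcommands that move data between locations
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# Heuristic (assumption): an rclone remote looks like "name:path" or ":backend:path"; a Windows
# drive letter ("C:\...") is a single character before the colon and is therefore excluded.
REMOTE_RE = re.compile(r"^:?[A-Za-z][\w-]+:")

# Constructed sample records (made up for this example, not from the incident)
SAMPLE_RECORDS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "OriginalFileName": "rclone.exe",
     "User": "CORP\\alice",
     "CommandLine": r'svchost.exe copy "C:\Shares\Finance" :mega:exfil --transfers 8'},
    {"Image": r"C:\Users\Public\netscan.exe", "OriginalFileName": "netscan.exe",
     "User": "CORP\\alice", "CommandLine": r'"C:\Users\Public\netscan.exe"'},
    {"Image": r"C:\Windows\System32\robocopy.exe", "OriginalFileName": "robocopy.exe",
     "User": "CORP\\backup", "CommandLine": r'robocopy.exe D:\data \\fileserver\backup /MIR'},
]


def basename(path):
    """Lower-cased file name of a path, tolerant of quotes and either slash style."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(rec):
    """Return a finding dict for a tool of interest, or None for anything else."""
    image = basename(rec.get("Image", ""))
    original = rec.get("OriginalFileName", "").lower()
    if original in TOOLS_OF_INTEREST:
        tool = original
    elif image in TOOLS_OF_INTEREST:
        tool = image
    else:
        return None
    finding = {
        "tool": tool,
        "image": rec.get("Image"),
        "user": rec.get("User"),
        # the binary was renamed if the PE's original name differs from the file name on disk
        "renamed": original in TOOLS_OF_INTEREST and original != image,
    }
    if tool == "rclone.exe":
        # posix=False keeps Windows backslashes and quoted paths intact
        tokens = [t.strip('"') for t in shlex.split(rec.get("CommandLine", ""), posix=False)]
        finding["verb"] = next((t for t in tokens if t in RCLONE_TRANSFER_VERBS), None)
        finding["remotes"] = [t for t in tokens if REMOTE_RE.match(t)]
    return finding


def triage(records):
    """Findings for every record that involves a tool of interest, in input order."""
    return [f for f in (classify_process(r) for r in records) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        flag = " (renamed)" if f["renamed"] else ""
        extra = f" verb={f.get('verb')} remotes={f.get('remotes')}" if f["tool"] == "rclone.exe" else ""
        print(f"{f['tool']}{flag} run by {f['user']} from {f['image']}{extra}")
```

Blocking or alerting on the original file name rather than the on-disk name is the part that matters most here; a renamed copy of rclone defeats a name-based rule but still carries its original name in the PE version resource that sensors record.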

Furthermore, research from Team Cymru sheds light on the BackConnect protocol utilized by IcedID to deliver additional functionalities post-compromise, including a VNC module that provides remote access. This aspect underscores the sophisticated tactics employed, with distinct operators managing the processes behind the scenes.

As the landscape of cyber threats continues to evolve, the resurgence of IcedID, paired with other malware like Emotet, underlines a pressing need for heightened vigilance among business owners. Understanding the potential tactics within the MITRE ATT&CK framework—ranging from initial access to privilege escalation—can empower organizations to bolster their defenses against such sophisticated cyber risks.
