New research from Cybereason exposes how fast cybercriminals can be when it comes to exploit an initial infection obtained on a corporate user.
SEE: Mobile device security policy (TechRepublic Premium)
Jump to:
- What is the IcedID malware threat?
- IcedID: Initial point of compromise
- The banking Trojan’s accelerated attack timeline
- How the malware steals your data
- How to protect your organization from this threat
What is the IcedID malware threat?
IcedID is a banking Trojan that has been actively used by cybercriminals since 2017 and shared part of its code with another widely used malware family known as Pony, whose source code leaked in 2015.
While mostly distributed via spam emails built to infect users, IcedID was also delivered in the beginning of 2023 by a phishing campaign pretending to spread a Zoom software update.
IcedID has also frequently been distributed as payload, spread by the infamous Emotet and Trickbot infrastructure, and to run ransomware attacks, as exposed by the FBI.
IcedID: Initial point of compromise
In this attack campaign, users receive and open a password protected archive containing an ISO file. Once the ISO file is clicked on, it creates a virtual disk. If the user navigates and clicks on the only visible file, a Link File Format file, the LNK file starts the infection process by launching a batch file.
This drops a Dynamic Link Library file that is executed in a temporary directory. The DLL file then downloads the IcedID payload from a remote server and loads the payload into the process (Figure A).
Figure A
The malware then uses the legitimate net.exe binary from the infected system to collect information about the domain, workstation and members of the Domains Admins group.
Persistence is established by creating a scheduled task on the computer, which executes the malware every hour and at each logon operation.
The banking Trojan’s accelerated attack timeline
Cybereason researchers exposed how fast cybercriminals can be when it comes to exploiting initial access to a company.
Once the initial IcedID infection is done, an interactive command line (cmd.exe) session is started, which downloads additional files on the infected system. Seven minutes after the initial infection, a Cobalt Strike beacon is used on the infected computer. The Cobalt Strike code loads Rubeus, a tool designed for Kerberos interaction and abuse, which also collects more network data from the system. Attackers obtain the credentials of a service account via Kerberoasting, a known technique based on abusing valid Kerberos tickets, 15 minutes after the initial infection.
57 minutes after the infection, the lateral movement operation starts. The attacker uses the legitimate command line tool ping.exe from the system to check if the host is alive, then executes the same Cobalt Strike payload on the remote workstation via wmic.exe. That process is repeated several times, each time bouncing on a different endpoint or server. Large portions of the network infrastructure are scanned.
A DCSync attack is performed 19 hours after the initial compromise. This technique allows an attacker to impersonate a domain controller to obtain password hashes from other domain controllers, enabling the attacker to increase their foothold on every domain of the targeted company.
Shortly before the exfiltration starts and 46 hours after the initial infection, the attackers deploy the legitimate Atera remote administration tool on several different machines. The implementation of that tool on several computers allows the attackers to come back to the system even if the IcedID malware is discovered and computers are cleaned from it.
How the malware steals your data
The IcedID malware hooks into several Internet browsers to steal credentials, session cookies and saved information. In addition, the attackers used the legitimate rclone fine syncing tool to encrypt and send several directories they chose to the Mega file sharing service. This data exfiltration starts roughly 50 hours after the initial compromise.
Cybereason shows how fast threat actors can be when it comes to moving laterally on different computers within a target network and exfiltrating data from them. While several of the reported techniques can be done automatically without human intervention, the lateral movements and the exfiltration stages need more human power. It is concerning to see that a threat actor can do all of this in only 50 hours.
The report notes the final step is data exfiltration, but the attack could easily lead to a ransomware demand. The tooling and TTP described by Cybereason is reminiscent of the OnePercent group, which used IcedID, Cobalt Strike, PowerShell and Rclone in a manner similar to the actions documented in this report.
How to protect your organization from this threat
Have all operating systems and software up to date and patched to prevent any compromise via the use of a common vulnerability. Do not allow users on the network to open any ISO files unless strictly needed by users. That file type should only be allowed for administrators.
Finally, security solutions need to be deployed on all endpoints and servers to detect suspicious behavior. Security awareness should be provided to all employees, especially on email threats, which is still the most prevalent initial infection vector.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.