IcedID Malware Compromised Active Directory Domain in Less Than a Day
In a recent IcedID malware attack, the perpetrator compromised the victim's Active Directory domain in less than 24 hours, moving from initial infection to lateral movement in under 60 minutes.
The attacker followed a “routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike” on the compromised machine, Cybereason said in a blog post. Exfiltration of the victim’s data started two days after initial infection.
Malware Targets Financial Info
IcedID, also known as BokBot, has been known since 2017 as a banking trojan used to steal financial information from its victims, and it has been tied to the threat group TA551. More recently, IcedID has been used as a dropper for other malware families and as a tool for initial access brokers, Cybereason said.
The attackers borrowed some tactics, techniques and procedures (TTPs) from other groups, Cybereason said, pointing to “several” of the TTPs it saw in IcedID attacks that had previously been attributed to Conti, Lockbit, FiveHands and others.
“Not only does this show a trend towards attackers sharing ideas across groups, but this also demonstrates how the ability to detect the techniques and tactics of one group can be applied to detecting others,” Cybereason said.
The deployment mechanisms observed during this case:
- Victim opens an archive.
- Victim clicks the ISO file, which creates a virtual disk.
- Victim navigates to the virtual disk and clicks the only file visible, which actually is an LNK file.
- LNK file runs a batch file which drops a DLL into a temporary folder and runs it with rundll32.exe.
- Rundll32.exe loads the DLL, which creates network connections to IcedID-related domains, downloading the IcedID payload.
- IcedID payload is loaded into the process.
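The chain above (LNK click, batch file, DLL dropped to a temp folder and run through rundll32.exe) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added detection example, not code from the article or from Cybereason: it correlates Sysmon-style Event ID 1 records (represented as dicts) to find cmd.exe launched by explorer.exe with a .bat/.cmd argument whose child rundll32.exe loads a DLL from a Temp directory. All events, GUIDs, paths and the `loader.dll,#1` export are constructed for the example.

```python
"""Correlate process-creation events for the LNK -> batch -> rundll32 delivery chain.

Input records mimic Sysmon Event ID 1 fields (ProcessGuid, ParentProcessGuid,
Image, ParentImage, CommandLine). Every event below is constructed sample data.
"""
import re

# Constructed sample telemetry (hypothetical GUIDs, user name and file names).
SAMPLE_EVENTS = [
    {"guid": "{A}", "parent_guid": "{0}",
     "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"C:\Windows\Explorer.EXE"},
    {"guid": "{B}", "parent_guid": "{A}",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     # The clicked LNK on the mounted ISO (drive E:) runs the dropper batch file.
     "command_line": r'C:\Windows\System32\cmd.exe /c "E:\document.bat"'},
    {"guid": "{C}", "parent_guid": "{B}",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     # Batch file drops a DLL into the user's Temp folder and runs it.
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,#1"},
    {"guid": "{D}", "parent_guid": "{0}",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     # Benign control-panel launch: a system DLL, not from Temp.
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
# First DLL path-like token on the command line (stops at whitespace, comma or quote).
DLL_ARG_RE = re.compile(r"(?:[A-Za-z]:)?[^\s,\"]+\.dll\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\Te?mp\\", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_batch_from_explorer(ev):
    """Stage 1: explorer.exe (user clicked an LNK) spawning cmd.exe with a .bat/.cmd."""
    return (_basename(ev["image"]) == "cmd.exe"
            and _basename(ev["parent_image"]) == "explorer.exe"
            and BATCH_RE.search(ev["command_line"]) is not None)


def temp_dll_argument(ev):
    """Stage 2: return the DLL path if rundll32.exe loads a DLL from a Temp folder, else None."""
    if _basename(ev["image"]) != "rundll32.exe":
        return None
    match = DLL_ARG_RE.search(ev["command_line"])
    if match and TEMP_DIR_RE.search(match.group(0)):
        return match.group(0)
    return None


def find_chains(events):
    """Return (batch_guid, rundll32_guid, dll_path) for each stage-1 -> stage-2 pair.

    Correlation is by parent GUID, so a lone rundll32.exe-from-Temp (which may be
    an installer) is not reported; only the explorer -> cmd -> rundll32 chain is.
    """
    by_guid = {ev["guid"]: ev for ev in events}
    hits = []
    for ev in events:
        dll = temp_dll_argument(ev)
        if dll is None:
            continue
        parent = by_guid.get(ev["parent_guid"])
        if parent is not None and is_batch_from_explorer(parent):
            hits.append((parent["guid"], ev["guid"], dll))
    return hits


if __name__ == "__main__":
    for batch_guid, dll_guid, dll in find_chains(SAMPLE_EVENTS):
        print(f"ALERT: {batch_guid} -> {dll_guid} ran rundll32 on {dll}")
```

Running the block reports only the `{B}` to `{C}` pair; the svchost-spawned rundll32.exe with a system DLL is ignored. In a real pipeline the same correlation would be keyed on Sysmon's ProcessGuid/ParentProcessGuid, and the Temp-folder test would be widened to whatever staging directories the environment actually sees.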
How to Protect Your Organization
Cybereason provided the following recommendations for organizations to protect themselves:
- Phishing email protection. If possible, block or quarantine password-protected zip files in your email gateway.
- Warn your users against similar threats. Use caution when handling files that are out of the ordinary and come from the internet (e.g., ISO and LNK files).
- Disable disk image file auto-mounting. To prevent this infection technique from succeeding, consider disabling auto-mounting of disk image files (mainly .iso, .img, .vhd, and .vhdx) globally through GPOs.
- Block compromised users. Block users whose machines were involved in the attack, in order to stop or at least slow down attacker propagation over the network.
- Identify and block malicious network connections. Identify network flows toward malicious IPs or domains identified in the reports and block connections to stop the attacker from controlling the compromised machines.
- Reset Active Directory access. If Domain Controllers (DCs) were accessed by the attacker and all accounts have potentially been stolen, it is recommended that all AD access be reset when rebuilding the network.
- Engage Incident Response. It is important to investigate the actions of the attacker thoroughly to ensure you’ve not missed any activity and you’ve patched everything that needs to be patched.
- Cleanse compromised machines. Isolate and re-image all infected machines, to limit the risk of a second compromise or the attacker getting subsequent access to the network.