Rapid IcedID Malware Infection Stuns Researchers

How it begins

• The attack begins with an ISO file packed inside a ZIP archive. Opening the ISO file on the victim’s device creates a virtual disk.
• This virtual disk carries only one single file - an LNK file linked to a batch file.
• Upon execution, the batch file drops a DLL file and executes it with rundll32.exe. This established a connection with the IcedID-related domain, from where the IcedID payload is downloaded.

Picking up speed

• It creates a scheduled task that is meant to execute after every hour and every system reboot, adding to the malware persistence on the machine.
• Subsequent to establishing an initial foothold on the machine, a DLL file (cuaf.dll) is loaded which is originally a Cobalt Strike beacon. Simultaneously, it establishes a connection with a known C2 server.
• Within seven minutes of infection, the attackers could use the Cobalt Strike beacon to load the Rubeus tool used for interaction with Kerberos, along with Atera remote administration tool for creating an additional backdoor.
• In addition, the attackers used Cobalt strike to download additional tools, including net.exe, ping.exe, and nltest.exe, for reconnaissance.
• Within 15 min of infection, the malware starts moving laterally.

Moving laterally, gaining privileged access

• The same beacons were executed on all the workstations detected across the network.
• Within one hour of the initial infection, the attackers were observed performing lateral movement across the entire targeted network using Windows Management Instrumentation (WMI).
• Post gaining access to file servers, they elevated the access permissions to carry out a DCSync attack and successfully compromised the network domain within 19 hours of the initial attack.

Ending notes