In a recent IcedID campaign, the blazing speed of movement of the attackers has taken researchers by surprise. The attackers started a lateral movement within the infected network within one hour of infection and compromised the Active Directory of an unknown target within 24 hours.
How it begins
According to Cybereason researchers, the attackers used ISO and LNK files instead of traditional phishing-based attacks that delivered macro-based documents.
The attack begins with an ISO file packed inside a ZIP archive. Opening the ISO file on the victim’s device creates a virtual disk.
This virtual disk carries only one single file - an LNK file linked to a batch file.
Upon execution, the batch file drops a DLL file and executes it with rundll32.exe. This established a connection with the IcedID-related domain, from where the IcedID payload is downloaded.
Picking up speed
Within a few minutes of infection, the attacker scans the entire network via net.exe to gather information about the domain, members of the admin group, and the workstation.
It creates a scheduled task that is meant to execute after every hour and every system reboot, adding to the malware persistence on the machine.
Subsequent to establishing an initial foothold on the machine, a DLL file (cuaf.dll) is loaded which is originally a Cobalt Strike beacon. Simultaneously, it establishes a connection with a known C2 server.
Within seven minutes of infection, the attackers could use the Cobalt Strike beacon to load the Rubeus tool used for interaction with Kerberos, along with Atera remote administration tool for creating an additional backdoor.
In addition, the attackers used Cobalt strike to download additional tools, including net.exe, ping.exe, and nltest.exe, for reconnaissance.
Within 15 min of infection, the malware starts moving laterally.
Moving laterally, gaining privileged access
The attackers, in this incident, stole the credential of a service account of the target via Kerberoasting and moved laterally to an internal Windows Server where the Cobalt Strike beacon was deployed.
The same beacons were executed on all the workstations detected across the network.
Within one hour of the initial infection, the attackers were observed performing lateral movement across the entire targeted network using Windows Management Instrumentation (WMI).
Post gaining access to file servers, they elevated the access permissions to carry out a DCSync attack and successfully compromised the network domain within 19 hours of the initial attack.
Other tools used during the attack include the Netscan utility (to scan the network), Rclone (for directory exfiltration), and MEGA cloud storage to sync several directories.
Ending notes
The rapid speed of the entire operation and the use of legitimate tools allowed IcedID to dodge several security barriers. For protection against such attacks, experts recommend the use of both signature-based and behavior-based anti-malware solutions. Moreover, due to the increase in ISO-based attacks, it is important to disable the auto-mounting of disk image files on the devices.