A recent IcedID malware attack allowed the threat actor to compromise an Active Directory domain in less than 24 hours, according to new reports. The threat actor was able to go from initial access on an end-user system to Domain Admin on a Windows server at an alarming rate.
The attack started out with a phishing email containing a ZIP file with a malicious ISO within. Once the contents of the ISO were executed, the main IcedID payload was launched, which established persistence on the host via a scheduled task and downloaded and executed a Cobalt Strike beacon. From there, lateral movement across the network was performed, executing the same Cobalt Strike beacon on each new system, alongside the Atera agent for redundancy. At one point, the tool Rubeus was downloaded to enable credential theft, which allowed the threat actor to move to a Windows server utilizing Domain Admin privileges. This elevated level of access allowed the threat actors to utilize a DCSync attack, allowing them to retrieve credential hashes for all users in the domain. From here, the threat actors have access to the entire domain, effectively compromising the entire network.
The threat actors were also seen using other legitimate tools, such as netscan.exe to scan for lateral movement targets and the rclone file syncing utility to exfiltrate interesting directories to the MEGA cloud storage platform.
Since the initial infection vector relates to a phishing email containing a malicious ZIP file, it is recommended to implement and maintain proper email security controls. Email security controls, such as AV scanning and sandboxing, can help prevent phishing emails from reaching end users, thus potentially preventing the malware from infecting a workstation, to begin with. It is also recommended to maintain appropriate endpoint security controls. Most of the behaviors exhibited by this attack post-compromise would be considered suspicious activity, so it is likely that most EDRs would be able to prevent certain aspects of the attack from occurring. Likewise, the attack uses common tooling, like Cobalt Strike and Rubeus, that most EDRs would likely prevent from executing in the first place. In cases where prevention did not occur, detection would help to alert the organization to a potential compromise within the environment. Most of the initial infection vector and the post-compromise activity can be alerted upon with the appropriate logging in place. An activity like a DLL being copied from an ISO to the TEMP directory, rundll32.exe creating a scheduled task, regsvr32.exe making network callouts, Atera agents being installed on devices in an unauthorized manner, and rclone.exe being used to connect to the MEGA cloud storage service are all suspicious behaviors that can be monitored for and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
Sources: https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html?m=1 https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise