IcedID to Cobalt Strike In Under 20 Minutes

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

• We identified IcedID malware attempting to load Cobalt Strike within 20 minutes of initial infection.
• As noted in the June 2021 TRU Positive, IcedID is a modular banking trojan and precursor to hands-on-intrusions and ransomware attacks.
• The incident started with the victim unwittingly mounting and executing the contents of an ISO file delivered through email.
  • This technique uses a disk image (.iso) containing a shortcut and hidden files. When clicked, the shortcut command uses the regsvr32 lolbin to execute the IcedID payload hidden within the mounted image container.
• Once executed, IcedID immediately performs discovery commands to capture the system, domain, and networking information. These are common commands executed by precursor malware and are likely used to prioritize footholds for further intrusion actions.
• Less than 20 minutes from initial infection, the host executed remote PowerShell commands to deploy a Cobalt Strike stager.

How did we find it?

• Our Machine Learning PowerShell classifier identified the malicious Cobalt Strike PowerShell command.
• MDR for Network disrupted and alerted on the IcedID C2 traffic.

What did we do?

• Our 24/7 SOC alerted the customer, and the host was contained.

What can you learn from this TRU positive?

• Ransomware precursor threats such as IcedID, Emotet and Qakbot must be identified and contained before the host is used as a foothold for further attacks.
• Adversaries are streamlining attacks to account for defender reaction times.
  • In December 2021, Emotet was observed directly deploying Cobalt Strike beacons to expedite intrusion actions. This was a departure from historical observations where malware such as Trickbot was deployed prior to Cobalt Strike.
  • IcedID has been documented loading Cobalt Strike as recently as January 2022.
  • In this case, the rapid deployment of Cobalt Strike stager suggests that an interactive intrusion was imminent.
• Adversaries are using alternative techniques (e.g., .iso containers) to macro-based execution in malicious documents.
  This is likely in response to Microsoft’s recent announcement of blocking macros by default in internet-sourced files starting in 2022.

Recommendations from our Threat Response Unit (TRU) Team:

Loader malware attempts to install other malware, so the priority should be to identify and investigate the presence of follow-on malware on systems. In addition, we recommend:

• Display file extensions for known file types and consider showing hidden files to users by default.
• Conduct Managed Phishing and Security Awareness Training on a regular basis. Warn users about the threat posed by scripts (e.g. JavaScript or VBScript) and image files (.iso) attached or linked in emails.
• Employ email filtering and protection measures.
  • Block or quarantine email attachments such as EXEs, Password Protected ZIPs, JavaScript, Visual Basic scripts.
  • Implement anti-spoofing measures such as DMARC and SPF.
  • Employ an MFA solution to reduce impact of compromised credentials.
  • Train users to identify and report suspicious emails.
• Protect endpoints against malware.
  • Ensure antivirus signatures are up-to-date.
  • Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
  • Limit or disable macros across the organization. See UK's National Cyber Centre guidance on Macro Security.

Ask Yourself…

1. Is your malware identification and remediation process agile enough to disrupt follow-on attacks stemming from loader malware?
2. What level of visibility do you have across your network, endpoint and overall environment to detect malicious behavior at scale?
3. What tools are you employing for email filtering and how is that activity monitored?
4. What level of managed endpoint support do you have in place?
5. Are you monitoring your endpoints 24/7 and what degree of control do you have to initiate a kill switch when required?

Indicators of Compromise

If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.

Want to learn more? Connect with an eSentire Security Specialist.