Cybereason, the XDR company, today issued a report with the results of its investigation into IcedID malware, linked to the threat group TA155. Developed in 2017, IcedID is historically known as a banking trojan used to steal financial information from its victims. Recently, IcedID has been used as a dropper for other malware families and as a tool for initial access brokers.
Cybereason’s security analysts discovered the following key findings:
-- Fast Moving: The attackers went from initial infection to lateral movement in less than an hour. The Active Directory domain was compromised in less than 24 hours.
-- Standardized Attack Flow: Throughout the attack, the attacker followed a routine of reconnaissance commands, credential theft, lateral movement by abusing Windows protocols, and execution of Cobalt Strike on the newly compromised host. This activity is explained in more detail in the Lateral Movement section of the report.
-- Techniques Borrowed From Other Groups: Several of the TTPs we observed have also been found in attacks attributed to Conti, Lockbit, FiveHands, and others. This not only shows a trend towards attackers sharing ideas across groups, but also demonstrates that the ability to detect the techniques and tactics of one group can be applied to detecting others.
-- Change of Initial Infection Vector: In previous campaigns, attackers delivered IcedID through phishing with malicious macros in documents. With the recent changes Microsoft has implemented, attackers are replacing macros with ISO and LNK files. The behavior illustrated in this article confirms that trend.
Cybereason offers the following recommendations to help organizations reduce the risks associated with IcedID:
-- Phishing email protection: If possible, block or quarantine password-protected ZIP files at your email gateway.
-- Warn your users against similar threats: Use caution when handling files from the internet that are out of the ordinary (e.g., ISO and LNK files).
-- Block compromised users: Block users whose machines were involved in the attack, to stop or at least slow the attacker's propagation across the network.
-- Identify and block malicious network connections: Identify network flows toward the malicious IPs or domains identified in the report and block them to stop the attacker from controlling the compromised machines.
-- Reset Active Directory access: If the attacker accessed Domain Controllers (DCs), and therefore potentially stole every account, reset all AD access when rebuilding the network.
-- Engage Incident Response: Investigate the attacker's actions thoroughly to ensure no activity has been missed and everything that needs patching has been patched.
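As an added illustration of the first recommendation (this is not code from the Cybereason report), the following Python check inspects a ZIP attachment the way a mail-gateway rule might: it flags entries whose ZIP general-purpose flag bit 0 marks them as encrypted (password-protected, so the gateway cannot scan the contents) and entries with disk-image or shortcut extensions such as ISO and LNK. The sample archives, the extension list, and the helper that sets the encryption flag are constructed here for the example.

```python
import io
import zipfile

# Assumed extension list: disk images and shortcuts used in place of macros
SUSPICIOUS_EXT = (".iso", ".img", ".lnk")

def inspect_zip(data: bytes) -> dict:
    """Decide whether a ZIP attachment should be quarantined.

    Bit 0 of each entry's general-purpose flag is set when the entry is
    encrypted (password-protected). Disk images and shortcuts inside the
    archive are flagged as well, since they cannot be trusted unscanned."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    suspicious = [i.filename for i in infos
                  if i.filename.lower().endswith(SUSPICIOUS_EXT)]
    return {
        "encrypted": encrypted,
        "suspicious_members": suspicious,
        "quarantine": bool(encrypted or suspicious),
    }

def build_sample_zip(members: dict) -> bytes:
    """Constructed sample: an in-memory ZIP from a name -> content map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def set_encrypted_flag(data: bytes) -> bytes:
    """Constructed helper: mark every entry as encrypted by setting flag bit 0
    in each local file header (offset 6) and central directory header
    (offset 8), which is how a password-protected archive looks to a parser."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x1
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)

if __name__ == "__main__":
    plain = build_sample_zip({"notes.txt": b"hello"})
    lure = build_sample_zip({"notes.txt": b"hello", "invoice.lnk": b"L\x00\x00\x00"})
    print(inspect_zip(plain))
    print(inspect_zip(lure))
    print(inspect_zip(set_encrypted_flag(lure)))
```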
About Cybereason
Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason Defense Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.
Media contact:
Bill Keeler
Senior Director, Global Public Relations
Cybereason
bill.keeler@cybereason.com
+1 (929) 259-3261