Cyber Siege: IcedID to Dagon Locker in 29 Days – Unveiling a Stealthy Network Intrusion

Phishers Go Phishing: How IcedID Reeled In a Network in Just 29 Days

In the cybercrime sea, a new phish has surfaced and it’s a catch! IcedID malware went on a phishing spree using clever tricks to distribute Cobalt Strike faster than you can say “byte me”. The result? A network netted in just 29 days. Hook, line, and sinker! 🎣💻🔒 #IcedID #CyberSecurityCatch

Hot Take:

Just when you thought your digital life was as frozen as a pizza in an Antarctic research station, along comes a cyber saga spicier than a ghost pepper! In this episode, our cyber-ninjas didn’t just throw a phishing line—they cast a whole darn net with PrometheusTDS, serving up a malware cocktail with a twist of IcedID and a splash of Cobalt Strike. These keyboard warriors wielded PowerShell like a samurai sword, slicing through Group Policy like butter, and proved that in the cyber realm, 29 days is all it takes to go from “Hello, World!” to “Goodbye, World!” as they unleashed ransomware Armageddon. Buckle up, buttercup, it’s going to be a bumpy ride!

Key Points:

  • A phishing fiesta kicked things off, where unsuspecting clickers were lured into a fake Azure portal and ended up downloading a side of IcedID malware.
  • To keep the party going, the malware set up shop with scheduled tasks, ensuring the hangover, aka persistence, would last through many reboots.
  • With the grace of a cat burglar, the attackers used AWScollector to snoop around, swipe data, and set the stage for a ransomware rave.
  • Group Policy became the attackers’ playground, where they doled out Cobalt Strike beacons like party favors to privileged user groups.
  • After a 29-day cyber bender, the attackers unleashed Dagon Locker ransomware, turning the victim’s digital domain into a dystopian wasteland.

Need to know more?

A Phishy Start to a Malware Marathon

Our tale begins with a phishing expedition that would make Hemingway proud. The attackers cast their line with a bogus Azure portal and reeled in victims with a JavaScript file that was more malicious than an expired can of tuna. This devious file had a secret recipe: it downloaded IcedID malware, which then snuggled into the system with a scheduled task, as cozy as a cat in a sunbeam.

The Power(play)Shell of Evil

The malware wasn’t content with just a foothold; it wanted the whole leg. So it executed a Cobalt Strike beacon, which is like sending up the Bat-Signal for hackers. They then used their homemade AWScollector tool as a Swiss Army knife of cybercrime, performing digital gymnastics from discovery to data heist.

Group Policy Hijinks

These cyber jesters turned Group Policy into their personal puppet, using it to distribute Cobalt Strike beacons like a magician pulling rabbits out of a hat. This allowed them to sprinkle their malicious confetti onto specific privileged users at every login, turning the network into a never-ending surprise party.
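As an added illustration (not code from this post or from the report it summarises), the snippet below runs simple defender-side triage over constructed Windows Security event records for the two persistence steps described above: the scheduled task registered by the script host that ran the phishing JavaScript, and a Group Policy object modified to push a payload to users at logon. Event IDs 4688, 4698 and 5136 and the attribute gPCUserExtensionNames are real Windows items; the flattened record format, hostnames, task names and file paths are assumptions made up for the example.

```python
import re

# Constructed sample events in a flattened key=value form (not real telemetry).
# Event IDs: 4688 = process created, 4698 = scheduled task created,
# 5136 = directory service object modified (covers GPO edits on a DC).
SAMPLE_EVENTS = [
    r"ts=2023-10-02T09:14:05Z id=4688 host=WS01 user=jdoe proc=C:\Windows\System32\wscript.exe cmd=wscript.exe C:\Users\jdoe\Downloads\Azure_Invoice.js",
    r"ts=2023-10-02T09:14:08Z id=4698 host=WS01 user=jdoe parent=wscript.exe task=\SysUpdate_7f2 action=rundll32.exe C:\Users\jdoe\AppData\Roaming\n7f2.dll",
    r"ts=2023-10-03T03:00:00Z id=4698 host=WS02 user=SYSTEM parent=svchost.exe task=\Microsoft\Windows\Defrag\ScheduledDefrag action=defrag.exe",
    r"ts=2023-10-20T18:02:11Z id=5136 host=DC01 user=svc_backup objclass=groupPolicyContainer attr=gPCUserExtensionNames",
    r"ts=2023-10-20T18:03:40Z id=5136 host=DC01 user=svc_backup objclass=user attr=description",
]

# Script hosts that run a phishing .js attachment, and the extensions a
# user-downloaded script would carry (assumed lists for this example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_SCRIPT_EXT = (".js", ".jse", ".vbs", ".hta")


def parse_event(line: str) -> dict:
    """Split one key=value record; values may contain spaces, keys never do."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """Return (timestamp, host, reason) for records matching either stage."""
    findings = []
    for line in events:
        ev = parse_event(line)
        eid = ev.get("id")
        cmd = ev.get("cmd", "").lower()
        if eid == "4688" and basename(ev.get("proc", "")) in SCRIPT_HOSTS \
                and cmd.endswith(USER_SCRIPT_EXT):
            findings.append((ev["ts"], ev["host"], "script host ran a user-downloaded script"))
        elif eid == "4698" and ev.get("parent", "").lower() in SCRIPT_HOSTS:
            findings.append((ev["ts"], ev["host"],
                             f"scheduled task {ev['task']} registered by {ev['parent']}"))
        elif eid == "5136" and ev.get("objclass") == "groupPolicyContainer":
            # Any GPO extension change is worth a look; a logon-script push to a
            # privileged OU is exactly what this write-up describes.
            findings.append((ev["ts"], ev["host"],
                             f"GPO attribute {ev['attr']} changed by {ev['user']}"))
    return findings


if __name__ == "__main__":
    for ts, host, reason in triage(SAMPLE_EVENTS):
        print(ts, host, reason)
```

The benign defrag task and the unrelated user-object edit are deliberately included so the rules can be seen not to fire on routine activity.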

The Ransomware Finale

Like any good party, this one had to end at some point. And boy, did it go out with a bang! After nearly a month of fun and games, the attackers deployed the Dagon Locker ransomware, which is essentially the equivalent of flipping the game board and storming off. The victim’s network was encrypted faster than you can say “What’s the ransom note say?”, leaving a digital disaster zone in its wake.

The Cybersecurity Hangover

As the dust settled and the digital hangover began, we were left with a reminder that the cyber world is wilder than a rodeo on Mars. With a Time to Ransomware (TTR) of just 29 days, this case is a wake-up call that when it comes to cybersecurity, you snooze, you lose… and sometimes, you get ransomed.

Tags: AWScollector, Cobalt Strike, Dagon Locker, Data Exfiltration, IcedID, lateral movement, phishing, PowerShell, PrometheusTDS, ransomware