
IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours
2023-01-12 14:46

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.

"Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers said in a report published this week.

Attacks involving the delivery of IcedID have leveraged a variety of methods, especially in the wake of Microsoft's decision to block macros from Office files downloaded from the web.

The intrusion detailed by Cybereason is no different in that the infection chain begins with an ISO image file contained within a ZIP archive that culminates in the execution of the IcedID payload. The malware then establishes persistence on the host via a scheduled task and communicates with a remote server to download additional payloads, including Cobalt Strike Beacon for follow-on reconnaissance activity.

The elevated permissions are then weaponized to stage a DCSync attack, allowing the adversary to simulate the behavior of a domain controller and retrieve credentials from other domain controllers.
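A DCSync request is visible to defenders as a Windows Security event 4662 in which a principal that is not a domain controller exercises the directory replication control-access rights. The following added detection example is not from Cybereason's report; it checks constructed 4662 records against the well-known replication right GUIDs, and the DC account names and sample events are assumptions for illustration.

```python
# Control access right GUIDs carried in the "Properties" field of event 4662
# when a principal requests directory replication (well-known Windows values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Computer accounts of legitimate domain controllers; assumed for this example.
# Only these accounts are expected to replicate from each other.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def is_dcsync_candidate(event, known_dcs=KNOWN_DC_ACCOUNTS):
    """True when a 4662 event shows a non-DC principal using replication rights."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    # Replication between DCs is routine; anything else deserves a look.
    return event.get("SubjectUserName", "") not in known_dcs


def find_dcsync_events(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Filter a list of parsed Security events down to DCSync candidates."""
    return [e for e in events if is_dcsync_candidate(e, known_dcs)]


# Constructed sample events (not real telemetry). The third uses a made-up
# GUID standing in for an unrelated object-access right.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # user account replicating
    {"EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},   # ordinary object access
    {"EventID": 4624, "SubjectUserName": "jsmith", "Properties": ""},  # logon, not 4662
]

if __name__ == "__main__":
    for hit in find_dcsync_events(SAMPLE_EVENTS):
        print("possible DCSync by", hit["SubjectUserName"])
```

Auditing of "Directory Service Access" must be enabled on the domain controllers for 4662 to be logged at all, so confirm the event source before trusting an empty result.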

The findings come as researchers from Team Cymru shed more light on the BackConnect protocol used by IcedID to deliver additional functionality post-compromise, including a VNC module that provides a remote-access channel.

News URL

https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html