From IcedID to Dagon Locker Ransomware in 29 Days

May 1, 2024, 11:05 p.m.

Tags
powershell
cobalt strike
anydesk
icedid
adfind
rclone
shell
encrypted
discovery
domain account
access token
manipulation
utility
modify system
aws collector
prometheustds
seatbelt
sharefinder
External References
Description

This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.

Date

Published: April 29, 2024, 5:23 p.m.

Created: April 29, 2024, 5:23 p.m.

Modified: May 1, 2024, 11:05 p.m.

Indicators

f6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4

a0191a300263167506b9b5d99575c4049a778d1a8ded71dcb8072e87f5f0bbcf

9da84133ed36960523e3c332189eca71ca42d847e2e79b78d182da8da4546830

839cf7905dc3337bebe7f8ba127961e6cd40c52ec3a1e09084c9c1ccd202418e

65edf9bc2c15ef125ff58ac597125b040c487640860d84eea93b9ef6b5bb8ca6

332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953

87.251.67.168

51.89.133.3

45.15.161.97

194.58.68.187

159.89.124.188

151.236.9.176

151.236.9.166

159.223.95.82

143.110.245.38

23.159.160.88

http://87.251.67.168:443

http://194.58.68.187:443

http://159.89.124.188:443

http://159.223.95.82:443

http://151.236.9.176:443

http://151.236.9.166:443

http://143.110.245.38:443

winupdate.us.to

ultrascihictur.com

rpgmagglader.com

restohalto.site

patricammote.com

oopscokir.com

moashraya.com

magiraptoy.com

fraktomaam.com

ewacootili.com

Download all indicators here!

Attack Patterns

IcedID

Cobalt Strike

T1069

T1039

T1135

T1490

T1482

T1124

T1136

T1567

T1614

T1552

T1087

T1021

T1573

T1489

T1486

T1218

T1082

T1105

T1083

T1071

T1047

T1055

T1020

T1219

T1134

T1204

T1033

T1027

T1560

T1053

T1562

T1003

T1059