From IcedID to Dagon Locker Ransomware in 29 Days

May 1, 2024, 11:05 p.m.

Description

This intrusion began in August 2023 with a phishing campaign that distributed IcedID malware. The campaign used the Prometheus Traffic Direction System (TDS) to deliver the payload: victims were redirected to a fraudulent website mimicking an Azure download portal. From that initial IcedID infection, the operators reached deployment of Dagon Locker ransomware in 29 days.

Date

  • Created: April 29, 2024, 5:23 p.m.
  • Published: April 29, 2024, 5:23 p.m.
  • Modified: May 1, 2024, 11:05 p.m.

Indicators

  • f6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4
  • a0191a300263167506b9b5d99575c4049a778d1a8ded71dcb8072e87f5f0bbcf
  • 9da84133ed36960523e3c332189eca71ca42d847e2e79b78d182da8da4546830
  • 839cf7905dc3337bebe7f8ba127961e6cd40c52ec3a1e09084c9c1ccd202418e
  • 65edf9bc2c15ef125ff58ac597125b040c487640860d84eea93b9ef6b5bb8ca6
  • 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953
  • 87.251.67.168
  • 51.89.133.3
  • 45.15.161.97
  • 194.58.68.187
  • 159.89.124.188
  • 151.236.9.176
  • 151.236.9.166
  • 159.223.95.82
  • 143.110.245.38
  • 23.159.160.88
  • http://87.251.67.168:443
  • http://194.58.68.187:443
  • http://159.89.124.188:443
  • http://159.223.95.82:443
  • http://151.236.9.176:443
  • http://151.236.9.166:443
  • http://143.110.245.38:443
  • winupdate.us.to
  • ultrascihictur.com
  • rpgmagglader.com
  • restohalto.site
  • patricammote.com
  • oopscokir.com
  • moashraya.com
  • magiraptoy.com
  • fraktomaam.com
  • ewacootili.com
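The list above mixes four indicator types (SHA-256 hashes, IPv4 addresses, URLs and domains), each of which matches a different log source. The following Python script is an added example and not part of the report: it types each indicator, builds an index, and scans log lines for hits. The DNS, proxy, EDR and firewall log formats it scans are constructed for illustration only; adapt the regexes to your own exports. Two details worth noting: the URL indicators use plain `http://` on port 443, so they are matched on host:port rather than on scheme, and a listed IP seen on another port fires only the IP indicator, not the URL one. Domain matching covers subdomains, so a lookup of a hostname under `winupdate.us.to` is still a hit.

```python
"""Added example (not from the original report): hunt the listed IOCs in log lines.
Log formats below are constructed for illustration; adapt the regexes to real exports."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the report above (hashes, IPs, URLs, domains).
INDICATORS = [
    "f6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4",
    "a0191a300263167506b9b5d99575c4049a778d1a8ded71dcb8072e87f5f0bbcf",
    "9da84133ed36960523e3c332189eca71ca42d847e2e79b78d182da8da4546830",
    "839cf7905dc3337bebe7f8ba127961e6cd40c52ec3a1e09084c9c1ccd202418e",
    "65edf9bc2c15ef125ff58ac597125b040c487640860d84eea93b9ef6b5bb8ca6",
    "332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953",
    "87.251.67.168", "51.89.133.3", "45.15.161.97", "194.58.68.187",
    "159.89.124.188", "151.236.9.176", "151.236.9.166", "159.223.95.82",
    "143.110.245.38", "23.159.160.88",
    "http://87.251.67.168:443", "http://194.58.68.187:443",
    "http://159.89.124.188:443", "http://159.223.95.82:443",
    "http://151.236.9.176:443", "http://151.236.9.166:443",
    "http://143.110.245.38:443",
    "winupdate.us.to", "ultrascihictur.com", "rpgmagglader.com",
    "restohalto.site", "patricammote.com", "oopscokir.com", "moashraya.com",
    "magiraptoy.com", "fraktomaam.com", "ewacootili.com",
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")  # optional :port
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def classify(ioc):
    """Return (type, normalized value) for one indicator string."""
    ioc = ioc.strip()
    if SHA256_RE.fullmatch(ioc):
        return "sha256", ioc.lower()
    if "://" in ioc:  # URL: keep host:port, drop scheme (these are http on 443)
        u = urlsplit(ioc)
        port = u.port or (443 if u.scheme == "https" else 80)
        return "url", f"{u.hostname}:{port}"
    try:
        ipaddress.ip_address(ioc)
        return "ip", ioc
    except ValueError:
        return "domain", ioc.lower()


def build_index(indicators):
    """Group indicators by type into sets for O(1) lookups."""
    idx = {"sha256": set(), "url": set(), "ip": set(), "domain": set()}
    for ioc in indicators:
        kind, value = classify(ioc)
        idx[kind].add(value)
    return idx


def domain_hit(host, domains):
    """Exact or subdomain match; returns the listed domain that matched, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line, idx):
    """Return a sorted, de-duplicated list of (type, indicator) matches in one line."""
    hits = set()
    for h in SHA256_RE.findall(line):
        if h.lower() in idx["sha256"]:
            hits.add(("sha256", h.lower()))
    for tok in IPV4_RE.findall(line):
        ip, _, port = tok.partition(":")
        if ip in idx["ip"]:
            hits.add(("ip", ip))
        if port and f"{ip}:{port}" in idx["url"]:  # URL IOC needs the port to agree
            hits.add(("url", f"{ip}:{port}"))
    for host in HOST_RE.findall(line):
        d = domain_hit(host, idx["domain"])
        if d:
            hits.add(("domain", d))
    return sorted(hits)


def hunt(lines, indicators=INDICATORS):
    """Return {1-based line number: hits} for every line with at least one match."""
    idx = build_index(indicators)
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line, idx))}


# Constructed sample log lines (not real telemetry from the intrusion).
SAMPLE_LOGS = [
    "2023-08-15T10:02:11Z dns client=10.0.0.5 query=cdn.winupdate.us.to type=A",
    "2023-08-15T10:03:40Z proxy src=10.0.0.5 dst=87.251.67.168:443 method=POST url=http://87.251.67.168:443/",
    "2023-08-15T10:01:05Z edr host=WS01 sha256=F6E5DBFF14EF272CE07743887A16DECBEE2607F512FF2A9045415C8E0C05DBB4 file=update.dll",
    "2023-08-15T10:04:02Z dns client=10.0.0.6 query=login.microsoftonline.com type=A",
    "2023-08-15T10:05:13Z fw src=10.0.0.7 dst=159.89.124.188:8080 action=allow",
]

if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

Run against real exports by replacing `SAMPLE_LOGS` with the file's lines; the hash matching is case-insensitive, and the proxy line shows that a single event can legitimately fire both the IP and the URL indicator.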