Back

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

June 10, 2024, 11:31 a.m.

Tags

backdoor
rat
ransomware
blackcat
alphv
cobalt strike
icedid
exfiltration
2024-06-10
noberus
csharp streamer

External References

https://thedfirreport.com/

https://otx.alienvault.com/

Description

This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT, for credential access and lateral movement. Over eight days, the adversary methodically moved across the network, collecting data before ultimately deploying ALPHV ransomware on multiple hosts.

Date

Published Created Modified
June 10, 2024, 11:03 a.m. June 10, 2024, 11:03 a.m. June 10, 2024, 11:31 a.m.

Indicators

fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d

dfa8c282178a509346fb0154e6dbd5fbb0b56c38894ce7d244f5ca26d6820e67

d8f51dcfe928a1674e8d88029a404005ab826527372422cac24c81467440feb0

cd0e941587672ab1517681a7e3b4f93a00020f8c8c8479a76b9e3555bcd04121

c2ddb954877dcfbb62fd615a102ce5fa69f4525abc1884e8fe65b0c2b120cfd4

bd4876f7efbd18a03bbb401a5dc77ed68ef95c72a3f7be83cef39a4515e0c476

bc49622009b29c23ee762fe6f000936eb1c4c1b29496d5382f175c99ad941aac

9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f

94d6395dcab01250650e884f591956464d582a4f1f5da948055e6d2f0a215ace

6f3a02674b6bbf05af8a90077da6e496cc47dda9101493b8103f0f2b4e4fd958

7d2e705dcaa9f36fb132b7ff329f61dd5d0393c28dcd53b2be1e3ba85c633360

6a6cd64fba34aadad2df808b0fcab89ef26a897040268b24fed694036cc51d6a

5d1817065266822df9fa6e8c5589534e031bb6a02493007f88d51a9cfb92e89b

5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf

457a2f29d395c04a6ad6012fab4d30e04d99d7fc8640a9ee92e314185cc741d3

3336bfde9b6b8ef05f1d704d247a1a8fd0641afaecc6a71f5cfa861234c4317b

4103cc8017409963b417c87259af2a955653567cdbf7d5504198dd350f9ef9c1

e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c

94.232.46.27

92.118.112.113

77.105.140.181

212.18.104.12

173.255.204.62

109.236.80.191

85.209.11.48

77.105.142.135

217.23.12.8

Attack Patterns

CSharp Streamer

BlackCat - S1068

Noberus

ALPHV

IcedID - S0483

Cobalt Strike - S0154

T1043

T1069.002

T1003.006

T1218.010

T1087.001

T1003.001

T1039

T1078.002

T1569.002

T1021.001

T1135

T1053.005

T1482

T1197

T1560.001

T1087.002

T1218.011

T1059.005

T1018

T1059.003

T1059.001

T1213

T1071.001

T1070.004

T1204.002

T1486

T1016

T1082

T1083

T1020

T1219

T1033

T1566