IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

June 10, 2024, 11:31 a.m.

Description

This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT, for credential access and lateral movement. Over eight days, the adversary methodically moved across the network, collecting data before ultimately deploying ALPHV ransomware on multiple hosts.

External References

https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/
https://otx.alienvault.com/pulse/6666dd884a5155bce8735a6a
Tags
backdoor
rat
ransomware
blackcat
alphv
cobalt strike
icedid
exfiltration
2024-06-10
noberus
csharp streamer

Date

  • Created: June 10, 2024, 11:03 a.m.
  • Published: June 10, 2024, 11:03 a.m.
  • Modified: June 10, 2024, 11:31 a.m.

Indicators

  • fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d
  • dfa8c282178a509346fb0154e6dbd5fbb0b56c38894ce7d244f5ca26d6820e67
  • d8f51dcfe928a1674e8d88029a404005ab826527372422cac24c81467440feb0
  • cd0e941587672ab1517681a7e3b4f93a00020f8c8c8479a76b9e3555bcd04121
  • c2ddb954877dcfbb62fd615a102ce5fa69f4525abc1884e8fe65b0c2b120cfd4
  • bd4876f7efbd18a03bbb401a5dc77ed68ef95c72a3f7be83cef39a4515e0c476
  • bc49622009b29c23ee762fe6f000936eb1c4c1b29496d5382f175c99ad941aac
  • 9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f
  • 94d6395dcab01250650e884f591956464d582a4f1f5da948055e6d2f0a215ace
  • 6f3a02674b6bbf05af8a90077da6e496cc47dda9101493b8103f0f2b4e4fd958
  • 7d2e705dcaa9f36fb132b7ff329f61dd5d0393c28dcd53b2be1e3ba85c633360
  • 6a6cd64fba34aadad2df808b0fcab89ef26a897040268b24fed694036cc51d6a
  • 5d1817065266822df9fa6e8c5589534e031bb6a02493007f88d51a9cfb92e89b
  • 5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf
  • 457a2f29d395c04a6ad6012fab4d30e04d99d7fc8640a9ee92e314185cc741d3
  • 3336bfde9b6b8ef05f1d704d247a1a8fd0641afaecc6a71f5cfa861234c4317b
  • 4103cc8017409963b417c87259af2a955653567cdbf7d5504198dd350f9ef9c1
  • e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c
  • 94.232.46.27
  • 92.118.112.113
  • 77.105.140.181
  • 212.18.104.12
  • 173.255.204.62
  • 109.236.80.191
  • 85.209.11.48
  • 77.105.142.135
  • 217.23.12.8
  • skrechelres.com
  • jkbarmossen.com
  • hofsaalos.com
  • evinakortu.com
  • modalefastnow.com
  • jerryposter.com
Download all indicators here!

Attack Patterns

  • CSharp Streamer
  • BlackCat - S1068
  • Noberus
  • ALPHV
  • IcedID - S0483
  • Cobalt Strike - S0154
  • T1043
  • T1069.002
  • T1003.006
  • T1218.010
  • T1087.001
  • T1003.001
  • T1039
  • T1078.002
  • T1569.002
  • T1021.001
  • T1135
  • T1053.005
  • T1482
  • T1197
  • T1560.001
  • T1087.002
  • T1218.011
  • T1059.005
  • T1018
  • T1059.003
  • T1059.001
  • T1213
  • T1071.001
  • T1070.004
  • T1204.002
  • T1486
  • T1016
  • T1082
  • T1083
  • T1020
  • T1219
  • T1033
  • T1566