IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
June 10, 2024, 11:31 a.m.
Description
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT, for credential access and lateral movement. Over eight days, the adversary methodically moved across the network, collecting data before ultimately deploying ALPHV ransomware on multiple hosts.
Tags
Date
- Created: June 10, 2024, 11:03 a.m.
- Published: June 10, 2024, 11:03 a.m.
- Modified: June 10, 2024, 11:31 a.m.
Indicators
- fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d
- dfa8c282178a509346fb0154e6dbd5fbb0b56c38894ce7d244f5ca26d6820e67
- d8f51dcfe928a1674e8d88029a404005ab826527372422cac24c81467440feb0
- cd0e941587672ab1517681a7e3b4f93a00020f8c8c8479a76b9e3555bcd04121
- c2ddb954877dcfbb62fd615a102ce5fa69f4525abc1884e8fe65b0c2b120cfd4
- bd4876f7efbd18a03bbb401a5dc77ed68ef95c72a3f7be83cef39a4515e0c476
- bc49622009b29c23ee762fe6f000936eb1c4c1b29496d5382f175c99ad941aac
- 9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f
- 94d6395dcab01250650e884f591956464d582a4f1f5da948055e6d2f0a215ace
- 6f3a02674b6bbf05af8a90077da6e496cc47dda9101493b8103f0f2b4e4fd958
- 7d2e705dcaa9f36fb132b7ff329f61dd5d0393c28dcd53b2be1e3ba85c633360
- 6a6cd64fba34aadad2df808b0fcab89ef26a897040268b24fed694036cc51d6a
- 5d1817065266822df9fa6e8c5589534e031bb6a02493007f88d51a9cfb92e89b
- 5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf
- 457a2f29d395c04a6ad6012fab4d30e04d99d7fc8640a9ee92e314185cc741d3
- 3336bfde9b6b8ef05f1d704d247a1a8fd0641afaecc6a71f5cfa861234c4317b
- 4103cc8017409963b417c87259af2a955653567cdbf7d5504198dd350f9ef9c1
- e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c
- 94.232.46.27
- 92.118.112.113
- 77.105.140.181
- 212.18.104.12
- 173.255.204.62
- 109.236.80.191
- 85.209.11.48
- 77.105.142.135
- 217.23.12.8
- skrechelres.com
- jkbarmossen.com
- hofsaalos.com
- evinakortu.com
- modalefastnow.com
- jerryposter.com
Attack Patterns
- CSharp Streamer
- BlackCat - S1068
- Noberus
- ALPHV
- IcedID - S0483
- Cobalt Strike - S0154
- T1043
- T1069.002
- T1003.006
- T1218.010
- T1087.001
- T1003.001
- T1039
- T1078.002
- T1569.002
- T1021.001
- T1135
- T1053.005
- T1482
- T1197
- T1560.001
- T1087.002
- T1218.011
- T1059.005
- T1018
- T1059.003
- T1059.001
- T1213
- T1071.001
- T1070.004
- T1204.002
- T1486
- T1016
- T1082
- T1083
- T1020
- T1219
- T1033
- T1566