IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

June 10, 2024, 11:31 a.m.

Description

This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT, for credential access and lateral movement. Over eight days, the adversary methodically moved across the network, collecting data before ultimately deploying ALPHV ransomware on multiple hosts.

Date

  • Created: June 10, 2024, 11:03 a.m.
  • Published: June 10, 2024, 11:03 a.m.
  • Modified: June 10, 2024, 11:31 a.m.

Indicators


Attack Patterns

  • CSharp Streamer
  • BlackCat - S1068
  • Noberus
  • ALPHV
  • IcedID - S0483
  • Cobalt Strike - S0154
  • T1043
  • T1069.002
  • T1003.006
  • T1218.010
  • T1087.001
  • T1003.001
  • T1039
  • T1078.002
  • T1569.002
  • T1021.001
  • T1135
  • T1053.005
  • T1482
  • T1197
  • T1560.001
  • T1087.002
  • T1218.011
  • T1059.005
  • T1018
  • T1059.003
  • T1059.001
  • T1213
  • T1071.001
  • T1070.004
  • T1204.002
  • T1486
  • T1016
  • T1082
  • T1083
  • T1020
  • T1219
  • T1033
  • T1566