https://www.fortify24x7.com/2021/09/indicators-of-compromise-associated-with-icedid/
Submission: On August 10 via manual from PH — Scanned from DE
Research

INDICATORS OF COMPROMISE ASSOCIATED WITH ICEDID
Fortify Security Team
Sep 28, 2021

FBI reporting has indicated a recent increase in IcedID malware acting as a “dropper,” infecting victims with additional malware. Examples of ransomware variants dropped by IcedID include Defray777, GlobeImposter, Cuba, Conti, and REvil (aka Sodinokibi).

First reported in late 2017, IcedID (also known as BokBot) has been known as a banking trojan that targets victims with a redirect attack. When a victim uses an infected computer to access an online banking platform, IcedID redirects victims to a visually identical fake banking website. The fake website solicits login credentials from the victim and then shows an error message, leading the victim to believe the website is malfunctioning. Meanwhile, the actor(s) behind the fake website obtain and use the user’s credentials to access the victim’s bank account.

Initial IcedID infections often result from emails containing a zipped Microsoft Excel or Word document with a generic name and possibly a date. The password for the zipped file is in the content of the email. The Excel or Word document has a graphic stating it was created in an older version of Excel or Word and requests the user click “Enable Content” in order to display the document. Cyber actors also target organizations by embedding malicious “Contact Us” links into emails through public domains.
Cyber actors deliver IcedID using Emotet, Trickbot, and TA551 (also known as Shathak and GoldCabin). TA551 is an email-based malware distribution campaign that has exclusively pushed IcedID since mid-July 2020.

Through industry partners and open source information, the tier one C2 domains are easily identifiable and fall into two to three different categories. While naming conventions differ by researcher, the first set of tier one C2 domains stage the initial component of the IcedID malware, which is pulled down to a victim by the malicious Microsoft Word or Excel attachments. These C2s are typically valid for approximately 24 hours. The second set of tier one C2 domains stage the GZIP loader that is pulled down to a victim by the initial IcedID component. These C2s are also valid for approximately 24 hours. The final set of tier one C2 domains are the core or victim (bot) control C2s. These C2s change less often and can be valid for two or more weeks.

For the second tier of infrastructure, there are two different components: inject panel domains and tier 2 servers or proxies. Inject panel domains control which web injects, or fake websites, the victim will be targeted with. These domains are likely proxies to higher tiered infrastructure. Tier 2 servers are proxies between the tier one C2 domains of all types and the backend infrastructure at higher tiers. As of the date of this FLASH, the use of web injects by IcedID has significantly dropped, and these domains are less likely to be seen by victims. Instead, the FBI has identified an increased use of tier 2 servers or proxies to target victims.

Indicators of Compromise

Victims of IcedID may see C2 domains in their network traffic. IcedID C2 domains change frequently, and are only active for short periods. Network defenders should visit trusted security vendor websites or blogs for current or breaking information.
The following are characteristics of an IcedID compromise:

C2 Domains Distributing IcedID Payload on or after August 1, 2021

Hash Values of IcedID Binaries as of August 1, 2021

Recommended Mitigations

* Be wary of thread hijacking, where actors reply to legitimate previous conversations within a victim’s email in order to send additional phishing emails within a network from the victim’s account. If receiving a zipped document from an email previously communicated with, verify the document originated from the sender via another form of communication.
* Be wary of the “Enable Content” feature in Microsoft attachments. Clicking this button enables the IcedID payload to download to a victim machine.
* Back up critical data offline.
* Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
* Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.
* Use two-factor authentication with strong passwords, including for remote access services.
* Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.
* Keep computers, devices, and applications patched and up-to-date.
* Install and regularly update anti-virus or anti-malware software on all hosts.
* Review the following additional resources.
* The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
* The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center Joint Ransomware Guide covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.
* gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.

If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.

* Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
* Turn off other computers and devices. Power off and segregate (i.e., remove from the network) the infected computer(s). Power off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
* Secure your backups.
Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.