Full Report
Key Takeaways In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was … Read More
Analysis Summary
# Incident Report: IcedID to Dagon Locker Ransomware in 29 Days
## Executive Summary
An intrusion detected in August 2023 began with a sophisticated phishing campaign distributing the IcedID malware. The threat actor leveraged IcedID to deploy Cobalt Strike and subsequently utilized a bespoke PowerShell tool, AWScollector, for extensive reconnaissance, lateral movement, and data exfiltration over 29 days before deploying Dagon Locker ransomware. The incident highlights a long dwell time enabling significant adversary action before final impact.
## Incident Details
- **Discovery Date:** August 2023 (Date of detection is implied by the start of the intrusion described)
- **Incident Date:** August 2023 (Start of intrusion)
- **Affected Organization:** Undisclosed (Internal Case # TB23869 PR28513 for reference)
- **Sector:** Undisclosed
- **Geography:** Undisclosed
## Timeline of Events
### Initial Access
- **Date/Time:** August 2023
- **Vector:** Phishing campaign using PrometheusTDS to distribute IcedID.
- **Details:** Initial compromise achieved via a phishing campaign delivering the IcedID initial access malware.
### Execution & C2 Establishment
- **Date/Time:** Post-Initial Access
- **Vector:** IcedID malware execution.
- **Details:** IcedID dropped and executed a Cobalt Strike beacon, which served as the persistent command and control (C2) framework for the remainder of the intrusion.
### Lateral Movement & Escalation
- **Date/Time:** Over the 29-day dwell time.
- **Vector:** Bespoke PowerShell tool (AWScollector) and native Windows tools.
- **Details:** Threat actors used the AWScollector tool for discovery and lateral movement. Cobalt Strike beacons were distributed via Group Policy login scripts targeting a specific privileged user group. Additional tools like AnyDesk, Netscan, Nbtscan, Seatbelt, Sharefinder, and AdFind were deployed.
### Data Exfiltration/Impact
- **Date/Time:** Leading up to Day 29.
- **Vector:** Use of Rclone and other enumeration tools.
- **Details:** The ultimate impact was the deployment of Dagon Locker ransomware. Data exfiltration was facilitated, likely leveraging Rclone for cloud storage integration (Exfiltration to Cloud Storage T1567.002).
### Detection & Response
- **Date/Time:** Day 29 post-intrusion (Time to Ransomware - TTR).
- **Vector:** Details of specific detection mechanism not fully provided, but the analysis was performed post-incident.
- **Response Actions:** Not explicitly detailed, but the response involved analysis leading to this report, covering containment and eradication steps for IcedID/Cobalt Strike artifacts and Dagon Locker deployment.
## Attack Methodology
- **Initial Access:** Phishing (PrometheusTDS distributing IcedID) (T1204.002)
- **Persistence:** Establishment of Cobalt Strike beacon; potential use of Scheduled Tasks (T1053.005), Group Policy distribution (implied).
- **Privilege Escalation:** Use of **Seatbelt** (likely credential access/dumping assistance) (T1003.001 LSASS Memory).
- **Defense Evasion:** Use of native tools (Living off the Land), Command Obfuscation (T1027.010), TLS/Encrypted Channels (T1573).
- **Credential Access:** Likely leveraged LSASS memory access (T1003.001).
- **Discovery:** Systeminfo (T1082), System Owner/User Discovery (T1033), Domain Account/Group Discovery (T1087.002, T1069.002), Domain Trust Discovery (T1482), utilizing **AdFind** and **Systeminfo**.
- **Lateral Movement:** Group Policy distribution of Cobalt Strike, native tools, SMB/Windows Admin Shares exploitation (T1021.002).
- **Collection:** Gathering data from Network Shared Drives (T1039), File and Directory Discovery (T1083), utilizing **Sharefinder** and **AdFind**.
- **Exfiltration:** Exfiltration to Cloud Storage (T1567.002) using **Rclone**.
- **Impact:** Data Encrypted for Impact (T1486) via **Dagon Locker Ransomware**; Inhibit System Recovery (T1490); Service Stop (T1489).
## Impact Assessment
- **Financial:** Not detailed, but presumed significant due to ransomware deployment.
- **Data Breach:** Data was collected and exfiltrated to cloud storage prior to encryption. Specific volume unknown.
- **Operational:** Full operational disruption anticipated due to Dagon Locker ransomware deployment on Day 29.
- **Reputational:** Likely significant due to ransomware-related outage.
## Indicators of Compromise
*Note: IPs and URLs are excluded as none were explicitly provided in defanged or actionable format in the summary text.*
- **Network indicators:** Cobalt Strike C2 traffic (implied).
- **File indicators:** IcedID, Cobalt Strike beacons, AWScollector (PowerShell tool), Rclone, AnyDesk, Seatbelt, AdFind.
- **Behavioral indicators:** Suspicious execution of AdFind and `Systeminfo`, Group Policy modification for payload distribution, creation of remote access software (AnyDesk), use of network scanning tools (Netscan, Nbtscan).
## Response Actions
- **Containment:** (Implied necessary action to halt Dagon Locker encryption/spread, likely network isolation and disabling C2 communication.)
- **Eradication:** (Implied removal of IcedID, Cobalt Strike implants, persistence mechanisms, and AWScollector.)
- **Recovery:** (Implied, focused on restoring systems from backups following ransomware decryption or rebuild.)
## Lessons Learned
- The Time to Ransomware (TTR) was excessively long at 29 days, indicating significant gaps in detection capabilities allowing deep penetration and reconnaissance.
- The reliance on customized PowerShell tools (AWScollector) and standard tooling to facilitate complex internal operations (discovery, lateral movement).
- Successful use of native OS features (Group Policy) for widespread malware distribution significantly amplified the threat's reach within the environment.
## Recommendations
- Enhance email gateway defenses to prevent initial delivery of loaders like IcedID, potentially leveraging PrometheusTDS intelligence.
- Implement robust monitoring for Command and Control frameworks, specifically focusing on Cobalt Strike beaconing patterns.
- Review and restrict the use of Group Policy for the deployment of non-standard binaries to user login contexts, especially for privileged groups.
- Improve endpoint detection to flag the usage of specialized attacker tools like AdFind, Seatbelt, and Rclone executing on endpoints.