# Incident Report: OneNote Phishing Leading to IcedID, Cobalt Strike, and Nokoyawa Ransomware
## Executive Summary
In late February 2023, threat actors successfully breached an organization via a malicious Microsoft OneNote file delivered through phishing. The initial access led to the deployment of IcedID, which maintained a low-profile presence for over 30 days before the actors escalated to using Cobalt Strike and AnyDesk for remote access. The intrusion culminated in the exfiltration of data via FileZilla and the deployment of Nokoyawa ransomware targeting file and backup servers.
## Incident Details
- Discovery Date: Late March 2023 (implied by the intrusion duration)
- Incident Date: Late February 2023 (Initial Access)
- Affected Organization: Not disclosed
- Sector: Not disclosed
- Geography: Not disclosed
## Timeline of Events
### Initial Access
- **Date/Time:** Late February 2023
- **Vector:** Phishing campaign distributing emails with malicious OneNote attachments.
- **Details:** The OneNote file launched a `cmd` script, which in turn used PowerShell to download an IcedID DLL from a remote server; the DLL was disguised with an image file extension.
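The download step above depends on the IcedID DLL carrying an image file extension (the masquerading that the Attack Methodology section maps to T1036.008). As an added example, not code from the original report, the Python below checks whether a file's leading bytes agree with its extension and flags a PE image (`MZ` header) stored under an image extension. The file names and byte strings are constructed for the demonstration; a production scanner would use libmagic for a far wider signature set.

```python
"""Flag files whose content does not match the extension they claim.

Added example (not from the original report). A Windows PE file (EXE/DLL)
always begins with b"MZ", so a .png/.jpg/.gif file starting with "MZ" is an
immediate masquerading indicator (T1036.008). Sample files are constructed.
"""

# Well-known leading bytes for the few formats this demo recognises.
MAGIC = [
    ("pe", b"MZ"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpg", b"\xff\xd8\xff"),
    ("gif", b"GIF8"),  # GIF87a / GIF89a
]

# Extension -> format name the extension claims.
EXT_TO_TYPE = {
    "exe": "pe", "dll": "pe",
    "png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif",
}


def sniff_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for name, magic in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def check_file(filename: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the sniffed type (bytes)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_type(data)
    if actual == "pe" and claimed != "pe":
        verdict = "masquerade"  # executable hiding behind a non-executable extension
    elif actual != "unknown" and claimed != "unknown" and actual != claimed:
        verdict = "mismatch"    # two known formats that disagree
    elif actual == "unknown" or claimed == "unknown":
        verdict = "unknown"     # nothing to compare against
    else:
        verdict = "ok"
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


def scan(files: dict) -> list:
    """Run check_file over a {name: bytes} mapping."""
    return [check_file(name, data) for name, data in files.items()]


# Constructed samples (not real malware): a genuine PNG header, a PE stub
# (DOS header "MZ" plus padding) saved with a .jpg extension, and plain text.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "wallpaper.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # DLL disguised as an image
    "notes.txt": b"plain text",
}


def suspicious(files: dict = SAMPLES) -> list:
    """Names of files that are executables masquerading as something else."""
    return [r["file"] for r in scan(files) if r["verdict"] == "masquerade"]


if __name__ == "__main__":
    for result in scan(SAMPLES):
        print(result)
```

The check is deliberately asymmetric: a PE under any non-executable extension is always reported, while two image formats that disagree are only a lower-severity mismatch, since renamed images are common and harmless.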
### Initial Execution & Persistence
- **Date/Time:** Shortly after Initial Access
- **Details:** After IcedID execution, a scheduled task was created for persistence. For the next 21 days, activity was limited strictly to IcedID command and control (C2) beaconing.
### Discovery & Escalation
- **Day 22 (Approx. Mid-March 2023):** IcedID began standard discovery activities using native Microsoft tools (`net`, `nltest`, `chcp`, `systeminfo`).
- **Day 33 (Approx. Late March 2023):** IcedID launched Cobalt Strike beacons. These beacons injected into processes and began Active Directory discovery using `AdFind` commands executed via a batch script.
### Lateral Movement & Impact
- **Vector:** Exploitation of a Domain Administrator account.
- **Details:** A PowerShell script deployed AnyDesk, and the ID was relayed to the actor. The threat actor connected via AnyDesk, operating under the elevated privileges of the original user (a Domain Administrator). They browsed files, accessed LSASS memory, and performed significant reconnaissance using command-line tools and GUI tools like Task Manager. The actor targeted a file server and backup server. Prior to final impact, data was exfiltrated using FileZilla, followed by the deployment of Nokoyawa ransomware.
### Detection & Response
- **Detection:** The report notes that the Cobalt Strike server was detected weeks *before* the intrusion started (likely by the reporting entity's threat intelligence services), but it does not describe the victim's internal detections beyond the observed use of native discovery tools.
- **Response Actions:** Not documented; the report ends with the actor's final actions (data exfiltration followed by ransomware deployment).
## Attack Methodology
- **Initial Access:** Phishing (T1566) via Malicious OneNote attachment (T1204.002).
- **Persistence:** Scheduled Task (T1053.005).
- **Privilege Escalation:** Leveraged victim account with pre-existing Domain Administrator privileges.
- **Defense Evasion:** Masquerading file type (T1036.008) for the downloaded DLL; using legitimate system utilities (Living off the Land Binaries/Scripts - LOLBAS) for discovery.
- **Credential Access:** Accessing LSASS memory (T1003.001).
- **Discovery:** Executing reconnaissance commands (`net`, `nltest`, `AdFind`, `systeminfo`) post-IcedID (T1082, T1046, T1069.002).
- **Lateral Movement:** Use of Remote Access Software (AnyDesk - T1219) after gaining access via Cobalt Strike.
- **Collection:** File and Directory Discovery (T1083), Data from Network Shared Drive (T1039).
- **Exfiltration:** Using FileZilla (Exfiltration Over Alternative Protocol - T1048).
- **Impact:** Data Encrypted for Impact (T1486) via Nokoyawa ransomware.
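The discovery phase (Day 22 in the timeline, and the Discovery entry above) is often the first realistic chance to catch an intrusion like this one: several native enumeration tools run in quick succession on a single host, and later a non-native tool such as AdFind appears. The Python below is an added example, not from the original report, that applies that logic to constructed Sysmon-style process-creation events in JSON-lines form. Host names, users, paths and timestamps are made up; the window size, distinct-tool threshold and ATT&CK mapping are assumptions to tune per environment.

```python
"""Detect bursts of discovery tooling in process-creation telemetry.

Added example (not from the original report). Alerts when, within one window
on one host, several distinct discovery tools execute, or when a high-signal
non-native tool (AdFind) executes at all. Sample events are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tool -> ATT&CK technique (simplified mapping, an assumption for the demo).
DISCOVERY_TOOLS = {
    "net.exe": "T1069.002",     # local/domain group enumeration
    "net1.exe": "T1069.002",
    "nltest.exe": "T1482",      # domain trust / DC discovery
    "systeminfo.exe": "T1082",  # system information discovery
    "chcp.com": "T1082",
    "adfind.exe": "T1087.002",  # AD account/object enumeration (non-native)
    "whoami.exe": "T1033",
    "ipconfig.exe": "T1016",
}
HIGH_SIGNAL = {"adfind.exe"}   # alert on a single execution
WINDOW = timedelta(minutes=10)  # assumption: tune per environment
MIN_DISTINCT = 3                # distinct native tools needed to alert

# Constructed Sysmon-style process-creation events, one JSON object per line.
SAMPLE_LOG = r"""
{"ts": "2023-03-14T09:12:01Z", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\chcp.com", "cmdline": "chcp"}
{"ts": "2023-03-14T09:12:03Z", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\systeminfo.exe", "cmdline": "systeminfo"}
{"ts": "2023-03-14T09:12:05Z", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"Domain Admins\" /domain"}
{"ts": "2023-03-14T09:12:08Z", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /dclist:corp"}
{"ts": "2023-03-14T09:30:00Z", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
{"ts": "2023-03-14T13:05:10Z", "host": "SRV-FILE01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use"}
{"ts": "2023-03-25T14:02:11Z", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\Temp\\adfind.exe", "cmdline": "adfind.exe -f (objectcategory=person)"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime and a lower-cased tool name."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        event["tool"] = event["image"].rsplit("\\", 1)[-1].lower()
        events.append(event)
    return sorted(events, key=lambda e: (e["host"], e["ts"]))


def detect_discovery_bursts(events: list, window=WINDOW, min_distinct=MIN_DISTINCT) -> list:
    """Group discovery executions per host and emit one alert per burst."""
    by_host = defaultdict(list)
    for event in events:
        if event["tool"] in DISCOVERY_TOOLS:
            by_host[event["host"]].append(event)

    alerts = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            start = evs[i]["ts"]
            # evs is time-sorted, so the cluster is a contiguous prefix.
            cluster = [e for e in evs[i:] if e["ts"] - start <= window]
            tools = sorted({e["tool"] for e in cluster})
            high = any(t in HIGH_SIGNAL for t in tools)
            if high or len(tools) >= min_distinct:
                alerts.append({
                    "host": host,
                    "user": cluster[0]["user"],
                    "start": start.isoformat(),
                    "tools": tools,
                    "techniques": sorted({DISCOVERY_TOOLS[t] for t in tools}),
                    "severity": "high" if high else "medium",
                })
                i += len(cluster)  # cluster consumed, move past it
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the four native tools on WS-042 within seven seconds produce one medium alert, the lone `net use` on the file server produces nothing, and the later AdFind execution produces a high alert on its own; the two-week gap between them mirrors the pacing described in the timeline.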
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Exfiltration of data occurred prior to encryption. Specific type/volume not disclosed.
- **Operational:** Severe disruption expected due to the deployment of Nokoyawa ransomware targeting file and backup servers.
- **Reputational:** Not disclosed.
## Indicators of Compromise
*(Note: no atomic indicators such as hashes, IP addresses or domains are reproduced here; the categories below summarize what the report describes.)*
- **Network Indicators:** Cobalt Strike C2 infrastructure (detected by reporting service prior to attack).
- **File Indicators:** Malicious OneNote files, IcedID DLL with spoofed extension, FileZilla usage.
- **Behavioral Indicators:** Suspicious execution of AdFind, Nltest.EXE, Systeminfo; process injection by Cobalt Strike; creation of scheduled tasks; PUA execution (Process Hacker noted in detections).
## Response Actions
*(Specific actions taken by the victim are not detailed, but standard actions would include:)*
- **Containment:** Isolating affected hosts (file server, backup server, initial beachhead host), disabling compromised user accounts (Domain Admin).
- **Eradication:** Removing IcedID components, Cobalt Strike artifacts, AnyDesk installation, and the scheduled task. Wiping and rebuilding affected servers.
- **Recovery:** Restoring systems and data from clean backups, following ransomware deployment.
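Eradication above includes removing the scheduled task IcedID created for persistence. As an added example (not from the original report), the Python below audits Task Scheduler XML definitions, as exported by `schtasks /query /tn <name> /xml` or read from the task files under `C:\Windows\System32\Tasks`, and scores each task on traits the persistence in this intrusion would show: a logon or boot trigger, a proxy-execution binary such as rundll32, a path under a user-writable directory, and a DLL loader pointed at a file with an image extension. The two task definitions are constructed samples, and the heuristics and the two-finding threshold are assumptions.

```python
"""Audit Task Scheduler XML for persistence-style traits.

Added example (not from the original report). Exported task files on disk
are UTF-16; pass them to audit_task as bytes (open(path, "rb").read()) so the
parser honours the declaration. The samples below are constructed strings.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PROXY_BINARIES = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "powershell.exe", "cmd.exe",
}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
IMAGE_EXT = re.compile(r"\.(png|jpe?g|gif|bmp)\b", re.IGNORECASE)

# Constructed sample: persistence that loads a "image" from a temp folder at logon.
SUSPICIOUS_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jdoe</Author><URI>\Updates\SyncHelper</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\jdoe</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\jdoe\AppData\Local\Temp\photo.png,update</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample: an ordinary vendor updater on a daily schedule.
BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>NT AUTHORITY\SYSTEM</Author><URI>\Vendor\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Vendor\updater.exe"</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>
"""


def audit_task(xml_text) -> dict:
    """Return the task URI, a list of findings and a suspicious verdict."""
    root = ET.fromstring(xml_text.strip() if isinstance(xml_text, str) else xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    findings = []

    triggers = root.find("t:Triggers", NS)
    if triggers is not None and any(
        child.tag.endswith("LogonTrigger") or child.tag.endswith("BootTrigger")
        for child in triggers
    ):
        findings.append("runs at logon/boot")

    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        full = (cmd + " " + args).lower()
        if exe in PROXY_BINARIES:
            findings.append(f"proxy-execution binary: {exe}")
        if any(p in full for p in USER_WRITABLE):
            findings.append("command or arguments reference a user-writable path")
        if exe in ("rundll32.exe", "regsvr32.exe") and IMAGE_EXT.search(args):
            findings.append("DLL loader pointed at a file with an image extension")

    # Assumption: two or more traits together warrant an analyst's attention.
    return {"task": name, "findings": findings, "suspicious": len(findings) >= 2}


def audit_all(tasks) -> list:
    """Audit several task definitions and return only the suspicious ones."""
    return [r for r in (audit_task(t) for t in tasks) if r["suspicious"]]


if __name__ == "__main__":
    for result in (audit_task(SUSPICIOUS_TASK), audit_task(BENIGN_TASK)):
        print(result)
```

Single traits are common in legitimate tasks (many vendor tasks run at logon, and PowerShell tasks are normal in managed fleets), which is why the verdict is driven by the combination rather than any one finding.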
## Lessons Learned
- Malicious OneNote files remain an effective mechanism to bypass legacy email controls.
- The threat actor maintained a long dwell time (33+ days) after initial compromise, with activity limited to IcedID beaconing for the first three weeks before discovery and escalation began.
- A Domain Administrator account being used by a standard end-user greatly amplified the impact and allowed for rapid privilege escalation and deployment of post-exploitation tools (Cobalt Strike, AnyDesk).
## Recommendations
- Implement robust email gateway filtering to specifically inspect archives and embedded executable content often hidden within seemingly benign files like OneNote/Office documents.
- Strictly enforce Principle of Least Privilege (PoLP); audit and restrict users having Domain Administrator rights for daily operations, especially for accounts opening untrusted email attachments.
- Enhance endpoint detection capabilities to monitor for unusual beaconing patterns (e.g., IcedID C2) and the execution of legitimate tools for malicious reconnaissance (LOLBAS).
- Immediately review and secure backup infrastructure, ensuring backups are immutable or logically separated to prevent destruction following successful compromise.