#HappyMonday everyone! The DFIR Report released another amazing report, this time they provide details of an incident that started with #IcedID and ended with #Nokoyawa #ransomware. Interestingly enough, it was a malicious Excel doc this time that utilized a VBA macro to download the payload. Enjoy and Happy Hunting!
IcedID Macro Ends in Nokoyawa Ransomware
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
Notable MITRE ATT&CK TTPs:
The DFIR team did all the hard work on this one!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting
#IcedID: Exploring Four Recent #Malware Infection Techniques #cybersecurity https://www.infosecurity-magazine.com/blogs/icedid-malware-infection-techniques/
Good morning and Happy Monday! We are going to kick this week off with my #readoftheday from The DFIR Report! They report on an incident that involved #IcedID delivering a malicious email that contained an ISO image which ultimately led to domain wide ransomware. As usual this report is full of technical details and helpful information to fuel your hunting! Have a wonderful day and Happy Hunting!
Malicious ISO File Leads to Domain Wide Ransomware
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting
Three Variants of #IcedID #Malware Discovered #cybersecurity https://www.infosecurity-magazine.com/news/variants-icedid-malware-discovered/
Originally posted at: https://twitter.com/malware_traffic/status/1634042775850082304
2023-03-08 (Wednesday): #IcedID (#Bokbot) infection with #BackConnect and #VNC traffic. Email --> PDF with link --> downloaded zip --> extracted .msi --> IcedID infection. 1 malspam example, #pcap from an infection, associated malware & IOCs available at https://www.malware-traffic-analysis.net/2023/03/08/index.html
Last week's reporting gave a great insight into the level of innovation going on in the cyber crime ecosystem - C2 over MQTT, crypters delivering payloads over SQL connections, and UEFI bootkits that bypass Windows' Secure Boot! We've pulled it all together, just for you:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-3fd
The BlackLotus #Bootkit has been upgraded to exploit a vulnerability in Microsoft's Secure Boot Mechanism, allowing it to persist on fully patched Windows 11 systems. This is enabled in no small part by the failure to update the UEFI revocation list, which allowed the bootkit author to simply load and exploit the vulnerable UEFI components on target systems.
Australia's cyber security laws were "bloody useless" in helping mitigate the Optus and Medibank breaches of 2022, according to the government's Home Affairs Minister. A new "national cyber office", reforms to Critical Infrastructure security laws, and a new Cyber Security Act are all on the table for discussion.
Zscaler analysts have picked up on the Snip3 crypter, a Crypter-as-a-Service offering which uses multiple obfuscated stages, an AMSI bypass, and SQL queries to circumvent security controls.
Sysdig share insights from a sophisticated #AWS-centric campaign; ESET have uncovered a new backdoor used by China's Mustang Panda (#APT27) which implements C2 over MQTT, and Team Cymru have again picked apart #IcedID's infrastructure to identify key TTPs.
Some interesting supply chain vulnerabilities this week, with bugs found in the ZK web app framework and Trusted Platform Module (TPM) having the potential to affect an untold number of applications and devices.
#Redteam members will get a kick out of DroppedConnection - a PoC that mimics Cisco AnyConnect VPN to siphon credentials and serve up malware to unwitting victims.
The #blueteam can look forward to some tips for GCP DFIR, bypassing malware geo-fencing, and tracking cyber criminal infrastructure.
Catch all this and much more in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-3fd
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #criticalinfrastructure #breach #privacy #Australia #crypter
Day 31 of #100DaysofYara: PDF Downloaders used by IcedID
https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/031/031.md
#IcedID campaigns have previously leveraged PDF files that download an archive from firebase:
https://github.com/pr0xylife/IcedID/blob/main/icedID_02.03.2023.txt
Today's YARA rule detects these .pdf files!
ISC diary: @malware_traffic reviews .url files and #WebDAV used for #IcedID (#Bokbot) infection https://i5c.us/d29578
Our monthly Intelligence Insight for February is out!
Last month we saw a pretty notable increase in #SocGholish activity, #IcedID hit the top 10 for the first time in a while, and of course all the OneNote shenanigans started in January too.
https://redcanary.com/blog/intelligence-insights-february-2023/
#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors' priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?
Now you can, with the Gootloader #TTP matrix available in Tidal's free Community Edition: https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2
Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn't yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams' radars.
Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple other detailed analyses. Procedural details are even available for nearly all the included technique mappings. Be sure to click the Technique Set's label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout.
Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here https://redcanary.com/blog/gootloader/ and here https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry https://app.tidalcyber.com/vendors
#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam
This video shows how you can identify #IcedID network traffic. Big thanks to @malware_traffic for publishing the #PCAP file!
https://netresec.com/?b=23242ad
Originally posted at: https://twitter.com/Unit42_Intel/status/1625218084288987136
2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using Google Ads. IoCs available at https://github.com/pan-unit42/tweets/blob/master/2023-02-13-IOCs-for-IcedID-infection-from-fake-Microsoft-Teams-page.txt
Sanitized/carved #pcap of the infection traffic, along with the associated malware/artifacts are now available at https://malware-traffic-analysis.net/2023/02/13/index.html
Day 26 of #100DaysOfYara: Using the VirusTotal module to detect file behavior - CobaltStrike DLLs
https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/026/026.md
Recently @malware_traffic reported that an #IcedID OneNote file led to execution of a CobaltStrike DLL:
https://infosec.exchange/@malware_traffic/109835861869252291
Today's rule detects similar DLL files that make requests to a #CobaltStrike jQuery-themed malleable C2 profile.
Originally posted at: https://twitter.com/Unit42_Intel/status/1623707361184477185
2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, I saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using thefirstupd[.]com as its domain.
IoCs available at https://github.com/pan-unit42/tweets/blob/master/2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt
Picking back up #100DaysOfYara with Day 22 - Hunting for OneNote Abuse | matching on wide strings
https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/022/022.md
For today's rule I wanted to learn more about what `wide` does in YARA (as opposed to just sprinkling it everywhere like seasoning on a meal).
`wide` matches on UTF-16 strings instead of the default of UTF-8. We can use this to detect #OneNote malware that uses the lure text:
> double click "open"
This has been observed with multiple threat families:
#Qakbot: https://infosec.exchange/@threatresearch/109819793524213901
#IcedID: https://infosec.exchange/@rmceoin/109819301053823137
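To make the `wide` modifier from the post above concrete, here is an added example (my own Python, not code from the 100DaysOfYara repository) that reimplements what YARA searches for under `ascii`, `wide` and `nocase`: the plain form is one byte per character, the wide form is the same text with a 0x00 after every character (UTF-16LE, which is how OneNote stores page text). The `.one` header GUID is taken from the MS-ONESTORE file format specification; the three sample blobs are constructed placeholders, not real samples.

```python
# Added example (mine, not code from the 100DaysOfYara post): what YARA's
# `wide` string modifier actually matches, reimplemented in plain Python so it
# runs without yara-python. A plain (ascii) string matches its one-byte-per-
# character form; `wide` matches the same text with a 0x00 after every
# character, i.e. UTF-16LE, which is how OneNote stores page text.
#
# Illustrative YARA equivalent of what scan() does:
#   rule onenote_open_lure {
#     strings:   $s = "double click \"open\"" ascii wide nocase
#     condition: $s
#   }

LURE = 'double click "open"'

# .one file header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} (MS-ONESTORE), little-endian
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")


def yara_patterns(text: str) -> dict:
    """Byte patterns YARA searches for under `ascii` and `wide`."""
    return {
        "ascii": text.encode("ascii"),
        # `wide`: each character followed by a NUL byte == UTF-16LE for ASCII text
        "wide": text.encode("utf-16-le"),
    }


def scan(data: bytes, text: str = LURE, nocase: bool = False) -> list:
    """Return [(modifier, offset), ...] for every hit, like `$s` with `ascii wide`.

    `nocase` lower-cases ASCII letters only, so it also works on the wide form
    (the interleaved NUL bytes are untouched by bytes.lower()).
    """
    haystack = data.lower() if nocase else data
    hits = []
    for kind, pat in yara_patterns(text).items():
        needle = pat.lower() if nocase else pat
        off = haystack.find(needle)
        while off != -1:
            hits.append((kind, off))
            off = haystack.find(needle, off + 1)
    return hits


def looks_like_onenote(data: bytes) -> bool:
    """True when the blob starts with the .one file header GUID."""
    return data.startswith(ONE_MAGIC)


def is_onenote_open_lure(data: bytes) -> bool:
    """Verdict: a .one file carrying the 'double click "open"' lure in wide form."""
    return looks_like_onenote(data) and any(k == "wide" for k, _ in scan(data, nocase=True))


# Constructed samples (not real malware): a minimal .one-like blob with the lure
# in UTF-16LE, a plain-text file with the ASCII lure, and a clean .one-like blob.
SAMPLE_WIDE = ONE_MAGIC + b"\x00" * 16 + 'Double click "Open"'.encode("utf-16-le")
SAMPLE_ASCII = b'plain text dropper: double click "open" to run'
SAMPLE_CLEAN = ONE_MAGIC + "nothing to see here".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in [("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII), ("clean", SAMPLE_CLEAN)]:
        print(name, scan(blob, nocase=True), is_onenote_open_lure(blob))
```

The point the run makes: without `wide` the ASCII-only pattern never touches the OneNote blob at all, because every second byte is a NUL, and without `nocase` the capitalised "Double click "Open"" lure slips past too. Adding `wide` (and `nocase`) to a string in YARA costs nothing and closes exactly those two gaps.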
#OneNote has become a fixture in recent malware delivery campaigns, with Initial Access Broker kingpins such as #Qakbot, #IcedID, and more getting in on the action.
I've distilled all the publicly available information I could find on the topic into this post. Who's abusing it and how to mitigate them - it's all here:
https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs?sd=pf
#infosec #cyber #informationsecurity #cybersecurity #security #technology #malware #ransomware #dfir #soc #threatintel #threatintelligence
Wave of .one files dropping #icedid:
https://app.any.run/tasks/434266a4-2ecc-499e-955a-76b39d6847fc
dll hash:
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe
a c2:
https://renomesolar[.]com/users/3954321778/4200660454
Day 20 - More OneNote Malware Archives!
https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/020/020.md
A few days ago I wrote a yara rule to detect #qakbot zip archives that contain a OneNote file. Earlier today researchers from Proofpoint shared that #IcedID is now leveraging #OneNote malware archives!
πβ https://twitter.com/ffforward/status/1621195397250289664
Today I've updated my rule from day 18 to also detect on IcedID archives such as `SCAN_02_02_#5.zip` and `Inv_02_02_#6.zip`!
Retrohunting with this rule found 500+ recent malware samples! Those #IOCs can be found here:
https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/020/data.csv
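The day-20 post above describes a rule that flags zip archives carrying a OneNote file but not how such a check works on raw bytes. As an added example (my own Python, not the rule from the 100DaysOfYara repository), the following reads the ZIP central directory directly, the same way a YARA rule has to reason about an archive it cannot extract, and lists entries whose name ends in `.one`. The sample archives are built in memory with placeholder contents; their entry names mirror the `SCAN_02_02_#5` / `Inv_02_02_#6` pattern mentioned in the post, and nothing else about them is taken from real samples.

```python
# Added example (mine, not the day-20 rule from the post): flag ZIP archives that
# carry a OneNote section (.one) without extracting anything, by reading the
# ZIP central directory the way a YARA rule would read raw bytes. Names such as
# `SCAN_02_02_#5.zip` in the post are the archive; the .one inside is what the
# rule keys on. Only the standard library is used.
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # first local file header, offset 0 of a non-empty zip
CD_SIG = b"PK\x01\x02"      # central directory file header
EOCD_SIG = b"PK\x05\x06"    # end of central directory record


def zip_entry_names(data: bytes) -> list:
    """Entry names from the central directory (no ZIP64, no multi-disk, no decompression)."""
    if not data.startswith(LOCAL_SIG):
        return []
    eocd = data.rfind(EOCD_SIG)
    if eocd == -1:
        return []
    # EOCD at +10: total entries (u16), cd size (u32), cd offset (u32)
    n_total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    names, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CD_SIG:
            break  # truncated or corrupt directory: stop rather than read garbage
        # central header at +28: name len, extra len, comment len (all u16); name starts at +46
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def onenote_entries(data: bytes) -> list:
    """Names of entries that are OneNote sections, case-insensitive on the extension."""
    return [n for n in zip_entry_names(data) if n.lower().endswith(".one")]


def build_zip(entries: dict) -> bytes:
    """Helper to construct in-memory sample archives for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware); the entry names mirror the post's
# naming pattern, the contents are placeholders.
SAMPLE_LURE_ZIP = build_zip({"SCAN_02_02_#5.one": b"placeholder onenote bytes"})
SAMPLE_MIXED_ZIP = build_zip({"readme.txt": b"hi", "Inv_02_02_#6.ONE": b"placeholder"})
SAMPLE_BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.7 placeholder", "notes.txt": b"hi"})

if __name__ == "__main__":
    for label, blob in [("lure", SAMPLE_LURE_ZIP), ("mixed", SAMPLE_MIXED_ZIP), ("benign", SAMPLE_BENIGN_ZIP)]:
        print(label, zip_entry_names(blob), "->", onenote_entries(blob))
```

Walking the central directory rather than the local headers is deliberate: local headers may carry zero sizes when a data descriptor follows the entry, so they cannot be stepped over reliably, while the central directory always records each name and its lengths. Parsing at this level is also what makes the check robust to attackers who rely on the scanner being unable (or unwilling) to decompress the archive.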