Technology NewsActive Directory Domain Compromised in Under 24 Hours

Active Directory Domain Compromised in Under 24 Hours

-


Jan 12, 2023Ravie LakshmananActive Directory / Malware

Active Directory Domain Compromised in Under 24 Hours

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.

“Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,” Cybereason researchers said in a report published this week.

IcedID, also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a dropper for other malware, joining the likes of Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin.

Attacks involving the delivery of IcedID have leveraged a variety of methods, especially in the wake of Microsoft’s decision to block macros from Office files downloaded from the web.

The intrusion detailed by Cybereason is no different in that the infection chain begins with an ISO image file contained within a ZIP archive that culminates in the execution of the IcedID payload.

The malware then establishes persistence on the host via a scheduled task and communicates with a remote server to download additional payloads, including Cobalt Strike Beacon for follow-on reconnaissance activity.

It also carries out lateral movement across the network and executes the same Cobalt Strike Beacon in all those workstations, and then proceeds to install Atera agent, a legitimate remote administration tool, as a redundant remote access mechanism.

“Utilizing IT tools like this allows attackers to create an additional ‘backdoor’ for themselves in the event their initial persistence mechanisms are discovered and remediated,” the researchers said. “These tools are less likely to be detected by antivirus or EDR and are also more likely to be written off as false positives.”

MALWARE ATTACK

The Cobalt Strike Beacon is further used as a conduit to download a C# tool dubbed Rubeus for credential theft, ultimately permitting the threat actor to move laterally to a Windows Server with domain admin privileges.

The elevated permissions are then weaponized to stage a DCSync attack, allowing the adversary to simulate the behavior of a domain controller (DC) and retrieve credentials from other domain controllers.

Other tools used as part of the attack include a legitimate utility named netscan.exe to scan the network for lateral movement as well as the rclone file syncing software to exfiltrate directories of interest to the MEGA cloud storage service.

The findings come as researchers from Team Cymru shed more light on the BackConnect (BC) protocol used by IcedID to deliver additional functionality post compromise, including a VNC module that provides a remote-access channel.

“In the case of BC, there appears to be two operators managing the overall process within distinct roles,” the researchers noted last month, adding “much of the activity […] occurs during the typical working week.”

The development also follows a report from Proofpoint in November 2022 that a resurgence in Emotet activity has been linked to the distribution of a new version of IcedID.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest news

New OPPO Reno8 T and Reno8 T 5G, 100 megapixel camera and 120 Hz screen

OPPO has launched a new series within its Reno line: this is the Reno8 T and Reno8 T...

ஒரு செயற்கை இரசாயன கடிகாரம் சர்க்காடியன் தாளங்களின் மர்மமான சொத்தை எவ்வாறு பின்பற்றுகிறது

சர்க்காடியன் தாளங்கள் ஒரு தனித்துவமான பண்புகளைக் கொண்டுள்ளன, இதில் வெப்பநிலை ஏற்ற இறக்கங்கள் இருந்தபோதிலும் சுழற்சி காலம் மாறாமல் இருக்கும், பல உயிர்வேதியியல் எதிர்வினைகளின்...

ChatGPT – OpenAI plans to introduce an optional subscription for users of its tool

ChatGPT is one of the most interesting technological curiosities of recent months. Much has already been written...

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

Feb 02, 2023Ravie LakshmananCyber Risk / Threat Detection The State Cyber Protection Centre (SCPC) of Ukraine has called out...

ChatGPT – OpenAI plans to introduce an optional subscription for users of its tool

ChatGPT is one of the most interesting technological curiosities of recent months. Much has already been written...

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

Feb 02, 2023Ravie LakshmananCyber Risk / Threat Detection The State Cyber Protection Centre (SCPC) of Ukraine has called out...

Must read

Where To Watch The Boondocks

The Boondocks is an adult animated sitcom created...

Cybercriminals are targeting a software vulnerability used by many companies

Since VMware's solution is widespread, unpatched security holes...