Hackers Took Just 29 Days From IcedID Infection to Dagon Locker Ransomware
In a complex cyberattack that unfolded over 29 days, cybersecurity analysts have meticulously traced the steps of the threat actors from the initial infection with IcedID malware to the eventual deployment of Dagon Locker ransomware.
The detailed account of this intrusion gives a chilling example of how rapidly and stealthily cybercriminals can compromise an organization's network and target critical assets.
The Initial Breach: IcedID Phishing Campaign
The attack began with a phishing campaign that distributed IcedID, a notorious banking trojan, through emails containing malicious links. Victims who clicked on these links were directed to a fake web page designed to imitate an Azure download portal, where they were prompted to download a JavaScript file that initiated the malware infection.
Once the IcedID malware was installed, it wasted no time establishing persistence and a command and control (C2) connection.
Within 30 hours, the malware downloaded and executed a Cobalt Strike beacon, a tool attackers routinely use to maintain a foothold in the network and facilitate lateral movement.
The attackers demonstrated their capability by leveraging a range of tools, including a custom PowerShell script named AWScollector, to conduct discovery, move laterally, and exfiltrate data.
They also used Group Policy to distribute Cobalt Strike beacons to specific privileged user groups, further entrenching themselves throughout the network.
The Deployment of Dagon Locker Ransomware
On the twenty-ninth day, the attackers prepared for their final act by staging the Dagon Locker ransomware file on a domain controller.
Using their custom AWScollector script, they deployed the ransomware over SMB to remote hosts, disabling services and deleting shadow copies to prevent file recovery.
The ransomware crippled the entire network and demanded payment to release the encrypted files.
This incident serves as a stark reminder of the sophistication and persistence of modern cyber threats.
The attackers' use of many tools, including Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind, underscores the need for robust cybersecurity measures and constant vigilance.
The use of AnyDesk, a legitimate remote desktop application, for lateral movement and for creating new user accounts with administrative privileges highlights the attackers' ability to blend in with normal network activity and evade detection.
The thorough timeline of the attack, from the initial phishing email to the deployment of ransomware, demonstrates the attackers' methodical approach.
According to the DFIR Report analysis, it also emphasizes the importance of early detection and response. The Time to Ransomware (TTR) of 29 days indicates that organizations may have a window of opportunity to detect and mitigate such threats before they escalate to full-blown ransomware deployment.
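The stages above (a downloaded .js lure launched by a script host, AnyDesk use, new admin accounts, and the final shadow-copy deletion and service stops) are the points where defenders have a chance to catch this chain early. The following detection logic is an added example, not code from the article or from the incident report; it runs over constructed Sysmon-style process-creation events (hostnames, users and paths are hypothetical), using only the file names the article lists.

```python
"""Detection rules for the IcedID-to-Dagon-Locker chain described in the article.

Added example: scans constructed process-creation events (dicts, not real
telemetry) for the stages the write-up names. Hosts and paths are hypothetical.
"""
import re

# Each rule is (name, predicate over an event dict); stages follow the article.
RULES = [
    ("js_lure_execution",                      # downloaded .js run by a script host
     lambda e: e["image"].lower().endswith(("wscript.exe", "cscript.exe"))
     and re.search(r"\\downloads\\.*\.js\b", e["cmd"], re.I)),
    ("shadow_copy_deletion",                   # inhibits recovery before encryption
     lambda e: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e["cmd"], re.I)
     or re.search(r"wmic(\.exe)?\s+shadowcopy\s+delete", e["cmd"], re.I)),
    ("service_stop",                           # services disabled prior to deployment
     lambda e: re.search(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", e["cmd"], re.I)),
    ("anydesk_remote_access",                  # legitimate RAT used for lateral movement
     lambda e: "anydesk" in e["image"].lower()),
    ("admin_account_creation",                 # new local accounts / admin group changes
     lambda e: re.search(r"net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", e["cmd"], re.I)
     or re.search(r"localgroup\s+administrators\s+\S+\s+/add", e["cmd"], re.I)),
]

def detect(events):
    """Return (timestamp, host, rule) hits in event order; one hit per matching rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((e["ts"], e["host"], name))
    return hits

# Constructed sample events; day offsets mirror the 29-day timeline, not real logs.
SAMPLE_EVENTS = [
    {"ts": "D01 09:12", "host": "WS-01", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\jdoe\Downloads\Document_Scan_468.js"'},
    {"ts": "D12 14:02", "host": "WS-07", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "cmd": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"},
    {"ts": "D12 14:05", "host": "WS-07", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net user svc_backup P@ssw0rd! /add"},
    {"ts": "D29 03:40", "host": "DC-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "D29 03:41", "host": "DC-01", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop VSS /y"},
    {"ts": "D29 03:42", "host": "DC-01", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},                    # benign event, should produce no hit
]

if __name__ == "__main__":
    for ts, host, rule in detect(SAMPLE_EVENTS):
        print(f"{ts} {host}: {rule}")
```

The first hit lands on day 1, well inside the 29-day window the article describes, which is the point: the same chain is visible long before the shadow-copy deletion on the domain controller.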
Lessons Learned and Recommendations
Cybersecurity experts recommend that organizations:
- Train employees to recognize and report phishing attempts.
- Implement multi-factor authentication to reduce the impact of credential theft.
- Keep all systems patched and up to date to prevent exploitation of known vulnerabilities.
- Use endpoint detection and response (EDR) solutions to identify and respond to malicious activity.
- Regularly back up data and verify that backups are stored securely and are inaccessible from the network.
The journey from IcedID infection to Dagon Locker ransomware deployment is a cautionary tale for organizations worldwide.
As cybercriminals continue to refine their tactics and tools, the need for comprehensive cybersecurity strategies has never been greater.
By understanding the methods used in such attacks, organizations can better prepare to defend against and respond to the evolving threat landscape.
Indicators of Compromise
Source credit: cybersecuritynews.com