IcedID Infection to Dagon Locker Ransomware

In a complex cyberattack that unfolded over 29 days, cybersecurity analysts have meticulously traced the threat actors' steps from the initial IcedID malware infection to the eventual deployment of Dagon Locker ransomware.

The detailed account of this intrusion is a chilling example of how quickly and stealthily cybercriminals can compromise an organization's network and reach its critical systems.

The Initial Breach: IcedID Phishing Campaign

The attack began with a phishing campaign that distributed IcedID, a notorious banking trojan now used mainly as a malware loader, via emails containing malicious links. Victims who clicked these links were directed to a fake web page designed to mimic an Azure download portal, where they were prompted to download a JavaScript file that initiated the malware infection.

Figure: IcedID infection process

Once IcedID was installed, it wasted no time establishing persistence and a command and control (C2) connection.

Within 30 hours, the malware downloaded and executed a Cobalt Strike beacon, a tool attackers commonly use to maintain a foothold in the network and facilitate lateral movement.

The attackers then leveraged a series of tools, including a custom PowerShell script named AWScollector, to conduct discovery, move laterally, and exfiltrate data.

They also used Group Policy to distribute Cobalt Strike beacons to specific privileged user groups, further entrenching themselves throughout the network.

The Deployment of Dagon Locker Ransomware

On the 29th day, the attackers prepared for their final act by staging the Dagon Locker ransomware file on a domain controller.

Figure credit: The DFIR Report

Using their custom AWScollector script, they deployed the ransomware over SMB to remote hosts, disabling services and deleting shadow copies to hinder data recovery.

The ransomware crippled the entire network, and the attackers demanded payment to release the encrypted files.
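The pre-encryption steps described above (services stopped or disabled, shadow copies deleted) are among the most reliable signals that ransomware is about to run. The following triage routine is an added example, not code from the original report or from The DFIR Report; the report does not list the exact commands the actors executed, so the patterns below cover the commonly observed recovery-inhibition and service-disabling commands, which is an assumption. The process-creation events it runs over are constructed for illustration.

```python
"""Triage process-creation events for ransomware pre-encryption behaviour.

Added example; not code from the original report. The regexes cover commonly
observed commands (assumption: the report does not state the exact commands
the actors used). Sample events below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample events in a simplified Sysmon Event ID 1 / Security 4688 shape.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "DC01", "user": "CORP\\svc_backup", "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": "wmic shadowcopy delete"},
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": "sc config SQLWriter start= disabled"},
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS07", "user": "CORP\\alice", "cmdline": "vssadmin list shadows"},
    {"host": "WS07", "user": "CORP\\alice", "cmdline": "net use Z: \\\\FS01\\share"},
]

# (tag, pattern) pairs; each pattern is matched against the full command line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("service_stopped", re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+", re.I)),
    ("service_disabled", re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.I)),
]

DESTRUCTIVE = {"shadow_copy_deletion", "backup_catalog_deletion", "recovery_disabled"}
SERVICE = {"service_stopped", "service_disabled"}


def classify(cmdline: str) -> set[str]:
    """Return the set of behaviour tags whose pattern matches the command line."""
    return {tag for tag, pattern in RULES if pattern.search(cmdline)}


def triage(events) -> dict[str, dict]:
    """Group tagged events per host and rate the host.

    high:   any recovery-inhibition command (shadow copies, backup catalog, boot recovery)
    medium: only service stop/disable activity
    A host showing both is additionally flagged as 'ransomware_staging', the
    combination the report describes for the Dagon Locker deployment.
    """
    per_host = defaultdict(lambda: {"tags": set(), "users": set(), "hits": []})
    for ev in events:
        tags = classify(ev["cmdline"])
        if not tags:
            continue  # benign administration such as 'vssadmin list shadows' or 'net use'
        entry = per_host[ev["host"]]
        entry["tags"] |= tags
        entry["users"].add(ev["user"])
        entry["hits"].append(ev["cmdline"])

    result = {}
    for host, entry in per_host.items():
        destructive = bool(entry["tags"] & DESTRUCTIVE)
        service = bool(entry["tags"] & SERVICE)
        result[host] = {
            "severity": "high" if destructive else "medium",
            "tags": sorted(entry["tags"]),
            "users": sorted(entry["users"]),
            "ransomware_staging": destructive and service,
            "hits": entry["hits"],
        }
    return result


if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        flag = "STAGING" if info["ransomware_staging"] else ""
        print(host, info["severity"], ",".join(info["tags"]), flag)
```

Grouping by host rather than by single event is what makes the result actionable: a lone `net stop` is routine maintenance, but a host that stops services and wipes shadow copies under the same account inside a short window is the pattern the report describes, and that host (here the domain controller) is where the response should start.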

This incident is a stark reminder of the sophistication and persistence of modern cyber threats.

The attackers' use of many tools, including Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind, underscores the need for robust cybersecurity measures and constant vigilance.

The use of AnyDesk, a legitimate remote desktop application, for lateral movement, together with the creation of new user accounts with administrative privileges, highlights the attackers' ability to blend in with normal network activity and evade detection.
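Newly created accounts that are promoted to an administrators group shortly afterwards are a cheap thing to alert on, because the Windows Security log already records both steps (event 4720 for account creation, 4732/4728/4756 for additions to local, global and universal groups). The correlation below is an added example and not code from the original report; the event field names follow the Security log, the sample records are constructed, and the one-hour default window is a tuning choice, not something the report states.

```python
"""Correlate Windows Security events 4720 (user account created) with
4732/4728/4756 (member added to a group) to flag accounts promoted to an
administrators group shortly after creation.

Added example, not from the original report. Field names mirror the Security
log; the sample records are constructed for illustration.
"""
from datetime import datetime, timedelta

LOCAL_ADMINS_SID = "S-1-5-32-544"        # well-known SID of BUILTIN\Administrators
DOMAIN_ADMIN_RIDS = ("-512", "-519")     # Domain Admins, Enterprise Admins (RID suffix)
GROUP_ADD_EVENTS = {4732, 4728, 4756}    # local, global, universal group member added

# Constructed sample events (subset of fields from the Security log).
SAMPLE_EVENTS = [
    {"time": "2024-01-15T02:14:05", "id": 4720, "host": "DC01",
     "subject": "CORP\\svc_backup", "target": "helpdesk2"},
    {"time": "2024-01-15T02:15:40", "id": 4732, "host": "DC01",
     "subject": "CORP\\svc_backup", "member": "CORP\\helpdesk2", "group_sid": LOCAL_ADMINS_SID},
    {"time": "2024-01-15T09:00:00", "id": 4720, "host": "WS11",
     "subject": "CORP\\it_admin", "target": "contractor7"},
    {"time": "2024-01-15T09:02:00", "id": 4732, "host": "WS11",
     "subject": "CORP\\it_admin", "member": "contractor7", "group_sid": "S-1-5-32-555"},  # Remote Desktop Users
    {"time": "2024-01-16T11:30:00", "id": 4728, "host": "DC01",
     "subject": "CORP\\it_admin", "member": "contractor7",
     "group_sid": "S-1-5-21-1111111111-2222222222-3333333333-512"},  # Domain Admins (constructed SID)
]


def is_admin_group(sid: str) -> bool:
    """True for BUILTIN\\Administrators, Domain Admins or Enterprise Admins."""
    return sid == LOCAL_ADMINS_SID or sid.endswith(DOMAIN_ADMIN_RIDS)


def account_name(value: str) -> str:
    """Normalise 'DOMAIN\\user' and 'user' to a lower-case bare user name."""
    return value.rsplit("\\", 1)[-1].lower()


def find_fast_admin_promotions(events, window=timedelta(hours=1)):
    """Return one finding per account created and then added to an admin group
    within `window`. Events may arrive in any order; they are sorted by time."""
    ordered = sorted(events, key=lambda e: e["time"])
    created = {}  # account -> creation event
    findings = []
    for ev in ordered:
        if ev["id"] == 4720:
            created[account_name(ev["target"])] = ev
        elif ev["id"] in GROUP_ADD_EVENTS and is_admin_group(ev["group_sid"]):
            name = account_name(ev["member"])
            if name not in created:
                continue  # pre-existing account; still worth auditing, but not this rule
            t_create = datetime.fromisoformat(created[name]["time"])
            t_add = datetime.fromisoformat(ev["time"])
            delta = (t_add - t_create).total_seconds()
            if 0 <= delta <= window.total_seconds():
                findings.append({
                    "account": name,
                    "created_by": created[name]["subject"],
                    "promoted_by": ev["subject"],
                    "host": ev["host"],
                    "group_sid": ev["group_sid"],
                    "seconds": int(delta),
                })
    return findings


if __name__ == "__main__":
    for f in find_fast_admin_promotions(SAMPLE_EVENTS):
        print(f"{f['account']} created by {f['created_by']} and made admin "
              f"{f['seconds']}s later on {f['host']} (group {f['group_sid']})")
```

With the default one-hour window only helpdesk2 is flagged; widening the window to two days also catches contractor7, so the window is the knob that trades alert volume against coverage. Pairing this with process-creation alerts for unexpected AnyDesk installs on the same host gives a concrete handle on the "blend in with legitimate tooling" tactic described above.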

The thorough timeline of the attack, from the initial phishing email to the deployment of ransomware, demonstrates the attackers' methodical approach.

According to The DFIR Report's analysis, it also emphasizes the importance of early detection and response. A Time to Ransomware (TTR) of 29 days indicates that organizations may have a window of opportunity to detect and mitigate such threats before they escalate to full-blown ransomware deployment.

Lessons Learned and Recommendations

Cybersecurity experts recommend that organizations:

  • Train employees to recognize and report phishing attempts.
  • Implement multi-factor authentication to reduce the impact of credential theft.
  • Keep all systems patched and up to date to prevent exploitation of known vulnerabilities.
  • Use endpoint detection and response (EDR) solutions to identify and respond to malicious activity.
  • Regularly back up data and verify that backups are stored securely and are inaccessible from the network.

The journey from IcedID infection to Dagon Locker ransomware deployment is a cautionary tale for organizations worldwide.

As cybercriminals continue to refine their tactics and tools, the need for comprehensive cybersecurity strategies has never been greater.

By understanding the techniques used in such attacks, organizations can better prepare to defend against and respond to the evolving threat landscape.

Indicators of Compromise

Atomic

IcedID

143.110.245[.]38:443
159.89.124[.]188:443
188.114.97[.]7:443
151.236.9[.]176:443
159.223.95[.]82:443
194.58.68[.]187:443
87.251.67[.]168:443
151.236.9[.]166:443
rpgmagglader[.]com
ultrascihictur[.]com
oopscokir[.]com
restohalto[.]site
ewacootili[.]com
magiraptoy[.]com
fraktomaam[.]com
patricammote[.]com
moashraya[.]com

Cobalt Strike

23.159.160[.]88
45.15.161[.]97
51.89.133[.]3
winupdate.us[.]to

Computed

Document_Scan_468.js
  MD5:    0d8a41ec847391807acbd55cbd69338b
  SHA1:   5066e67f22bc342971b8958113696e6c838f6c58
  SHA256: f6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4

license.dat
  MD5:    bff696bb76ea1db900c694a9b57a954b
  SHA1:   ca10c09416a16416e510406a323bb97b0b0703ef
  SHA256: 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953

Riadnc1.dll
  MD5:    a144aa7a0b98de3974c547e3a09f4fb2
  SHA1:   34c9702c66faadb4ce90980315b666be8ce35a13
  SHA256: 9da84133ed36960523e3c332189eca71ca42d847e2e79b78d182da8da4546830

magni.w
  MD5:    7e9ef45d19332c22f1f3a316035dcb1b
  SHA1:   4e0222fd381d878650c9ebeb1bcbbfdfc34cabc5
  SHA256: 839cf7905dc3337bebe7f8ba127961e6cd40c52ec3a1e09084c9c1ccd202418e

magni.w.bat
  MD5:    b3495023a3a664850e1e5e174c4b1b08
  SHA1:   38cd9f715584463b4fdecfbac421d24077e90243
  SHA256: 65edf9bc2c15ef125ff58ac597125b040c487640860d84eea93b9ef6b5bb8ca6

update.dll
  MD5:    628685be0f42072d2b5150d4809e63fc
  SHA1:   437fe3b6fdc837b9ee47d74eb1956def2350ed7e
  SHA256: a0191a300263167506b9b5d99575c4049a778d1a8ded71dcb8072e87f5f0bbcf
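The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a search. The matcher below is an added example and not code from the original report: it refangs the atomic list, separates IPs from domains, sweeps constructed DNS/proxy log lines for exact IP hits and for domain or subdomain hits, and resolves a SHA256 against the computed indicators. The IOC values are the ones listed on this page; the log lines and the hashed sample bytes are constructed for illustration.

```python
"""Match this page's atomic and computed IOCs against local telemetry.

Added example; not code from the original report. IOC values are as published
above; the log lines and sample bytes are constructed for illustration.
"""
import hashlib
import re

# Network indicators exactly as published (defanged); ':443' is a port suffix.
ATOMIC_IOCS = """
# IcedID
143.110.245[.]38:443
159.89.124[.]188:443
188.114.97[.]7:443
151.236.9[.]176:443
159.223.95[.]82:443
194.58.68[.]187:443
87.251.67[.]168:443
151.236.9[.]166:443
rpgmagglader[.]com
ultrascihictur[.]com
oopscokir[.]com
restohalto[.]site
ewacootili[.]com
magiraptoy[.]com
fraktomaam[.]com
patricammote[.]com
moashraya[.]com
# Cobalt Strike
23.159.160[.]88
45.15.161[.]97
51.89.133[.]3
winupdate.us[.]to
"""

# SHA256 values of the computed indicators as published.
SHA256_IOCS = {
    "f6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4": "Document_Scan_468.js",
    "332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953": "license.dat",
    "9da84133ed36960523e3c332189eca71ca42d847e2e79b78d182da8da4546830": "Riadnc1.dll",
    "839cf7905dc3337bebe7f8ba127961e6cd40c52ec3a1e09084c9c1ccd202418e": "magni.w",
    "65edf9bc2c15ef125ff58ac597125b040c487640860d84eea93b9ef6b5bb8ca6": "magni.w.bat",
    "a0191a300263167506b9b5d99575c4049a778d1a8ded71dcb8072e87f5f0bbcf": "update.dll",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(value: str) -> str:
    """Undo the common defanging conventions ('[.]' and 'hxxp')."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_atomic(text: str):
    """Parse the defanged list into (set of IPs, set of domains), ignoring comments."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line).split(":")[0]  # drop a trailing :port
        (ips if IPV4_RE.fullmatch(value) else domains).add(value.lower())
    return ips, domains


def scan_lines(lines, ips, domains):
    """Return (line_index, indicator) for each line touching a known IP or domain.
    A hostname matches when it equals a listed domain or is a subdomain of one."""
    hits = []
    for i, line in enumerate(lines):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((i, ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for d in domains:
                if host == d or host.endswith("." + d):
                    hits.append((i, d))
    return hits


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_sha256(hexdigest: str):
    """Return the published file name for a SHA256, or None if it is not an IOC."""
    return SHA256_IOCS.get(hexdigest.lower())


# Constructed DNS/proxy log lines (not from the report) to exercise the matcher.
SAMPLE_LOG = [
    "2024-01-15T02:01:11 dns ws07 query rpgmagglader.com A",
    "2024-01-15T02:01:12 proxy ws07 CONNECT 143.110.245.38:443",
    "2024-01-15T02:40:00 dns ws07 query cdn.winupdate.us.to A",
    "2024-01-15T03:00:00 dns ws07 query login.microsoftonline.com A",
]

if __name__ == "__main__":
    ips, domains = load_atomic(ATOMIC_IOCS)
    for idx, ioc in scan_lines(SAMPLE_LOG, ips, domains):
        print(f"line {idx}: {ioc} <- {SAMPLE_LOG[idx]}")
```

The subdomain check matters for the Cobalt Strike domain: a beacon configured for a host under winupdate.us[.]to would never produce an exact-match hit, yet it is the same infrastructure. Conversely, only exact IPs are matched, since neighbouring addresses in the same hosting range are not evidence on their own.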