IcedID Macro Ends in Nokoyawa Ransomware

MITRE Techniques

• [T1105] Ingress Tool Transfer – The Excel macro downloaded and wrote the first stage IcedID payload to disk from a hard-coded domain. “The macro code was responsible for downloading and writing an IcedID DLL payload to disk.”
• [T1059.001] PowerShell – The first beacon was executed via PowerShell, which in turn was executed initially by a command shell…
• [T1059.003] Windows Command Shell – The PowerShell beacon was initiated via a command shell started by IcedID at the same time a DLL beacon was also executed.
• [T1218.011] Rundll32 – Post-execution, rundll32.exe (renamed) was used to invoke the IcedID payload. “The macro then used a renamed rundll32 binary to execute the malicious DLL.”
• [T1053.005] Scheduled Task – IcedID established persistence via a scheduled task: “A scheduled task was created that contained instructions on executing the IcedID DLL…”
• [T1047] WMI – WMI was used to execute remote DLL beacons and later remote commands: “WMI was also used when executing remote DLL beacons”
• [T1021.001] Remote Services: RDP – Lateral movement via RDP: “The threat actors connected to a compromised server via RDP.”
• [T1021.006] Remote Services: WinRM – Lateral movement using WinRM: “Some of the threat actors’ lateral activity was executed using WinRM…”
• [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement across the network using SMB: “The threat actors relied on SMB to move their tools throughout the network…”
• [T1055] Process Injection – Code injected into legitimate processes via CreateRemoteThread: “The adversary was seen injecting code into legitimate processes via CreateRemoteThread.”
• [T1036.003] Masquerading: Rename System Utilities – Renaming system utilities (e.g., calc.exe) to evade detection: “Renamed Windows Utility” and “calc.exe (renamed rundll32.exe)…”
• [T1003.001] OS Credential Dumping: LSASS Memory – Dumping LSASS memory during traversal: “LSASS memory dump using the beacons.”
• [T1071.001] Web Protocols – C2 over HTTP(S): “The beacons talk over HTTP” and related web traffic patterns.
• [T1560.001] Archive Collected Data – Archiving using 7-Zip during discovery/exfiltration: “7-Zip to archive data collected from Active Directory using AdFind.”
• [T1041] Exfiltration Over C2 Channel – No overt exfiltration observed; data exfiltration observed over existing C2 channels: “No overt exfiltration was observed so we assess that this occurred over existing command and control channels.”