Malicious ISO File Leads to Domain Wide Ransomware

IcedID was delivered via malspam as an ISO image; once mounted, the image exposed a hidden LNK file that ultimately wrote IcedID and a batch file to disk, enabling domain-wide ransomware. The attackers used IcedID as a loader for Cobalt Strike, conducted extensive discovery and credential theft, moved laterally with remote tools, and deployed Quantum ransomware across domain-joined systems within roughly 78 hours.

Key Points

  • IcedID delivered through malspam using an ISO image that masquerades as a folder.
  • An LNK file in the mounted ISO triggers eyewear.bat, which copies IcedID to the user's AppData\Local\Temp folder and loads it via rundll32; a scheduled task is created for persistence.
  • Post-exploitation includes heavy credential dumping (Mimikatz, LSASS memory dumps) and AD reconnaissance using ADGet/AdFind and RSAT tools.
  • Cobalt Strike beacons are deployed widely, with multiple DLLs and PowerShell-based payloads, often executed via rundll32/regsvr32 and WMIC.
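The execution chain in the key points above (batch file run from a mounted ISO drive, rundll32 loading a DLL from the user's Temp folder, scheduled task pointing at that DLL) is what a defender would want to catch in process-creation telemetry. The following Python is an added example written for this page, not code from The DFIR Report or from the referenced case. It runs three heuristic rules over a handful of constructed Sysmon-style process events; the event field names, the drive letter, the DLL name `icedid_sample.dll`, the task name `UpdaterSample`, and the user name are all assumptions, and the only file name taken from the page is eyewear.bat.

```python
"""Heuristic detection for an ISO -> LNK -> .bat -> rundll32 -> schtasks chain.

Added example for this page, not The DFIR Report's code. Events are modelled
after Sysmon Event ID 1 (process create); the field names are assumptions and
would need mapping to a real SIEM schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # full path of the process image
    cmdline: str    # full command line


# A DLL living under the user's Temp folder (the page's "AppData\Local\Temp").
TEMP_DLL_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.dll', re.IGNORECASE)
# A .bat at the root of a non-system drive letter: a mounted ISO shows up as a
# new drive, and the LNK in it points at a batch file at the root.
ROOT_BAT_RE = re.compile(r'[D-Z]:\\[^\\\s"]+\.bat', re.IGNORECASE)
LOADER_IMAGES = ("rundll32.exe", "regsvr32.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of findings; each finding names the rule, severity and event."""
    # Keyed by (host, pid); PID reuse is ignored for this illustration.
    by_pid = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get((e.host, e.ppid))

        # Rule 1: rundll32/regsvr32 loading a DLL out of the user's Temp folder.
        # Escalate when the parent is cmd.exe running a .bat from a drive root.
        if img in LOADER_IMAGES and TEMP_DLL_RE.search(e.cmdline):
            rule, sev = "loader_dll_from_user_temp", "medium"
            if parent and basename(parent.image) == "cmd.exe" \
                    and ROOT_BAT_RE.search(parent.cmdline):
                rule, sev = "root_bat_spawns_temp_dll_loader", "high"
            findings.append({"rule": rule, "severity": sev, "host": e.host, "pid": e.pid})

        # Rule 2: cmd.exe executing a batch file at the root of a mounted drive.
        if img == "cmd.exe" and ROOT_BAT_RE.search(e.cmdline):
            findings.append({"rule": "cmd_runs_bat_from_drive_root", "severity": "low",
                             "host": e.host, "pid": e.pid})

        # Rule 3: scheduled task created whose action is a DLL in the Temp folder.
        if img == "schtasks.exe" and "/create" in e.cmdline.lower() \
                and TEMP_DLL_RE.search(e.cmdline):
            findings.append({"rule": "schtasks_persists_temp_dll", "severity": "high",
                             "host": e.host, "pid": e.pid})
    return findings


# Constructed sample telemetry (not real case data); E: is the mounted ISO.
SAMPLE_EVENTS = [
    ProcEvent("WS01", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("WS01", 200, 100, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe /c "E:\eyewear.bat"'),
    ProcEvent("WS01", 300, 200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32 C:\Users\alice\AppData\Local\Temp\icedid_sample.dll,#1"),
    ProcEvent("WS01", 400, 300, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "UpdaterSample" /sc minute /mo 60 '
              r'/tr "rundll32 C:\Users\alice\AppData\Local\Temp\icedid_sample.dll,#1"'),
    # Benign noise that must not fire: a system DLL and a scripts-folder batch file.
    ProcEvent("WS01", 500, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent("WS01", 600, 100, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Scripts\backup.bat"),
]


def high_severity_count(events=SAMPLE_EVENTS) -> int:
    return sum(1 for f in detect(events) if f["severity"] == "high")


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['rule']:34} host={f['host']} pid={f['pid']}")
```

Rule 1 on its own is noisy in environments where installers legitimately stage DLLs in Temp, which is why the parent-process check is used to escalate rather than as a prerequisite; the low-severity Rule 2 exists so that the batch launch is still visible even when the loader step is missed.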

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – “The ISO file was delivered to the victim as part of a malspam campaign.”
  • [T1218.010] Rundll32 – “the end user… clicking on the LNK file executes the batch file, which copies the IcedID payload to the user’s AppData\Local\Temp folder and loads it using rundll32.”
  • [T1218.011] Regsvr32 – “the threat actors began with … Cobalt Strike beacon … loaded using regsvr32.exe.”
  • [T1553.005] Mark-of-the-Web Bypass – “Mark-of-the-Web bypass” used to bypass controls on ISO/ZIP delivery.
  • [T1059.003] PowerShell – “PowerShell commands and scripts” and explicit use to load or execute beacons.
  • [T1047] Windows Management Instrumentation – “WMIC to execute PowerShell Cobalt Strike beacons on multiple workstations” and “wmic.exe in order to execute PowerShell Cobalt Strike beacons”.
  • [T1018] Remote System Discovery – “discovery commands using net followed by AdFind” to map the environment.
  • [T1033] System Owner/User Discovery – “discovery commands using Windows utilities … to discover domain trusts, domain admins, workstation configuration, etc.”
  • [T1124] System Time Discovery – “net time” is among the living-off-the-land commands run during discovery.
  • [T1083] File and Directory Discovery – “dir” commands and listing files on hosts.
  • [T1003.001] LSASS Memory – “ProcDump was used to dump LSASS memory.”
  • [T1003.006] DCSync – “DCSync activities on one of the domain controllers.”
  • [T1021.001] Remote Desktop Protocol – “RDP into the domain controller” to establish presence and spawn beacons.
  • [T1570] Lateral Tool Transfer – “copying their Cobalt Strike DLL over to the host and executing it via a remote service”.
  • [T1021.006] Windows Remote Management – “RSAT tools installed … remote commands via WMIC/WMI”.
  • [T1071.001] Web Protocols – TLS C2 traffic and domain/TLS indicators observed on port 443.
  • [T1567.002] Exfiltration to Cloud Storage – “Rclone to exfiltrate copies of the backup files to the Mega.io cloud storage service.”
  • [T1486] Data Encrypted for Impact – “All domain joined systems were encrypted with Quantum ransomware.”

Indicators of Compromise

  • [IP] 64.227.12.180:80 – first IcedID C2 call and malware configuration reference.
  • [IP] 5.196.103.145:443 – Cobalt Strike TLS/CS C2 traffic.
  • [IP] 66.63.188.70:443 – CS TLS traffic.
  • [IP] 178.128.85.30:443 – CS TLS traffic.
  • [IP] 5.252.177.10:443 – CS TLS traffic.
  • [IP] 46.101.19.119:443 – CS TLS traffic.
  • [Domain] fazehotafa.com – CS beacon domain.
  • [Domain] guteyutu.com – CS beacon domain.
  • [Domain] choifejuce.lol – CS beacon domain.
  • [Domain] opiransiuera.com – CS beacon domain.
  • [Domain] erinindiaka.quest – CS beacon domain.
  • [Domain] zoomersoidfor.com – CS beacon domain.
  • [Domain] considerf.info – CS beacon domain.
  • [Domain] antiflamez.bar – CS beacon domain.
  • [Domain] www.onlinecloud.cloud – CS beacon domain.
  • [File] documents.lnk – LNK payload in ISO bundle.
  • [File] eyewear.bat – batch file used to move DLL and invoke rundll32.
  • [File] Utucka.dll – Cobalt Strike DLL loaded by a scheduled task.
  • [File] locker_64.exe – ransomware drop/executable (renamed and run).
  • [Hash] 1af7a0e058ce1b63b138a1425a835561 – MD5 of a sample from the archive.
  • [Hash] 66b8da857c6dc45dea3a9fb17a503b3c2d203245 – SHA1 of a sample from the archive.
  • [Tool/Software] IcedID, Cobalt Strike, Mimikatz, ADGet, AdFind, RSAT, AnyDesk, Splashtop, Atera – observed tooling and remote access software.

Read more: https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/