Team Cymru: From Chile with Malware – Tech Company Insights

Team Cymru tracks infrastructure linked to the IcedID threat, revealing a Chilean IP involved in accessing IcedID BackConnect/C2 activity and related DNS services. The findings show a network of domains, VPN usage, and tools frequently associated with IcedID operations and possible Conti/LockBit activity. #IcedID #BackConnect

Keypoints

  • Identification of a Chilean geolocated IP used to access various elements of the IcedID infrastructure.
  • The Chilean IP resides in 216.73.159.0/24, a block that also hosts IcedID Bot C2 infrastructure on separate IPs.
  • Threat telemetry shows consistent connections from the Chilean IP to a Netherlands-hosted set used by two IcedID-connected domains.
  • Web browsing activity from the Chilean IP indicates interest in DNS-related services and links to Conti/LockBit ransomware ecosystems.
  • The Chilean IP is tied to Zappie Host (NZ VPS), whose 216.73.159.0/24 block geolocates to Chile and regularly hosts IcedID Bot C2 infrastructure.
  • There were periodic activity drops around holidays; WireGuard VPN was used through Dec 2022, shifting to OpenVPN in Jan 2023, hinting at a shared infrastructure playbook.
  • Evidence of Loader/C2 activity via 168.100.8.93:443 and related domains, with domain names exhibiting typical IcedID nomenclature and potential development/testing use.

MITRE Techniques

  • [T1090] Proxy – Use of SOCKS proxy module to reach infrastructure – “the same remote port, associated with the SOCKS proxy module.”
  • [T1133] External Remote Services – VPN-based access to Chilean IP (WireGuard then OpenVPN) – “use of WireGuard VPN to access the Chilean IP; up to 12 December 2022. When activity returned in January 2023 this changed to OpenVPN.”
  • [T1071.004] DNS – Engagement with DNS-related services and domains linked to threat activity – “With an apparent interest in DNS and visits to services noted for association with Conti and LockBit ransomware.”
  • [T1105] Ingress Tool Transfer – IcedID downloads and deploys additional malware such as Cobalt Strike – “download and deploy additional malware such as Cobalt Strike.”
  • [T1071.001] Web Protocols – Extensive HTTPS/TCP connections to numerous destinations as part of C2 activity – “the Chilean IP has communicated with dozens of other IP addresses over TCP/443 (HTTPS).”

Indicators of Compromise

  • [IP Address] IcedID Bot C2 infrastructure in 216.73.159.0/24 – 216.73.159.132, 216.73.159.134, and 2 more IPs in the block
  • [IP Address] Other BackConnect/C2 activity hosts – 5.196.196.252, 168.100.8.93
  • [Domain] IcedID-related domains – neonmilkustaers[.]com, svoykbragudern[.]com, and 4 more domains
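The indicators above are published defanged and partly as a CIDR block, so a defender needs to refang them and match on network membership rather than exact strings. The following Python matcher is an added example, not code from the Team Cymru post: it takes the IPs, the 216.73.159.0/24 block and the two named domains from the list above, and flags constructed flow and DNS log lines (the `ts key=value ...` format and all sample lines, including the in-block address 216.73.159.200, are assumptions for the demo) that hit a listed IP, an address inside the C2 block, or a listed domain or its subdomains.

```python
"""Match connection and DNS log lines against the IoCs from the summary."""
import ipaddress
import re

# IoCs from the page. Domains are kept defanged here, as published, and
# refanged only in memory.
C2_BLOCK = ipaddress.ip_network("216.73.159.0/24")
C2_IPS = {"216.73.159.132", "216.73.159.134", "5.196.196.252", "168.100.8.93"}
DEFANGED_DOMAINS = ["neonmilkustaers[.]com", "svoykbragudern[.]com"]

# Assumed (constructed) log format: a timestamp followed by key=value pairs.
_KV = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged domain back into a normalised, matchable form."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def parse_line(line: str) -> dict:
    """Parse 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    parts = line.split(None, 1)
    fields = {"ts": parts[0]}
    if len(parts) > 1:
        fields.update(_KV.findall(parts[1]))
    return fields


def domain_matches(name: str) -> bool:
    """True for an exact IoC domain or any subdomain of it (not a suffix of a longer label)."""
    name = refang(name)
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def ip_reasons(addr: str) -> list:
    """Reasons an address matches: a listed C2 IP, or anything inside the C2 block."""
    reasons = []
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed field, not an address: no match
        return reasons
    if addr in C2_IPS:
        reasons.append(f"dst {addr} is a listed IcedID C2/BackConnect IP")
    elif ip in C2_BLOCK:
        reasons.append(f"dst {addr} is inside {C2_BLOCK}, a block hosting IcedID Bot C2")
    return reasons


def match_line(line: str) -> list:
    """Return the list of reasons a line matches; an empty list means no hit."""
    fields = parse_line(line)
    reasons = []
    if "dst" in fields:
        reasons += ip_reasons(fields["dst"])
        # The report describes C2 traffic over TCP/443; record that context on a hit.
        if reasons and fields.get("dport") == "443":
            reasons.append("port 443 matches the reported HTTPS C2 channel")
    if "query" in fields and domain_matches(fields["query"]):
        reasons.append(f"DNS query for IcedID-related domain {refang(fields['query'])}")
    return reasons


def scan(lines) -> list:
    """Scan an iterable of log lines; return (line_number, reasons) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = match_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample log lines (not from the report) exercising each rule.
SAMPLE_LOGS = [
    "2023-01-10T09:14:02Z src=10.0.0.5 dst=216.73.159.132 dport=443 proto=tcp",
    "2023-01-10T09:14:03Z src=10.0.0.5 dst=216.73.159.200 dport=443 proto=tcp",
    "2023-01-10T09:14:04Z src=10.0.0.7 query=cdn.neonmilkustaers.com",
    "2023-01-10T09:14:05Z src=10.0.0.7 query=example.com",
    "2023-01-10T09:14:06Z src=10.0.0.9 dst=93.184.216.34 dport=443 proto=tcp",
    "2023-01-10T09:14:07Z src=10.0.0.9 dst=not-an-ip dport=443 proto=tcp",
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOGS):
        print(f"line {number}: " + "; ".join(reasons))
```

Matching on the whole /24 deliberately casts a wider net than the four published IPs, since the summary says the block regularly hosts IcedID Bot C2; the output distinguishes a listed IP from an in-block address so an analyst can weight the two differently. Subdomain matching uses a leading-dot check so that a lookalike such as `notneonmilkustaers.com` does not fire.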

Read more: https://www.team-cymru.com/post/from-chile-with-malware