Team Cymru’s Recon/BARS analysis dissects IcedID (BokBot) campaigns from September 2022, shedding light on Stage 1 downloader C2 infrastructure, delivery chains, and victim telemetry to reveal how threat actors evolve infrastructure across campaigns. The post covers C2 lifecycles, delivery methods (ZIP/ISO/LNK/JS chains, CHM, PrivateLoader), and observed anomalies that hint at behind-the-scenes workflow changes.
#IcedID #BokBot #PrivateLoader #Njalla #1337Services #CobaltStrike #QuantumRansomware
Keypoints
- IcedID started as a banking trojan (2017) and evolved into a dropper capable of deploying additional malware such as Cobalt Strike, with recent infections leading to Quantum ransomware.
- The analysis distinguishes Stage 1 C2s (loader infrastructure) from Stage 2 botnet telemetry and tracks how campaigns load IcedID onto victims via lure-driven actions (e.g., enable macros, disguised shortcuts).
- Stage 1 C2 domains were historically registered with 1337 Services LLC and parked well ahead of use, so that by the time they went live they no longer looked newly registered to firewalls and reputation filters; from 22 September 2022 onward, many domains were registered only a few days before use, signaling a shift in infrastructure timing.
- Delivery methods across campaigns include Password Protected ZIP -> ISO -> LNK -> JS -> CMD/BAT -> DLL, CHM variants, and in some cases PrivateLoader, often tied to user interaction with malicious documents.
- Campaign scale and geography varied: Italian- and English-targeted campaigns on 13 September had 18 victims each, campaigns during 16–21 September reached up to ~115 victims, and the campaigns that followed were shorter-lived.
- Several anomalies emerged (e.g., a 19 September outlier with brief activity and a misconfigured C2 setup on 22–23 September) suggesting operational experimentation or technical issues during the period analyzed.
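The delivery chain above (ISO mounted by the user, LNK launching a JS file, JS launching a CMD/BAT script, script loading the DLL) is visible in process-creation telemetry as a parent/child lineage. The following hunting logic is an added example written for this summary, not code from Team Cymru's post: it walks Sysmon-style process events (constructed sample data, with placeholder file names) from each `rundll32.exe`/`regsvr32.exe` launch back up the parent chain and flags lineages that match the stage order. Drive letters, paths and the exact host-process names are assumptions; real IcedID samples vary in the loader used.

```python
"""Hunt for the ISO -> LNK -> JS -> CMD/BAT -> DLL chain in process-creation telemetry.

Added example (not from the original post). Events are modelled on Sysmon Event ID 1
fields; the sample below is constructed and uses placeholder paths/names.
"""
from dataclasses import dataclass
from typing import Dict, List
import re


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable basename, e.g. "wscript.exe"
    cmdline: str


# Expected lineage, root first. Each stage lists the images acceptable at that position.
CHAIN_STAGES = (
    {"explorer.exe"},                  # user double-clicks the LNK inside the mounted ISO
    {"wscript.exe", "cscript.exe"},    # LNK launches the JS file
    {"cmd.exe"},                       # JS launches the CMD or BAT script
    {"rundll32.exe", "regsvr32.exe"},  # script loads the IcedID DLL (assumed loader images)
)
DLL_ARG = re.compile(r"\.dll\b", re.IGNORECASE)


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return [leaf, parent, grandparent, ...] by following ppid links (cycle-safe)."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def matches_chain(leaf_first: List[ProcEvent]) -> bool:
    """True if the four nearest ancestors (leaf first) match CHAIN_STAGES in order
    and the leaf actually references a DLL on its command line."""
    if len(leaf_first) < len(CHAIN_STAGES):
        return False
    window = leaf_first[: len(CHAIN_STAGES)]
    for ev, stage in zip(window, reversed(CHAIN_STAGES)):
        if ev.image not in stage:
            return False
    return DLL_ARG.search(window[0].cmdline) is not None


def find_chains(events: List[ProcEvent]) -> List[List[int]]:
    """Return one root-first PID list per lineage that matches the delivery chain."""
    by_pid = {e.pid: e for e in events}
    hits: List[List[int]] = []
    for e in events:
        if e.image in CHAIN_STAGES[-1]:
            lineage = ancestry(e.pid, by_pid)
            if matches_chain(lineage):
                hits.append([p.pid for p in reversed(lineage[: len(CHAIN_STAGES)])])
    return hits


# Constructed sample telemetry: one malicious lineage plus a benign rundll32 from svchost.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "wscript.exe",  'wscript.exe "E:\\document.js"'),       # E: = mounted ISO (assumed)
    ProcEvent(300, 200, "cmd.exe",      'cmd.exe /c "E:\\run.bat"'),
    ProcEvent(400, 300, "rundll32.exe", 'rundll32.exe "E:\\stage.dll",#1'),   # placeholder DLL name
    ProcEvent(50,  1,   "svchost.exe",  "svchost.exe -k netsvcs"),
    ProcEvent(500, 50,  "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print("suspicious IcedID-style chain (root -> leaf PIDs):", chain)
```

The check deliberately requires the full four-stage lineage plus a `.dll` argument, so a legitimate `rundll32.exe` under `svchost.exe` (as in the sample) is not reported; loosen the stage sets if your telemetry shows the LNK invoking `cmd.exe` directly or a different host process.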
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – “Users received either a malicious Word or Excel file that asked them to enable macros, which then allowed the embedded script to execute and install IcedID.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “It is typically launched through either a CMD or BAT script, depending on which was included in the archive.”
- [T1105] Ingress Tool Transfer – “These capabilities enable IcedID to download and deploy additional malware like Cobalt Strike.”
- [T1071.001] Application Layer Protocol: Web Protocols – “C2 communication… port 80 inbound traffic and for T1 -> T2 communications.”
- [T1583.001] Acquire Infrastructure: Domains – “Domains used as Stage 1 downloader C2s were registered with 1337 Services LLC Hosting (connected to the Njalla hosting service) and parked there… As of 22 September 2022, however, domains used as C2s have been registered only a few days prior.”
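The registration-timing shift described under T1583.001 can be turned into a simple enrichment: compare a domain's RDAP registration date with the date it was first observed acting as a C2 and bucket the lead time. The code below is an added example for this summary, not Team Cymru's tooling; the RDAP objects are constructed in the shape defined by RFC 9083 (`events` with `eventAction`/`eventDate`) using placeholder `.example` domains and dates, and the 7-day "fresh" threshold is an assumption chosen to match the post's "only a few days prior" observation.

```python
"""Bucket C2 domains by registration lead time (RDAP registration date vs. first-seen-as-C2).

Added example, not from the original post. Sample RDAP objects and dates are constructed.
"""
from datetime import datetime, timezone
from typing import Dict, Optional


def registration_date(rdap: Dict) -> Optional[datetime]:
    """Extract the 'registration' event from an RDAP domain object (RFC 9083 'events')."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; Python's fromisoformat needs '+00:00' rather than 'Z'.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def lead_days(rdap: Dict, first_seen_c2: datetime) -> Optional[int]:
    """Days between registration and first observed C2 use; None if RDAP lacks the event."""
    reg = registration_date(rdap)
    return None if reg is None else (first_seen_c2 - reg).days


def classify(lead: Optional[int], fresh_threshold: int = 7) -> str:
    """'aged' = registered and parked well ahead of use (the historical pattern);
    'fresh' = registered within fresh_threshold days (the post-22-Sept pattern)."""
    if lead is None:
        return "unknown"
    if lead < 0:
        return "inconsistent"   # seen as C2 before registration: bad data or clock skew
    return "fresh" if lead <= fresh_threshold else "aged"


def score_domains(rdap_by_domain: Dict[str, Dict], first_seen: Dict[str, datetime]) -> Dict[str, str]:
    return {d: classify(lead_days(r, first_seen[d])) for d, r in rdap_by_domain.items()}


# Constructed sample: placeholder domains, not the IoCs from the post.
SAMPLE_RDAP = {
    "parked-c2.example": {"events": [
        {"eventAction": "registration", "eventDate": "2022-06-01T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2022-06-01T00:05:00Z"},
    ]},
    "fresh-c2.example": {"events": [
        {"eventAction": "registration", "eventDate": "2022-09-20T10:11:12Z"},
    ]},
    "no-rdap.example": {},
}
SAMPLE_FIRST_SEEN = {
    "parked-c2.example": datetime(2022, 9, 13, tzinfo=timezone.utc),
    "fresh-c2.example": datetime(2022, 9, 22, tzinfo=timezone.utc),
    "no-rdap.example": datetime(2022, 9, 22, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for domain, bucket in score_domains(SAMPLE_RDAP, SAMPLE_FIRST_SEEN).items():
        print(f"{domain:20s} lead={lead_days(SAMPLE_RDAP[domain], SAMPLE_FIRST_SEEN[domain])} -> {bucket}")
```

In practice `first_seen` would come from your own sensor or passive-DNS data and the RDAP objects from the registry's RDAP endpoint; a rise in the "fresh" bucket across a campaign is the signal the post describes, and it also means newly-registered-domain blocking becomes more effective against that infrastructure than it was against the parked domains.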
Indicators of Compromise
- [IP Address] context – 67.205.169.96, 134.209.97.90, and other C2-related IPs used across campaigns.
- [Domain] context – aviadronazhed[.]com, qvantumbrakesz[.]com, and other C2 domains observed during the campaigns.
Read more: https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns