From IcedID to Dagon Locker Ransomware in 29 Days – The DFIR Report

The DFIR Report chronicles a 29‑day intrusion that began with an IcedID phishing campaign and culminated in Dagon Locker ransomware, using Cobalt Strike beacons and a bespoke AWSCollector PowerShell tool for discovery, lateral movement, and data exfiltration. It also highlights extensive persistence, credential access, and defense‑evading techniques across a multi‑stage operation. #IcedID #DagonLocker #PrometheusTDS #CobaltStrike #AWSCollector #AnyDesk #AdFind #Rclone

Keypoints

  • Phishing campaign in August 2023 used PrometheusTDS to distribute IcedID malware to targets.
  • IcedID dropped a Cobalt Strike beacon after initial infections, enabling continued intrusion and exploration.
  • A bespoke PowerShell tool named AWScollector facilitated discovery, lateral movement, data exfiltration, and ransomware deployment.
  • Group Policy was used to push Cobalt Strike beacons at login for a privileged user group, enabling persistence.
  • A wide toolset (Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, AdFind) supported the attackers’ operations.
  • The operation ended with domain‑wide Dagon Locker ransomware deployed on day 29; the time to ransomware (TTR) was 684 hours.

MITRE Techniques

  • [T1566.002] Phishing – “In August 2023 we observed a phishing campaign that distributed IcedID malware. This phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware.”
  • [T1105] Ingress Tool Transfer – “A bat file was created using a curl command to download the IcedID payload from moashraya[.]com.”
  • [T1059.001] PowerShell – “the Cobalt Strike beacon was staged on the temporary file‑sharing website, file.io, and was downloaded to the infected host using PowerShell.”
  • [T1055.003] Process Injection: Asynchronous Procedure Call – “Early Bird APC Queue process injection technique” (shellcode executed in the target process via a queued APC).
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – “rundll32.exe update.dll,HTVIyKUVoTzv” and related usage to run code from a downloaded payload.
  • [T1021.002] SMB/Windows Admin Shares – “transferred a Cobalt Strike beacon to a domain controller using the SMB protocol.”
  • [T1021.004] Windows Remote Management (WinRM) / PowerShell Remoting – “PowerShell Remoting using the Cobalt Strike jump winrm command and remote PowerShell sessions.”
  • [T1047] Windows Management Instrumentation (WMI) – “WMIC discovery and remote execution via WMI and related tooling.”
  • [T1082] System Information Discovery – “discovery commands to gather system information.”
  • [T1083] File and Directory Discovery – “ShareFinder/AdFind to enumerate network shares and documents with passwords.”
  • [T1053.005] Scheduled Task – “initial IcedID persistence created a scheduled task for persistence.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – “Set-MpPreference -DisableRealtimeMonitoring $true” (Microsoft Defender real‑time monitoring turned off).
  • [T1003.001] LSASS Memory – “LSASS credential dump via Mimikatz techniques.”
  • [T1027.001] Obfuscated/Compressed Data: JavaScript Obfuscation – “Document_Scan_468.js used simple obfuscation by chunking commands.”
  • [T1486] Data Encrypted for Impact – “Dagon Locker ransomware deployed across the environment.”
  • [T1567.002] Exfiltration to Cloud Storage – “AWS S3 bucket exfiltration via AWScollector.”
  • [T1135] Network Share Discovery – “Invoke-ShareFinder and in‑memory discovery to enumerate shares.”
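Several of the techniques listed above leave command-line evidence that a defender can match directly: the Set-MpPreference call that disables Defender real‑time monitoring, rundll32 invoking an export from a DLL that is not a known Windows library, and the filenames listed under Indicators of Compromise. The following is an added example (not code from The DFIR Report) that runs such checks over constructed log lines; the "timestamp|host|user|command" layout and the small rundll32 allowlist are assumptions for illustration.

```python
"""Flag command-line log entries matching patterns named in the report summary.

Added example, not code from The DFIR Report. The log lines are constructed and
the pipe-delimited field layout is assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed "timestamp|host|user|command" layout.
SAMPLE_LOG = """\
2023-08-14T09:12:03Z|WS01|jdoe|powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"
2023-08-14T09:14:10Z|WS01|jdoe|rundll32.exe update.dll,HTVIyKUVoTzv
2023-08-14T09:20:55Z|WS02|svc_backup|rundll32.exe shell32.dll,Control_RunDLL
2023-08-14T09:25:00Z|WS01|jdoe|powershell.exe Get-MpPreference
2023-08-14T09:30:00Z|WS01|jdoe|cmd.exe /c magni.w.bat
"""

# Filenames taken from the report's indicator list (lower-cased for matching).
IOC_FILENAMES = {"document_scan_468.js", "magni.w", "magni.w.bat", "update.dll"}

# Assumed allowlist of Windows DLLs commonly run via rundll32; not from the report.
BENIGN_RUNDLL_DLLS = {"shell32.dll", "user32.dll", "advapi32.dll"}

DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b[^\n]*-DisableRealtimeMonitoring\s+\$true", re.IGNORECASE)
RUNDLL32 = re.compile(r'\brundll32(?:\.exe)?\s+"?([^\s",]+)"?,(\w+)', re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    host: str
    user: str
    command: str


def evaluate(command: str) -> list[str]:
    """Return a description for every rule the command line triggers."""
    hits = []
    if DEFENDER_TAMPER.search(command):
        hits.append("T1562.001 Defender real-time monitoring disabled")
    m = RUNDLL32.search(command)
    if m:
        # Strip any path so "C:\\x\\update.dll" and "update.dll" compare equally.
        dll = m.group(1).rsplit("\\", 1)[-1].lower()
        if dll not in BENIGN_RUNDLL_DLLS:
            hits.append(f"T1218.011 rundll32 loading {dll} export {m.group(2)}")
    lowered = command.lower()
    for name in sorted(IOC_FILENAMES):
        # Whole-token match so "magni.w" does not also fire on "magni.w.bat".
        if re.search(r"(?<![\w.])" + re.escape(name) + r"(?![\w.])", lowered):
            hits.append(f"IOC filename {name}")
    return hits


def scan(log_text: str) -> list[Finding]:
    """Parse each log line and collect one Finding per triggered rule."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _ts, host, user, cmd = raw.split("|", 3)
        for hit in evaluate(cmd):
            findings.append(Finding(hit, host, user, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}\t{f.user}\t{f.technique}\t{f.command}")
```

Running the block prints four findings from the five constructed lines: the Defender tampering command, the rundll32 call (flagged both for the non-allowlisted DLL and for the update.dll indicator) and the magni.w.bat execution; the benign rundll32 and Get-MpPreference lines pass.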

Indicators of Compromise

  • [IP] C2 and malicious activity IPs – 151.236.9.176, 159.223.95.82, 194.58.68.187 (associated with domain names ewacootili.com, ultrascihictur.com, magiraptoy.com)
  • [Domain] IcedID and Cobalt Strike related domains – ewacootili.com, ultrascihictur.com, magiraptoy.com, moashraya.com
  • [URL/Resource] File hosting for C2 beacons – file.io (Cobalt Strike beacon downloaded via PowerShell)
  • [File hash] SHA256 – f415c7d1b6a19975f2bb09e79f4416975375490fc645865dd63478c8aa605d97
  • [Filename] Document_Scan_468.js; magni.w; magni.w.bat; update.dll
  • [Credential/Config] AWSCollector configuration and AWS S3 buckets used for exfiltration
  • [Certificate] Self‑signed certificates with Amazon branding, used to masquerade C2 traffic, observed in VirusTotal artifacts

Read more: https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/