IcedID (Bokbot) with Dark VNC and Cobalt Strike

TA551 (also tracked as Monster Libra) has been distributing IcedID (Bokbot) alongside SVCReady since 2022, in campaigns that use password-protected archives and ISO images to deliver scripts and malware. The infection chain described here led to DarkVNC activity and Cobalt Strike, with persistence via a scheduled task and HTTPS-based C2 traffic that frequently uses self-signed certificates. #TA551 #MonsterLibra #SVCReady #IcedID #Bokbot #DarkVNC #CobaltStrike #Italy

Keypoints

  • Long-running activity by TA551/Monster Libra targeting Italy, distributing SVCReady and IcedID/Bokbot malware.
  • Password-protected ZIP archives containing an ISO image with a shortcut to run a command script were used to deliver IcedID.
  • The dropper chain loads a Windows JS file that ultimately installs an IcedID DLL, using rundll32.exe for execution.
  • Persistence is achieved via a scheduled task that runs the persistent IcedID DLL (Olfann64.dll) together with its data binary (license.dat).
  • DarkVNC activity and Cobalt Strike beacons are used post-compromise, with HTTPS C2 traffic and self-signed certificates observed.
  • IOCs include multiple SHA-256 hashes, file names, paths, and network indicators (domains/IPs) linked to the campaign.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – “Password-protected zip archive contains malicious ISO image” used to deliver IcedID. “Password-protected zip archive found through VirusTotal contains ISO file with shortcut to run command script.”
  • [T1021.005] Remote Services – VNC – “DarkVNC activity” observed as part of post-infection behavior.
  • [T1059.007] JavaScript – “Windows shortcut runs .js file, which then runs a DLL to install IcedID malware.”
  • [T1053.005] Scheduled Task – “Scheduled task used to keep IcedID persistent on the infected Windows host.”
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – “Run method: rundll32.exe [filename],#1”
  • [T1071.001] Web Protocols – HTTPS C2 traffic – “HTTPS C2 traffic for IcedID uses self-signed certificates” and related domain/IP indicators.
  • [T1573] Encrypted Channel – “Encoded/encrypted traffic generated by DarkVNC malware appears after the IcedID infection.” (The cipher is not identified on this page, so the parent technique rather than a sub-technique is listed.)
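The dropper chain above (command script, JS host, rundll32.exe with an ordinal export and a non-.dll module, then a scheduled task for persistence) is easy to hunt for in process-creation telemetry. The following is an added example, not code from the ISC diary: it runs a few rules over constructed Sysmon-style events. Script and DLL names come from this page's IOC list; the E: drive letter for the mounted ISO, the PIDs, the task name and the "--x=" switch are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not from the ISC diary).
# File names are from this page's IOC list; the E: drive letter, PIDs, task
# name and the "--x=" switch are assumptions made for the example.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "E:\meEDGwfAE.cmd"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "E:\mePGJqfV.js"'},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe E:\met1OvWm.dat,#1'},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn "Olfann" '
            r'/tr "rundll32.exe C:\Users\user\AppData\Local\{A42A69E9-9159-9F0A-BB24-F9DAA57621A1}\Olfann64.dll,#1 '
            r'--x=C:\Users\user\AppData\Roaming\FlightQuarter\license.dat" /sc onlogon'},
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign control-panel launch
]

# rundll32 <module>,<export>  (export may be an ordinal such as #1)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.I)


def check_rundll32(cmd):
    """Rules for a rundll32 invocation found anywhere in a command line."""
    out = []
    m = RUNDLL_RE.search(cmd)
    if not m:
        return out
    module, export = m.group(1).strip(), m.group(2)
    if not module.lower().endswith(".dll"):
        out.append("rundll32_non_dll_module")        # e.g. met1OvWm.dat
    if export.startswith("#"):
        out.append("rundll32_ordinal_export")        # the ",#1" run method
    if "\\appdata\\" in module.lower():
        out.append("rundll32_module_in_appdata")     # user-writable location
    if re.search(r"\.dat\b", cmd, re.I):
        out.append("rundll32_dat_argument")          # license.dat style data binary
    return out


def analyze(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        img = e["image"].lower().rsplit("\\", 1)[-1]
        cmd = e["cmd"]
        if "rundll32" in cmd.lower():
            found = check_rundll32(cmd)
            if found:
                hits[e["pid"]].extend(found)
        # schtasks /create whose action is a rundll32 launch
        if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
                and "rundll32" in cmd.lower():
            hits[e["pid"]].append("schtasks_persistence_via_rundll32")
        # script host running a .js whose ancestry includes cmd.exe running a .cmd/.bat
        if img in ("wscript.exe", "cscript.exe") and re.search(r"\.js\b", cmd, re.I):
            parent, depth = by_pid.get(e["ppid"]), 0
            while parent and depth < 8:
                pimg = parent["image"].lower().rsplit("\\", 1)[-1]
                if pimg == "cmd.exe" and re.search(r"\.(cmd|bat)\b", parent["cmd"], re.I):
                    hits[e["pid"]].append("js_host_spawned_by_cmd_script")
                    break
                parent, depth = by_pid.get(parent["ppid"]), depth + 1
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(analyze(EVENTS).items()):
        print(pid, EVENTS[pid - 100]["cmd"][:60], rules)
```

The rundll32 rules are deliberately independent of the file names, so they also catch the next campaign's randomly named .dat loader; the ancestry walk is what distinguishes a user double-clicking a shortcut on a mounted ISO from an administrator's interactive cscript use.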

Indicators of Compromise

  • [SHA256] – 4b86c52424564e720a809dca94f5540fcddac10cb57618b44d693e49fd38c0a5 – Context: Password-protected archive containing malicious ISO image
  • [SHA256] – d9a7ce532ee39918815f9dd03d0b4961ef85dddfd2498759b868e9ed8858a532 – Context: File figures.iso containing files for IcedID infection
  • [SHA256] – 4661a789c199544197a7d3ccfedb51ec95393641fb44875c92cf6c2c4a40fc1d – Context: File statistics.lnk Windows shortcut to run IcedID installer
  • [SHA256] – eef2684a47bbadf954f3bc06b3611989447f1b5cfd47cdeacb38321987b3565c – Context: Script meEDGwfAE.cmd runs the above JS file
  • [SHA256] – df66d308065919c5d45f6c9b718b1a7c58f9e461488bbef850c924728f053b14 – Context: JS file mePGJqfV.js runs the IcedID installer DLL
  • [SHA256] – f53321d9a70050759f1d3d21e4748f6e9432bf2bc476f294e6345f67e6c56c3e – Context: DLL met1OvWm.dat – 64-bit DLL to install IcedID
  • [SHA256] – a15ae5482b31140220bb75ce2e6c53aaafe3dc702784a0d235a77668e3b0a69a – Context: Another 64-bit DLL to install IcedID (not used for this infection)
  • [SHA256] – 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7 – Context: Olfann64.dll – persistent IcedID DLL
  • [SHA256] – a7a0025d77b576bcdaf8b05df362e53a748b64b51dd5ec5d20cf289a38e38d56 – Context: license.dat data binary used to run the persistent IcedID DLL
  • [URL] – hxxp://tritehairs[.]com/ – Context: gzip binary from tritehairs[.]com used to create the persistent IcedID 64-bit DLL and license.dat
  • [File location] – C:\Users\[username]\AppData\Local\{A42A69E9-9159-9F0A-BB24-F9DAA57621A1}\Olfann64.dll – Context: persistent IcedID 64-bit DLL
  • [File location] – C:\Users\[username]\AppData\Roaming\FlightQuarter\license.dat – Context: data binary used to run the persistent IcedID DLL
  • [File location] – C:\Users\[username]\AppData\Local\Temp\Yuicku32.dll – Context: 64-bit DLL for Cobalt Strike
  • [IP] – 159.203.45[.]144:80 – Context: GET / from tritehairs[.]com
  • [IP] – 46.21.153[.]211:443 – Context: IcedID HTTPS C2 traffic to peranistaer[.]top and wiandukachelly[.]com
  • [IP] – 178.33.187[.]139:443 – Context: IcedID HTTPS C2 traffic to alohasockstaina[.]com and gruvihabralo[.]nl
  • [IP] – 135.181.175[.]108:8080 – Context: DarkVNC traffic (encoded/encrypted)
  • [IP] – 108.177.235[.]8:80 – Context: Cobalt Strike C2 traffic over TCP port 80 to lufuyadehi[.]com
  • [IP] – 108.62.118[.]133:443 – Context: Cobalt Strike HTTPS C2 traffic to zuyonijobo[.]com
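The network indicators above are published defanged (hxxp, [.]), so before they can be matched against DNS, connection or TLS logs they have to be refanged and split into domain, IP and IP:port sets. The following is an added example, not code from the ISC diary: it normalises this page's network IOCs and scans a handful of constructed log lines (the timestamps, internal client address and log layout are assumptions), reporting a separate verdict when a listed IP is seen on a port the list does not name.

```python
import re

# Network indicators exactly as they appear on this page (defanged).
NETWORK_IOCS = [
    "hxxp://tritehairs[.]com/", "159.203.45[.]144:80",
    "46.21.153[.]211:443", "peranistaer[.]top", "wiandukachelly[.]com",
    "178.33.187[.]139:443", "alohasockstaina[.]com", "gruvihabralo[.]nl",
    "135.181.175[.]108:8080",
    "108.177.235[.]8:80", "lufuyadehi[.]com",
    "108.62.118[.]133:443", "zuyonijobo[.]com",
]

# Constructed log lines for the example; not taken from the diary's pcap.
LOGS = [
    "2022-08-03T10:01:02Z dns query=tritehairs.com answer=159.203.45.144",
    "2022-08-03T10:01:03Z conn 10.0.0.5:49712 -> 159.203.45.144:80 proto=tcp",
    "2022-08-03T10:02:10Z ssl 10.0.0.5:49730 -> 46.21.153.211:443 sni=peranistaer.top self_signed=true",
    "2022-08-03T10:05:00Z conn 10.0.0.5:49801 -> 135.181.175.108:8080 proto=tcp",
    "2022-08-03T10:06:00Z dns query=www.microsoft.com answer=20.112.52.29",
    "2022-08-03T10:07:00Z conn 10.0.0.5:49900 -> 159.203.45.144:8443 proto=tcp",
]


def refang(ioc):
    """Turn a defanged indicator into (host, port_or_None)."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^https?://", "", s, flags=re.I)   # drop scheme
    s = s.split("/", 1)[0]                         # drop path
    host, _, port = s.partition(":")
    return host.lower(), (int(port) if port else None)


def build_index(iocs):
    """Split refanged IOCs into domain, IP and (IP, port) sets."""
    domains, ips, ip_ports = set(), set(), set()
    for ioc in iocs:
        host, port = refang(ioc)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            ips.add(host)
            if port is not None:
                ip_ports.add((host, port))
        else:
            domains.add(host)
    return domains, ips, ip_ports


DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def scan(lines, iocs=NETWORK_IOCS):
    """Return {line_index: [hit descriptions]} for lines touching an IOC."""
    domains, ips, ip_ports = build_index(iocs)
    hits = {}
    for i, line in enumerate(lines):
        found = []
        for m in DOMAIN_RE.finditer(line):
            labels = m.group(1).lower().split(".")
            # check the name and each parent domain (sub.evil.tld -> evil.tld)
            for k in range(len(labels) - 1):
                cand = ".".join(labels[k:])
                if cand in domains:
                    found.append("domain:" + cand)
                    break
        for m in IP_RE.finditer(line):
            ip, port = m.group(1), m.group(2)
            if ip not in ips:
                continue
            if port is None:
                found.append("ip:" + ip)
            elif (ip, int(port)) in ip_ports:
                found.append(f"ip:{ip}:{port}")
            else:
                found.append(f"ip:{ip} (port {port} not in IOC list)")
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for i, found in sorted(scan(LOGS).items()):
        print(i, found)
```

Matching parent domains catches subdomains the IOC list does not enumerate, and keeping the "port not in IOC list" verdict separate matters because C2 infrastructure frequently moves ports while the address stays the same.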

Read more: https://isc.sans.edu/diary/rss/28884