Team Cymru analyzes IcedID’s BackConnect protocol and uncovers how operators repurpose infected hosts as proxies to support distributed C2 activity, including VPN/Starlink/Tor-based routing and remote-access channels. The post also highlights observed tools and infrastructure (VNC, TeamViewer, Telegram, Tor) and traces IPs and auth-value changes that mark BC operations over time. #IcedID #BackConnect #TeamCymru #SpaceXStarlink #Tor #TeamViewer
Key points
- Eleven BackConnect C2 servers have been identified since 01 July 2022, managed via two VPN nodes.
- Operators are likely located in Moldova and Ukraine, each handling distinct elements of the BC protocol.
- Evidence of malicious use of the SpaceX Starlink network is identified as part of the BC operations.
- Two management IPs expose separate channels: a VNC-based remote-access path and a SOCKS/WireGuard-based proxy path, with related tooling and traffic patterns observed.
- VNC management traffic often uses UDP/1194 (the OpenVPN default) and is linked to a Moldovan residential access point; TeamViewer is also used for remote access.
- Tor-related activity and Telegram/SMS-related tools (onlinesim.ru, Gofile) are observed in the operator-side telemetry and workflow.
- The auth value change (from 0x974f014a to 0x08088b1f) appears to coincide with BC campaigns around August–September 2022; RDP and RDP-like activity and SSH to cloud IPs are also seen.
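The auth-value change above is a concrete hook for network detection. The following is an added example (not code from Team Cymru or the post) that flags TCP payloads whose first four bytes decode to either auth value named above; it assumes the auth value sits at the start of each BC message, as earlier public protocol analyses describe, and treats the wire byte order as unknown, so it checks both orders. The little-endian form of 0x08088b1f is the byte sequence 1f 8b 08 08, which is also a valid gzip header, so that case is flagged as low confidence rather than dropped.

```python
import struct

# Auth values named in the post; the period labels follow the post's key points.
KNOWN_AUTH_VALUES = {
    0x974F014A: "auth value used before Aug 2022",
    0x08088B1F: "auth value seen in Aug-Sep 2022 campaigns",
}
GZIP_MAGIC = b"\x1f\x8b\x08"  # little-endian 0x08088b1f begins like a gzip header

def match_bc_auth(payload: bytes):
    """Return (value, byte_order, note) when the first four bytes decode to a
    known auth value in either byte order, else None. Assumption: the auth
    value is the first field of a BC message."""
    if len(payload) < 4:
        return None
    for order, fmt in (("big", ">I"), ("little", "<I")):
        value = struct.unpack(fmt, payload[:4])[0]
        if value in KNOWN_AUTH_VALUES:
            note = KNOWN_AUTH_VALUES[value]
            if order == "little" and payload.startswith(GZIP_MAGIC):
                note += " (low confidence: bytes also form a gzip header)"
            return value, order, note
    return None

def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes).
    Returns alert dicts; dst_port 8080 is the BC C2 port noted in the post."""
    alerts = []
    for src, dst, dport, payload in flows:
        hit = match_bc_auth(payload)
        if hit:
            value, order, note = hit
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "auth_value": f"0x{value:08x}", "byte_order": order,
                           "port_8080": dport == 8080, "note": note})
    return alerts

# Constructed sample flows (not real captures): two BC-style headers,
# one gzip-looking payload on 443, and one plain HTTP request.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 8080, bytes.fromhex("974f014a01") + b"\x00" * 8),
    ("10.0.0.7", "203.0.113.11", 8080, bytes.fromhex("08088b1f01") + b"\x00" * 8),
    ("10.0.0.8", "198.51.100.4", 443, bytes.fromhex("1f8b0808") + b"\x00" * 8),
    ("10.0.0.9", "203.0.113.12", 8080, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

On real traffic, feed the first bytes of each TCP stream (e.g. from a Zeek or pcap extractor) and triage low-confidence hits by destination port and peer reputation before escalating.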
MITRE Techniques
- [T1021.004] Remote Services – VNC – The BC protocol includes a VNC module that gives the operator(s) a remote-access channel. “the BC protocol contains a VNC module, providing the malware operator(s) with a remote-access channel which can be brokered for profit.”
- [T1021.001] Remote Services – RDP – RDP connections to a set of IPs that share a distinct machine name; used for remote control beyond initial access. “RDP connections to a set of IPs that share a distinct machine name”
- [T1021.005] Remote Services – TeamViewer – Regular TeamViewer traffic observed, suggesting remote management via TeamViewer servers. “regular traffic to TeamViewer infrastructure was observed, indicating that the software may be installed on the operator’s machine, with usage routed through TeamViewer’s servers.”
- [T1071] Application Layer Protocol – C2 over TCP/8080 – Victim communications observed over TCP/8080, indicating a C2 channel using application-layer protocols. “evidence of victim communications over TCP/8080.”
- [T1021.004] Remote Services – SSH – SSH to cloud infrastructure; the cloud IPs share the same SSH server host key, indicating a centrally controlled setup. “cloud IPs displayed the same unique SSH Server Host Key”
- [T1090] Proxy – Use of VPN/Tor to route through the infected host – The BC protocol allows the infected host as a proxy; VPN/Tor-based access observed. “the BC protocol allows the threat actor(s) additional functionality, using the infected host as a proxy”
- [T1090] Proxy – Tor relay communications – Ongoing communications with a single Tor relay, suggesting operator access via the Tor network. “Looking at outbound connections to a single Tor relay …”
Indicators of Compromise
- [IP] BackConnect C2 servers – 135.125.242.223, 135.181.175.108, and 9 further servers (eleven in total)
- [IP] BC management/initial points – 51.89.201.236, and 2 more related IPs observed in the BC infrastructure
- [Domain] onlinesim[.]ru – Temporary SMS service domain used by operators
- [Domain] protonmail.com – Used by operators for communications or accounts
- [Domain] gofile – File-sharing domain involved in operator workflow
- [Domain] Telegram – Telegram messaging infrastructure observed in operator activity
Read more: https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol