# IcedID to Cobalt Strike In Under 20 Minutes

**[esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes](https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes)**

[Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with](https://www.esentire.com/what-we-do/security-operations-center)
Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to
threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our
space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat
Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU
team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent
threat investigation. We outline how we responded to the confirmed threat and what
recommendations we have going forward.

**Here’s the latest from our TRU Team…**

## What did we find?

We identified IcedID malware attempting to load Cobalt Strike within 20 minutes of
initial infection.


-----

[As noted in the June 2021 TRU Positive, IcedID is a modular banking trojan and](https://www.esentire.com/blog/icedid-malware)
precursor to hands-on-intrusions and ransomware attacks.
The incident started with the victim unwittingly mounting and executing the contents of
an ISO file delivered through email.

This technique uses a disk image (.iso) containing a shortcut and hidden files.
[When clicked, the shortcut command uses the regsvr32 lolbin to execute the](https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/)
IcedID payload hidden within the mounted image container.
Once executed, IcedID immediately performs discovery commands to capture the
system, domain, and networking information. These are common commands executed
by precursor malware and are likely used to prioritize footholds for further intrusion
actions.
Less than 20 minutes from initial infection, the host executed remote PowerShell
commands to deploy a Cobalt Strike stager.

_Figure 1 Endpoint View Showing IcedID Execution, Discovery Commands and Cobalt Strike_
_Execution via PowerShell_


-----

_Figure 2 Timeline of Events from IcedID Infection to Cobalt Strike_

_Figure 3 Cobalt Strike PowerShell Stager_

## How did we find it?

Our Machine Learning PowerShell classifier identified the malicious Cobalt Strike
PowerShell command.
MDR for Network disrupted and alerted on the IcedID C2 traffic.

## What did we do?

Our 24/7 SOC alerted the customer, and the host was contained.

## What can you learn from this TRU positive?

Ransomware precursor threats such as IcedID, Emotet and Qakbot must be identified
and contained before the host is used as a foothold for further attacks.


-----

Adversaries are streamlining attacks to account for defender reaction times.

In December 2021, Emotet was observed directly deploying Cobalt Strike
beacons to expedite intrusion actions. This was a departure from historical
observations where malware such as Trickbot was deployed prior to Cobalt
Strike.
[IcedID has been documented loading Cobalt Strike as recently as January 2022.](https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/)
In this case, the rapid deployment of Cobalt Strike stager suggests that an
interactive intrusion was imminent.
Adversaries are using alternative techniques (e.g., .iso containers) to macro-based
execution in malicious documents.

This is likely in response to Microsoft’s recent announcement of blocking macros
[by default in internet-sourced files starting in 2022.](https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805)

## Recommendations from our Threat Response Unit (TRU) Team:

Loader malware attempts to install other malware, so the priority should be to identify and
investigate the presence of follow-on malware on systems. In addition, we recommend:

[Display file extensions for known file types and consider showing hidden files to users](https://www.bleepingcomputer.com/news/microsoft/hiding-windows-file-extensions-is-a-security-risk-enable-now/)
by default.
Conduct [Managed Phishing and Security Awareness Training on a regular basis. Warn](https://www.esentire.com/resources/library/managed-phishing-and-security-awareness-training)
users about the threat posed by scripts (e.g. JavaScript or VBScript) and image files
(.iso) attached or linked in emails.
Employ email filtering and protection measures.

Block or quarantine email attachments such as EXEs, Password Protected ZIPs,
JavaScript, Visual Basic scripts.
Implement anti-spoofing measures such as DMARC and SPF.
Employ an MFA solution to reduce impact of compromised credentials.
Train users to identify and report suspicious emails.
Protect endpoints against malware.

Ensure antivirus signatures are up-to-date.
Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product
to detect and contain threats.
Limit or disable macros across the organization. See UK's National Cyber
Centre guidance on Macro Security.

## Ask Yourself…

1. Is your malware identification and remediation process agile enough to disrupt follow
on attacks stemming from loader malware?
2. What level of visibility do you have across your network, endpoint and overall

environment to detect malicious behavior at scale?
3. What tools are you employing for email filtering and how is that activity monitored?


-----

4. What level of managed endpoint support do you have in place?
5. Are you monitoring your endpoints 24/7 and what degree of control do you have to

initiate a kill switch when required?

## Indicators of Compromise

**Value** **Description**

51[.]89[.]73[.]150 IcedID C2

194[.]15[.]112[.]23 IcedID C2

149[.]3[.]170[.]104 IcedID C2

cooldogblunts[.]com IcedID C2

reseptors[.]com IcedID C2

coolbearblunts[.]com IcedID C2

88[.]119[.]161[.]88 IcedID

934a3c540bb7224f9e0f6229b7dbe00b IcedID

http://162[.]33[.]179[.]178/pasdphaiusfoifds PowerShell Download Cradle for Cobalt
Strike

0ab07147f62d8daabb591c7b4ccb4187 PowerShell Download Cradle for Cobalt
Strike

http://162[.]33[.]179[.]178/asdhodihsa Cobalt Strike PowerShell Stager

a1702eceb019352298b88b2011bfe8af Cobalt Strike PowerShell Stager

162[.]33[.]178[.]218 Cobalt Strike

jquerysearchengine[.]com Cobalt Strike

162[.]33[.]179[.]178 Cobalt Strike

If you’re not currently engaged with a Managed Detection and Response provider, we highly
recommend you partner with us for security services in order to disrupt threats before they
impact your business.

[Want to learn more? Connect with an eSentire Security Specialist.](https://www.esentire.com/get-started)

|Value|Description|
|---|---|
|51[.]89[.]73[.]150|IcedID C2|
|194[.]15[.]112[.]23|IcedID C2|
|149[.]3[.]170[.]104|IcedID C2|
|cooldogblunts[.]com|IcedID C2|
|reseptors[.]com|IcedID C2|
|coolbearblunts[.]com|IcedID C2|
|88[.]119[.]161[.]88|IcedID|
|934a3c540bb7224f9e0f6229b7dbe00b|IcedID|
|http://162[.]33[.]179[.]178/pasdphaiusfoifds|PowerShell Download Cradle for Cobalt Strike|
|0ab07147f62d8daabb591c7b4ccb4187|PowerShell Download Cradle for Cobalt Strike|
|http://162[.]33[.]179[.]178/asdhodihsa|Cobalt Strike PowerShell Stager|
|a1702eceb019352298b88b2011bfe8af|Cobalt Strike PowerShell Stager|
|162[.]33[.]178[.]218|Cobalt Strike|
|jquerysearchengine[.]com|Cobalt Strike|
|162[.]33[.]179[.]178|Cobalt Strike|


-----