#icedid — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #icedid, aggregated by home.social.
-
‘Operation Endgame’ Hits Malware Delivery Platforms
https://krebsonsecurity.com/2024/05/operation-endgame-hits-malware-delivery-platforms/
#Ne'er-Do-WellNews #OperationEndgame #TheComingStorm #MattBurgess #Smokeloader #Ransomware #trickbot #Europol #LockBit #IcedID #911S5
-
We are proud to announce that Sekoia #TDR team contributed to the joint international law enforcement operation #OperationEndgame, targeting the notorious botnets #IcedID, #Smokeloader, #SystemBC and #Pikabot
-
Operation Endgame - Largest Ever Operation Against Botnets Hits Dropper Malware Ecosystem
Date: May 30, 2024
CVE: Not specified
Vulnerability Type: Malware
CWE: CWE-94, CWE-502
Sources: Europol News, Eurojust News
Issue Summary
Europol, in coordination with law enforcement agencies from multiple countries, conducted the largest ever operation targeting botnets. This operation, dubbed "Operation Endgame," took place from May 27 to 29, 2024, and led to the disruption of major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. The effort resulted in four arrests and the takedown of over 100 servers worldwide. These droppers were used to facilitate ransomware and other cyber-attacks by installing additional malware onto target systems. The operation was supported by Eurojust and involved contributions from countries including France, Germany, the Netherlands, Denmark, the UK, the US, and others. Private partners also played a role in the operation, which aimed to dismantle the infrastructure supporting these malicious activities. The success of this operation marks a significant step in combating cybercrime on a global scale.
Operation Endgame, coordinated by Europol, dismantled several major botnets including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. This international effort involved law enforcement agencies from multiple countries and led to the arrest of four individuals and the takedown of over 100 servers. The botnets targeted facilitated ransomware and other cyber-attacks.
Technical Key Findings
The malware droppers involved are designed to infiltrate systems and install additional malware, often avoiding detection through sophisticated evasion techniques. These droppers were used to deploy ransomware and other malicious payloads by bypassing security measures and enabling further system compromises.
Vulnerable Products
The operation did not specify particular products but targeted the infrastructures supporting droppers like IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee.
Impact Assessment
If abused, these vulnerabilities could lead to widespread ransomware attacks, financial losses, and significant disruption of services. The infrastructure taken down had facilitated numerous cyber-attacks globally, highlighting the severe impact on cybersecurity.
Patches or Workaround
The report did not mention specific patches or workarounds. However, continuous monitoring and updating of security measures are recommended to protect against such threats.
Tags
#Botnets #Malware #Ransomware #Cybersecurity #Europol #OperationEndgame #Cybercrime #IcedID #SystemBC #Pikabot #Smokeloader #Bumblebee
-
We are proud to announce that we assisted the joint international law enforcement operation #OperationEndgame, targeting the notorious botnets #IcedID, #Smokeloader, #SystemBC and #Pikabot 🔥
abuse.ch has provided key infrastructure to LEA and internal partners to disrupt these botnet operations 🛑
More information on the operation is available here:
👉 https://operation-endgame.com/
-
🚨#IcedID, #Smokeloader, #SystemBC, #Pikabot and #Bumblebee botnets have been disrupted by Operation Endgame!! This is the largest operation EVER against botnets involved with ransomware, with gargantuan thanks to a coordinated effort led by international agencies 👏👏
As with the #Qakbot and #Emotet takedowns, Spamhaus are again providing remediation support - those affected will be contacted from today with steps to take.
👉 For more information, read our write-up here: https://www.spamhaus.org/resource-hub/malware/operation-endgame-botnets-disrupted-after-international-action/
-
New Latrodectus Downloader Malware Linked to IcedID and Qbot Creators https://www.hackread.com/latrodectus-downloader-malware-icedid-qbot/ #Latrodectus #BlackBasta #Ransomware #Security #Malware #IcedID #TA577 #TA588 #QBot
-
Proofpoint and Team Cymru collaborated on a report on Latrodectus malware. Latrodectus is an up-and-coming downloader with various sandbox evasion functionality. It first appeared in email threat campaigns in late November 2023. Latrodectus shares infrastructure overlap with historic IcedID operations. It is being distributed by financially motivated TA577, as well as TA578. Proofpoint provides malware analysis, C2 infrastructure, links to IcedID, and list of IOC. 🔗 https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
#Latrodectus #threatintel #IcedID #IOC #TA577 #TA578 #cybercrime
-
Here’s what CapLoader’s Alerts tab looks like after loading 2023-10-16-IcedID-infection.pcap from @malware_traffic. The malicious protocol alerts for GzipLoader, #BackConnect and #IcedID over TLS are obvious indicators of IcedID. But what about the periodic connections made every 5 minutes?
https://netresec.com/?b=23B6bcd
-
Quick #malware analysis: #ICEDID variant with #BACKCONNECT, #ANUBIS #VNC, #COBALTSTRIKE & #SCREENCONNECT pcap from 2023-10-18
Thanks to @malware_traffic for sharing this #pcap! More details:
https://blog.securityonion.net/2023/11/quick-malware-analysis-icedid-variant.html
-
Here's the decrypted #IcedID #BackConnect traffic from @malware_traffic latest #PCAP. It was just a bunch of "SLEEP 60 seconds" commands this time 😞
-
Attacker launches #BackConnect C2 on #IcedID infected machine and starts a reverse VNC session. The VNC session is used to download #CobaltStrike binary http64.exe from 85.209.11.48 and save it as “http.exe”. Cobalt Strike beacon is then executed from the command line.
For more details and the original #pcap file, see @malware_traffic’s toot here:
https://infosec.exchange/@malware_traffic/111267554603030001
-
This #IcedID #BackConnect C2 server keeps telling the bot to sleep for 60 seconds. This goes on for 3 hours. No reverse shell, no VNC, no file manager 😿
HELLO #TA577, IT’S TIME TO WAKE UP!!
-
NetworkMiner 2.8.1 released today! It now extracts:
🖥️ #VNC desktop graphics
🐀 #njRAT transfers and screenshots
🧊 #IcedID reverse VNC graphics
⌨️ #IcedID reverse VNC keylog
📂 #BackConnect file uploads
https://netresec.com/?b=23A41e6
-
Introducing the newest major @tidalcyber TTP intelligence content roundup, the Initial Access & Malware Delivery Landscape matrix, now live in our free Community Edition platform: https://app.tidalcyber.com/share/43836024-a194-4ac7-9659-b51e88632e7f
The matrix covers 25 major & emerging #malware typically used to gain early footholds in victim environments, often leading to ingress of more impactful threats, especially #ransomware, #infostealers, cryptominers, & more. It includes many recognizable names (#QakBot, #IcedID, #Emotet, #Bumblebee, #Gootloader) plus several newer and less-discussed threats
The matrix includes 13 custom Technique Sets for threats not currently tracked in the #mitreattack knowledge base. All technique references derive from a large volume of recent, public #threat reporting (click the labels in the ribbon at the top of the matrix to view relevant source URLs for each threat)
An interactive link analysis visualization of connections among these threats, also derived from public reports, is also available here: https://onodo.org/visualizations/235067/
Community Edition matrices support easy identification of shared (and outlier) techniques among multiple threats, and quick & easy overlay or pivoting to defensive & offensive security capabilities relevant to your own #security stack. We’ll have a blog out soon reviewing our analysis of top & trending techniques common among these initial access threats
Tidal’s #Adversary Intelligence team remains focused on providing up-to-date #TTPintelligence, especially around traditionally under-represented yet widely relevant threats like crimeware. Other popular matrices in this theme include our Ransomware & Data Extortion Landscape matrix (https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a) and Major & Emerging Infostealers matrix (https://app.tidalcyber.com/share/ec62f5e0-bd40-476b-a560-7ad2779ea9e3), which each cover 20+ threats
Financially motivated adversaries often display a rapid pace of #TTP evolution, and this is especially apparent for #initialaccess threats. Register for our webinar on May 31 dedicated to TTP evolution, its drivers, and discussion around what defenders can do to address it and its implications: https://hubs.la/Q01NC23k0
#SharedWithTidal #threatinformeddefense #malware #infostealer #cryptominer #IAB #blueteam #detectionengineering #purpleteam #cyber
-
Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023
The #PaperCut vulnerability continues to garner interest, with Iran's Mint SandStorm (formerly #PHOSPHORUS) and Mango SandStorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by Vulncheck researchers highlights the limitations of detection rules for assurances, and why patching is a must.
Earth Longzhi - a subset of the Chinese #APT41 Threat Group - has emerged after months in the shadows with new techniques seen in recent campaigns. Using Windows #Defender to side-load malware, the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover - this one is definitely one to check out.
Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patches being exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.
There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/ctf-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.
The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the Open Source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.
Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.
There's lots to dig through before starting your work week, so get started here:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2
-
Catch up on everything cyber with this week's edition of our SOC Goulash newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-373
Images which were redacted or cropped on Google Pixel devices or using the Windows Snipping Tool can be reversed and sensitive data revealed. The bug, dubbed "Acropalypse", may have been fixed but any existing images - be they bank details, nudes, or confidential company information - remain up for grabs.
#Hacktivists launched a week-long, coordinated attack on Australian banks, hospitals, airports and more, in retaliation for an offensive submission by an Australian designer at the Melbourne Fashion Festival, of all things.
The takedown of #BreachForums was made official last week, with the subsequent disarray demonstrating that continued law enforcement action is succeeding in capitalising on the mistrust inherent to the cyber crime ecosystem.
A significant vulnerability in the #WooCommerce Payments plugin can let attackers take over #WordPress sites, and a PoC #exploit has been released publicly for a vulnerability in #Veeam's backup software.
The #blueteam had a great week, with CISA releasing a tool that helps grab #Azure, #M365 and the #Defender suite telemetry to help run ad hoc investigations; #Splunk shared an awesome defensive guide to #ADCS attacks, and we've seen a bunch of great write-ups on #IcedID, #ASyncRAT, and more!
Catch all this and much more in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-373
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #acropalypse #OpAustralia #darkweb #CISA
-
🔎 IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole
A summary of #VNC #backdoor capabilities reconstructed from network traffic.
👀 Screenshots, videos and clipboard data at https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/
#Malware #PCAP #Reversing #DarkCat #Anubis #Keyhole #DarkVNC #IcedID #Karakurt #BlackBasta
-
#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?
Now you can, with the Gootloader #TTP matrix available in Tidal’s free Community Edition: https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2
Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars
Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout
Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here https://redcanary.com/blog/gootloader/ and here https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry https://app.tidalcyber.com/vendors
#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam
-
Bonjour #IcedID #BackConnect!
We've spotted a new C2 server being set up on:
5.196.196.252 (🇫🇷)
Expect to see this IP in infection chains in the coming days / hours.
#Recon 👀
cc @netresec
-
Sophos has observed new IcedID #malvertizing campaigns themed around Adobe & other popular software packages
🧊 Infection Chain:
➡️ Google search for "adobe reader"
↪️ Google ad click
↪️ TDS redirect: `likhs299us[.]tech`
🎣 Fake website: vvw-adobe[.]top
↪️ Download of malware from firebase (.zip containing a .iso)
🗄️ Setup_Win_<timestamp>.zip / Setup_Win_<timestamp>.iso
#IcedID C2: plivetrakoy[.]com
#IOCs:
🔗 https://www.virustotal.com/gui/file/be9ac59a6b2ea2bf55a57aec8a993a9ff77e5f6ad92531ff3cdbb7ac35295cef/content
🔗 https://www.virustotal.com/gui/ip-address/46.173.218.229/relations
#ThreatIntel #Malware #CTI
-
Sophos has observed new #IcedID activity stemming from malvertizing.
Infection Chain:
➡️ Google search for “slack”
↪️ Malicious ad click #malvertizing
↪️ Redirect 1: dasaert[.]fun/slack/index[.]php
↪️ Redirect 2: www-slack[.]top/downloads/windows/ (Registrar: AS29470 🇷🇺)
➡️ Download: setup_win_13-12-2022_17-15-46.zip, which contained the file setup_win_13-12-2022_17-15-46.msi
↪️ Rundll32 was then invoked, referencing a DLL staged under %APPDATA%\Local\Temp\tmp*.dll
↪️ Connections initiated with the C2 server: 143.198.92[.]88 (resolving to domain estrabornhot[.]com)
Seemingly related lure sites can be found via URLScan - https://urlscan.io/search/#www-*.top