IcedID

Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads.

Proofpoint researchers have observed Bumblebee being distributed in email campaigns by at least three tracked threat actors.

The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.

A smaller subset of entries mention attachments or PDFs containing malicious links, such as 'Wizard Spider has used spearphishing attachments to deliver ... PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar' and 'XLoader has been delivered as a phishing attachment, including PDFs with embedded links.'

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

When the Excel macros are enabled, the BazarCall malware will be downloaded and executed on the victim's computer.

The content repeatedly mentions malicious macros in Word/Excel documents, such as "enable macros," "embedded macros," and "macro-enabled documents."

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

The content repeatedly references malicious shortcut files: e.g., "APT38 has used malicious Word documents and shortcut files," "Bumblebee... opening an ISO file to enable execution of malicious shortcut files and DLLs," and "Mustang Panda distributed malicious LNK objects for user execution."

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

The content repeatedly references malicious shortcut files: e.g., "APT38 has used malicious Word documents and shortcut files," "Bumblebee... opening an ISO file to enable execution of malicious shortcut files and DLLs," and "Mustang Panda distributed malicious LNK objects for user execution."

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.

These included copying rundll32 and a malicious DLL from within the ISO to the host, before executing the malware.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies... If an attacker can compromise a device and extract the browser cookies, they could pass that cookie into a separate web browser on another system, bypassing security checkpoints along the way.

Infostealers live in infected computers and gather information, allowing attackers to exploit organizations and obtain credentials.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List

Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.

A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies... “Pass-the-cookie” is like pass-the-hash or pass-the-ticket attacks in Active Directory.

Infostealers live in infected computers and gather information, allowing attackers to exploit organizations and obtain credentials.

Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

BUMBLEBEE has been observed to download and execute different malicious payloads such as Cobalt Strike beacons... NCC Group’s RIFT has observed mostly Cobalt Strike and Meterpeter being sent as tasks. However, third parties have confirmed the drop of Sliver and Bokbot payloads.

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.