IcedID Macro Attacks Deploy Nokoyawa Ransomware

Malicious actors frequently resort to alternative techniques to gain initial access, such as employing diverse file formats and payloads. It is important to highlight that they still actively use VBA macros embedded within Office documents to infiltrate target systems.

IcedID Macro

Researchers from the DFIR Report have observed attacks that commenced with a malicious Excel document, possibly delivered during a malicious email campaign in October 2022.

The macros were executed when a user clicked on an embedded image in the Excel document. The purpose of the macro code was to download an IcedID DLL payload to disk. The macro then executed the IcedID DLL using a renamed rundll32 binary.

After its initial execution, the IcedID malware loaded several Cobalt Strike beacons on the compromised host. The beacons enabled the threat actors to elevate their privileges to SYSTEM and dump the memory of LSASS (Local Security Authority Subsystem Service).

The threat actors returned to gather information about domain computers and privileged user accounts on the Domain Controller. They also escalated privileges using named pipe impersonation. Next, the threat actors began spreading laterally through the network, utilizing a combination of Cobalt Strike beacon DLLs, batch scripts, and WMI (Windows Management Instrumentation) commands. They engaged in credential dumping, executed additional Windows discovery commands, and checked RDP access across the environment.

After approximately 23 hours of inactivity, the threat actors initiated the final phase of the intrusion. They connected to a compromised server via RDP, utilizing it as a staging ground for the ransomware deployment. The actors deployed the ransomware payload, Sysinternals PsExec, and a cluster of batch files (1.bat-6.bat and p.bat). By executing these batch files through PsExec and WMI, they distributed the ransomware payload to all domain-joined hosts.
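The chain above leaves distinctive traces in process-creation telemetry: an Office application spawning a child, a rundll32 binary running under a different file name, and the PsExec service launching batch files. The detection logic below is an added defender-side example (not code from the DFIR Report or this article); it assumes Sysmon Event ID 1 field names and runs over constructed sample events, not real logs.

```python
"""Added defender-side example (not the DFIR Report's or the article's code):
flag three behaviours from the intrusion chain in process-creation telemetry.
Field names follow Sysmon Event ID 1; the sample events are constructed."""
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def _name(path: str) -> str:
    return ntpath.basename(path).lower()

def classify(event: dict) -> list[str]:
    """Return the names of the rules this event matches (empty if benign)."""
    hits = []
    image = _name(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    parent = _name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    # 1. rundll32 copied under another name: the PE's internal name is unchanged
    if original == "rundll32.exe" and image != "rundll32.exe":
        hits.append("renamed_rundll32")
    # 2. An Office application spawning a non-Office child (macro execution path)
    if parent in OFFICE_APPS and image not in OFFICE_APPS:
        hits.append("office_child_process")
    # 3. The PsExec service running a batch file (ransomware fan-out stage)
    if parent == "psexesvc.exe" and ".bat" in cmd:
        hits.append("psexec_batch")
    return hits

# Constructed sample telemetry modelled on the article's intrusion chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "OriginalFileName": "Excel.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "EXCEL.EXE /dde"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\setup.exe",  # hypothetical name
     "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"setup.exe C:\Users\victim\AppData\Local\Temp\payload.dll,#1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"cmd.exe /c \\srv\c$\1.bat"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify() over every event and return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The legitimate rundll32 launch from svchost in the last sample event produces no hit, which is the point of keying on OriginalFileName rather than on the DLL path alone.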

However, no ransom was paid as a result of this incident.


Cobalt Strike
50.3.132[.]232:8081 / iconnectgs[.]com
23.29.115[.]152:757 / aicsoftware[.]com
23.29.115[.]152:8080 / aicsoftware[.]com

About the Author:

FirstHackersNews- Identifies Security
