An IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals. IcedID, also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a dropper for other malware, joining the likes of Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin. The intrusion detailed by Cybereason is no different in that the infection chain begins with an ISO image file contained within a ZIP archive that culminates in the execution of the IcedID payload. The malware then establishes persistence on the host via a scheduled task and communicates with a remote server to download next-stage payloads, including a Cobalt Strike Beacon for follow-on reconnaissance and attack activity.
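As an added defender's example (not from the article or Cybereason's report), the Python below correlates constructed, simplified endpoint events to flag the chain described above: a process launched from a mounted ISO registers a scheduled task, and a later process running that task's action makes an outbound connection. The event schema, user name, paths, task name, destination address and one-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified endpoint telemetry (not data from the article).
# kind: mount = image file mounted, proc = process creation, task = scheduled
# task created (cf. Security event 4698), net = outbound connection.
EVENTS = [
    {"ts": "2023-01-10T09:00:00", "kind": "mount", "drive": "E:",
     "source": r"C:\Users\alice\Downloads\package\Document.iso"},
    {"ts": "2023-01-10T09:00:40", "kind": "proc", "pid": 512,
     "cmd": r"rundll32.exe E:\stage.dll,#1"},
    {"ts": "2023-01-10T09:01:05", "kind": "task", "pid": 512, "name": r"\Updater",
     "action": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"ts": "2023-01-10T09:02:00", "kind": "proc", "pid": 640,
     "cmd": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,#1"},
    {"ts": "2023-01-10T09:02:30", "kind": "net", "pid": 640, "dst": "203.0.113.5:443"},
    {"ts": "2023-01-10T09:05:00", "kind": "proc", "pid": 700, "cmd": "notepad.exe"},
]

WINDOW = timedelta(hours=1)  # assumed maximum gap between chain stages

def _t(e):
    return datetime.fromisoformat(e["ts"])

def find_iso_task_chains(events):
    """Flag the chain the article describes: a process launched from a mounted
    ISO registers a scheduled task, and a later process running the task's
    action makes an outbound connection. Returns one dict per full chain."""
    events = sorted(events, key=_t)
    findings = []
    for m in (e for e in events if e["kind"] == "mount"
              and e["source"].lower().endswith(".iso")):
        drive = m["drive"].lower()
        # stage 1: processes whose command line references the ISO drive letter
        for p in (e for e in events if e["kind"] == "proc"
                  and _t(m) <= _t(e) <= _t(m) + WINDOW and drive in e["cmd"].lower()):
            # stage 2: scheduled task registered by that process
            for t in (e for e in events if e["kind"] == "task" and e["pid"] == p["pid"]
                      and _t(p) <= _t(e) <= _t(p) + WINDOW):
                action = t["action"].lower()
                runners = {e["pid"] for e in events if e["kind"] == "proc"
                           and _t(e) >= _t(t) and action in e["cmd"].lower()}
                # stage 3: outbound connection from a process running the action
                hits = [e for e in events if e["kind"] == "net" and e["pid"] in runners
                        and _t(e) <= _t(t) + WINDOW]
                if hits:
                    findings.append({"iso": m["source"], "loader_pid": p["pid"],
                                     "task": t["name"], "dst": hits[0]["dst"]})
    return findings
```

Each stage alone (an ISO mount, a scheduled task, an outbound connection) is common on a workstation; it is the ordering and the shared process identifiers within a short window that make the sequence worth an alert.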
Link:
https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html