Project Hyphae

IcedID with Cobalt Strike and Dark VPN

Share This Post

IcedID has been being seen quite a bit in the wild recently. Brad Duncan, Threat Intelligence Analyst at Palo Alto Networks, has shared a blog on SANS reviewing the a recent IcedID infection which lead to Dark VPN activity and Cobalt Strike.

IcedID had it’s start as a modular banking trojan aimed at stealing user financial information, but is also capable and has been being used as a dropper for other malware. IcedID has been recently seen coming within a password protected ZIP attachment, which contains an ISO image containing the hidden malware, but previously has also been seen as a secondary payload to other droppers, such as Emotet.

With it’s popularity recently, IcedID is definitely a piece of malware defenders need to be aware of, and sharpen up on ways to detect it in their environments.

Brad Duncan’s post and included IoCs can be found here:

Reach out to our incident response team for help

More To Explore

Information Security News 11-27-2023

East Texas Hospital Network Can’t Receive Ambulances Because of Potential Cybersecurity Incident Article Link: Canadian Government Discloses Data Breach After Contractor Hacks Article Link:

Information Security News 11-20-2023

PJ&A Says Cyberattack Exposed Data of Nearly 9 Million Patients Article Link: Google Workspace Weaknesses Allow Plaintext Password Theft Article Link: New York

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.