Project Hyphae

IcedID with Cobalt Strike and Dark VPN

Share This Post

IcedID has been being seen quite a bit in the wild recently. Brad Duncan, Threat Intelligence Analyst at Palo Alto Networks, has shared a blog on SANS reviewing the a recent IcedID infection which lead to Dark VPN activity and Cobalt Strike.

IcedID had it’s start as a modular banking trojan aimed at stealing user financial information, but is also capable and has been being used as a dropper for other malware. IcedID has been recently seen coming within a password protected ZIP attachment, which contains an ISO image containing the hidden malware, but previously has also been seen as a secondary payload to other droppers, such as Emotet.

With it’s popularity recently, IcedID is definitely a piece of malware defenders need to be aware of, and sharpen up on ways to detect it in their environments.

Brad Duncan’s post and included IoCs can be found here: https://isc.sans.edu/diary/rss/28884



Reach out to our incident response team for help

More To Explore

Information Security News 11-27-2023

East Texas Hospital Network Can’t Receive Ambulances Because of Potential Cybersecurity Incident Article Link: https://www.cnn.com/2023/11/24/us/east-texas-hospital-cybersecurity/index.html Canadian Government Discloses Data Breach After Contractor Hacks Article Link:

Shane Farmer November 27, 2023

Information Security News 11-20-2023

PJ&A Says Cyberattack Exposed Data of Nearly 9 Million Patients Article Link: https://www.bleepingcomputer.com/news/security/pj-and-a-says-cyberattack-exposed-data-of-nearly-9-million-patients/ Google Workspace Weaknesses Allow Plaintext Password Theft Article Link: https://www.theregister.com/2023/11/15/google_workspace_weaknesses_allow_plaintext/ New York

Shane Farmer November 20, 2023

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.