This case covers the activity from a campaign in late September of 2022. IcedID continues to deliver malspam emails to facilitate a compromise.

This intrusion began with the execution of IcedID malware contained within an ISO image. This case shares similarities with the IcedID campaign detailed by, where the ADGet.exe application was referenced. Post-exploitation activities detail some familiar and some new techniques and tooling, which led to domain-wide ransomware.

The ISO file was delivered to the victim as part of a malspam campaign. Delivering payloads inside an ISO image is a common technique observed in several prior cases, and its use has grown as threat actors look to evade Mark-of-the-Web controls: the downloaded ISO carries the Mark-of-the-Web, but the files inside the mounted image do not. The ISO image delivered a hidden directory containing an IcedID payload and a batch file. After being successfully mounted (double clicked), the end user only sees a malicious LNK file named "documents" inside the mounted virtual drive.
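The following triage script is an added example, not part of the original report or of IcedID's tooling. It shows the two checks an analyst would run on an ISO like the one described above: whether the container itself carries the Mark-of-the-Web (the Zone.Identifier alternate data stream), and what the mounted image actually holds once hidden entries are listed, including whether any inner file carries a Zone.Identifier (it will not, which is the evasion). It assumes a Windows host with the Storage module (Mount-DiskImage), that the ISO sits on an NTFS volume where Zone.Identifier can exist, and a hypothetical `-IsoPath` parameter pointing at the sample; the file-extension heuristics are the author's own, not indicators from the report.

```powershell
# Added triage example (not from the original report): inspect a suspicious ISO
# without double-clicking it. Assumes the Storage module (Mount-DiskImage) and that
# the ISO lives on NTFS, where the Zone.Identifier (Mark-of-the-Web) stream can exist.
param(
    [Parameter(Mandatory = $true)]
    [string]$IsoPath   # hypothetical parameter: path to the ISO under analysis
)

function Get-MotwZone {
    # Returns the ZoneId from the Zone.Identifier alternate data stream, or $null when
    # the file has no Mark-of-the-Web (or the file system cannot hold one, e.g. CDFS/UDF).
    param([string]$Path)
    $content = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $content) { return $null }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d)') { return [int]$Matches[1] }
    }
    return $null
}

# 1. The container: an ISO that arrived by mail or browser normally has ZoneId=3 (Internet).
$isoZone = Get-MotwZone -Path $IsoPath
Write-Host ("ISO Zone.Identifier: {0}" -f $(if ($null -ne $isoZone) { $isoZone } else { 'none' }))

# 2. Mount read-only and enumerate everything, including entries Explorer hides by default.
$image = Mount-DiskImage -ImagePath $IsoPath -Access ReadOnly -PassThru
try {
    $volume = $image | Get-Volume
    $root   = "$($volume.DriveLetter):\"
    Write-Host "Mounted as $root ($($volume.FileSystem))"

    $entries = Get-ChildItem -Path $root -Recurse -Force
    foreach ($e in $entries) {
        $hidden = [bool]($e.Attributes -band [IO.FileAttributes]::Hidden)
        $flags  = @()
        if ($hidden)                          { $flags += 'HIDDEN' }
        if ($e.Extension -ieq '.lnk')         { $flags += 'LNK' }
        if ($e.Extension -in '.bat', '.cmd')  { $flags += 'BATCH' }
        if ($e.Extension -in '.dll', '.exe')  { $flags += 'PE' }
        # 3. Files inside the mounted image carry no Zone.Identifier: the MOTW stayed on
        #    the container, which is the control this delivery chain sidesteps.
        if (-not $e.PSIsContainer) {
            $z = Get-MotwZone -Path $e.FullName
            $flags += $(if ($null -ne $z) { "MOTW=$z" } else { 'MOTW=none' })
        }
        Write-Host ("{0,-60} {1}" -f $e.FullName.Substring($root.Length), ($flags -join ' '))
    }

    # Summary for the pattern seen in this case: a visible LNK beside a hidden directory.
    $visibleLnk = $entries | Where-Object {
        $_.Extension -ieq '.lnk' -and -not ($_.Attributes -band [IO.FileAttributes]::Hidden)
    }
    $hiddenDirs = $entries | Where-Object {
        $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden)
    }
    if ($visibleLnk -and $hiddenDirs) {
        Write-Warning 'Visible LNK plus hidden directory: consistent with ISO/LNK payload delivery.'
    }
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

Run it from an isolated analysis VM as `.\Inspect-Iso.ps1 -IsoPath C:\samples\documents.iso` (hypothetical file names). Mounting through `Mount-DiskImage` does not execute the LNK, but the mount itself is what the victim's double-click performs, so keep the host offline and snapshot it first.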