Unit 42 (@Unit42_Intel)
2023-01-12 (Thursday) - #IcedID (#Bokbot) infection leads to #CobaltStrike using fepopeguc[.]com on 185.173.34[.]36:443 for its C2 traffic. List of indicators available at bit.ly/3iGadUB
2023-01-12 (Thursday) - IcedID (Bokbot) Activity - email > attached PDF file > password-protected ZIP archive > extracted disk image > Windows shortcut runs hidden DLL > HTTP traffic for gzip binary > license.dat & Persistent IcedID DLL created from gzip binary > HTTPS traffic for IcedID C2 > follow-up activity: Cobalt Strike
Image: Red arrows indicate what happens after opening the document, including the ISO that is downloaded, the prompt to enter the password, and the resulting files that are opened.
Image: Wireshark pcap showing the ZIP download, the GZIP binary, the IcedID C2 traffic, the Cobalt Strike stager and the Cobalt Strike C2 traffic.
Image: Certificate for HTTPS traffic from Cobalt Strike server.
1:32 AM · Jan 13, 2023 · 38.9K Views
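The post gives two network indicators in defanged form (fepopeguc[.]com and 185.173.34[.]36:443) and describes the traffic a defender should expect to see. The script below is an added example, not code from Unit 42 or from the post: it refangs those two indicators and sweeps a constructed proxy log for them, matching the domain case-insensitively (including subdomains) and matching the IP only on the port the post names. The log line format and every log line are made up for this example; the bit.ly indicator list is not fetched.

```python
import re
from ipaddress import ip_address

# Indicators exactly as defanged in the post.
DEFANGED_IOCS = [
    "fepopeguc[.]com",
    "185.173.34[.]36:443",
]

# Constructed proxy log (not real data). Format, assumed for this example:
# <timestamp> <client_ip> <method> <dest_host[:port]> <dest_ip> <dest_port>
# Line 5 uses the C2 IP on a different port, so it must NOT match the IP:port indicator.
SAMPLE_PROXY_LOG = """\
2023-01-12T14:02:11Z 10.0.0.15 CONNECT fepopeguc.com:443 185.173.34.36 443
2023-01-12T14:02:13Z 10.0.0.15 GET example.com:80 203.0.113.5 80
2023-01-12T14:05:40Z 10.0.0.22 CONNECT 185.173.34.36:443 185.173.34.36 443
2023-01-12T14:06:02Z 10.0.0.15 CONNECT FEPOPEGUC.COM:443 185.173.34.36 443
2023-01-12T14:09:55Z 10.0.0.31 CONNECT 185.173.34.36:8443 185.173.34.36 8443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+)(?::(?P<hport>\d+))? (?P<dst_ip>\S+) (?P<dst_port>\d+)$"
)


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be compared to log fields."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(defanged):
    """Split refanged indicators into domains and (ip, port-or-None) tuples."""
    domains, ip_ports = set(), set()
    for raw in defanged:
        value = refang(raw)
        host, _, port = value.rpartition(":")
        if not host:            # no colon present: rpartition put everything in `port`
            host, port = value, None
        try:
            ip_address(host)    # raises ValueError for a domain name
            ip_ports.add((host, int(port) if port else None))
        except ValueError:
            domains.add(host.lower())
    return domains, ip_ports


def scan_log(text, domains, ip_ports):
    """Return one hit per log line that touches any indicator, listing which ones."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        matched = set()
        host = m["host"].lower()
        for d in domains:
            # exact domain or any subdomain of it
            if host == d or host.endswith("." + d):
                matched.add(d)
        for ip, port in ip_ports:
            # an IP indicator with a port only matches traffic to that port
            if m["dst_ip"] == ip and (port is None or int(m["dst_port"]) == port):
                matched.add(f"{ip}:{port}" if port is not None else ip)
        if matched:
            hits.append({"line": n, "client": m["client"], "indicators": sorted(matched)})
    return hits


if __name__ == "__main__":
    doms, ips = parse_iocs(DEFANGED_IOCS)
    for hit in scan_log(SAMPLE_PROXY_LOG, doms, ips):
        print(f"line {hit['line']}: client {hit['client']} -> {', '.join(hit['indicators'])}")
```

Matching the IP only together with port 443 is a deliberate choice: the post ties that address to C2 on 443, and a bare IP match would also flag unrelated traffic if the address is shared hosting. Run on the sample, lines 1, 3 and 4 are reported and line 5 (same IP, port 8443) is not.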