Unit 42 on X: "2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at https://t.co/6Lq21bO2zP - Thanks to @drb_ra, @teamcymru_S2 & @pr0xylife for previous tweets related to this activity! https://t.co/2nxAVEaKEQ" / X

Post

2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @teamcymru_S2 & @pr0xylife for previous tweets related to this activity!

Wireshark pcap showing IcedID installer retrieving Gzip binary, IcedID C2 traffic, IcedID BackConnect traffic, and where Cobalt Strike traffic starts

IcedID BackConnect Traffic

IcedID BackConnect Traffic, Command for Cobalt Strike

IcedID BackConnect Traffic

5:55 PM · Feb 27, 202311.7KViews