2022-07-06-IOCs-for-TA578-contact-forms-IcedID-with-DarkVNC-and-Cobalt-Strike.txt
2022-07-06 (WEDNESDAY) - TA578 CONTACT FORM EMAIL --> ICEDID (BOKBOT) --> DARK VNC & COBALT STRIKE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1544820768256786433
NOTES:
- Sometime in June 2022, the TA578 "contact forms" campaign stopped using storage.googleapis[.]com URLs in their messages.
- Since that time, the TA578 "contact forms" campaign has been using forms.yandex[.]com URLs.
- These forms.yandex[.]com URLs retrieve Stolen_ImagesEvidence.zip files from URLs hosted on firebasestorage.googleapis[.]com.
EXAMPLE OF DOWNLOADED MALWARE FROM LINK IN EMAIL GENERATED FROM WEBSITE'S CONTACT PAGE:
- SHA256 hash: 14e41dbea375f923556a32ea86da94db9b860f8a3abaf6e56ec019febba04c5f
- File size: 488,133 bytes
- File name: Stolen_ImagesEvidence.zip
- File location: hxxps://firebasestorage.googleapis[.]com/v0/b/deft-scout-355009.appspot.com/o/heLG2kRaZE%2FStolen_ImagesEvidence.zip?alt=media&token=06d21941-1fca-44f5-97e1-5037333a065e
- File description: zip archive retrieved from the above firebasestorage.googleapis[.]com URL
- SHA256 hash: 546b6b14652babc58f5792de094dc309a7aea3e69681c40e50f6c23486c8213a
- File size: 2,293,760 bytes
- File name: Stolen_ImagesEvidence.iso
- File description: ISO image extracted from the above zip archive
CONTENTS OF THE ABOVE ISO IMAGE:
- SHA256 hash: 2254ed69e23e3f357b4283a055d0841d77c298c30052113b8e4a841d5b5b66ab
- File size: 2,095 bytes
- File name: documents.lnk
- File description: Windows shortcut to run IcedID installer DLL
- Shortcut: C:\Windows\System32\cmd.exe /c start rundll32.exe hertbe.dll,#1
- SHA256 hash: ca45f4138d2fa57018bad1dc211f33cf096af0ec70963a2e4ea9b4bbd8a57c3f
- File size: 832,000 bytes
- File name: hertbe.dll
- File description: Hidden file, 64-bit DLL for IcedID installer
- Run method: rundll32.exe [filename],#1
FILES RETRIEVED OR CREATED BY ICEDID INSTALLER:
- SHA256 hash: 46c3e2b210cb0b6022994c663df4c7bda2fb4804d7b363d0863718c420abbe2f
- File size: 1,163,675 bytes
- File location: hxxp://carismorth[.]com/
- File description: gzip binary retrieved by IcedID installer
- SHA256 hash: dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed
- File size: 342,186 bytes
- File location: C:\Users\[username]\AppData\Roaming\SwingDamp\license.dat
- File description: Created from gzip file, data binary used to run persistent IcedID DLL
- SHA256 hash: 3fdd148fda01d239032f793c284422e293ec80e89c3e9ce33fe8b002b9126198
- File size: 820,736 bytes
- File location: C:\Users\[username]\AppData\Local\[username]\{0D0826CD-36F5-4739-BCDA-830ABA3BF5D7}\Fupooboe1.dll
- File description: Created from gzip file, persistent IcedID DLL
- Run method: rundll32.exe [filename],#1 --ad="[path to license.dat]"
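ADDED EXAMPLE - PROCESS-CREATION CHECK FOR THE RUNDLL32 CHAIN ABOVE:
The run methods listed above (cmd.exe /c start rundll32.exe <dll>,#1 from the mounted ISO, then the persistent DLL launched as rundll32.exe <dll>,#1 --ad="...license.dat") are easy to test for in process-creation telemetry. The Python below is an added example and is not part of this IOC list. It runs over constructed Sysmon-style events built from the file names and run methods above; the user name "alice", the ISO mount drive letter "E:" and the benign shell32.dll row are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry). The
# file names, the ordinal "#1" entry point and the --ad="...license.dat"
# argument come from the IOC list; the user name "alice", the ISO mount
# letter "E:" and the benign shell32.dll row are assumptions for the example.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c start rundll32.exe hertbe.dll,#1',
     "CurrentDirectory": "E:\\"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe hertbe.dll,#1",
     "CurrentDirectory": "E:\\"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": ("rundll32.exe C:\\Users\\alice\\AppData\\Local\\alice\\"
                     "{0D0826CD-36F5-4739-BCDA-830ABA3BF5D7}\\Fupooboe1.dll,#1 "
                     '--ad="C:\\Users\\alice\\AppData\\Roaming\\SwingDamp\\license.dat"'),
     "CurrentDirectory": "C:\\Users\\alice\\"},
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "CurrentDirectory": "C:\\Windows\\System32\\"},
]

# rundll32 takes "<dll>,<entry> [args]"; <entry> is an export name or an
# ordinal written as #N. The DLL part runs up to the first comma.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^,]+?)"?,(?P<entry>#?\w+)(?P<rest>.*)$',
    re.IGNORECASE,
)


def parse_rundll32(command_line):
    """Return (dll, entry, rest) if the command line invokes rundll32, else None."""
    m = RUNDLL32_RE.search(command_line)
    if not m:
        return None
    return m.group("dll").strip(), m.group("entry"), m.group("rest").strip()


def icedid_loader_reasons(event):
    """Reasons this process-creation event resembles the IcedID loader chain."""
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return []
    dll, entry, rest = parsed
    reasons = []
    if entry.startswith("#"):
        reasons.append("ordinal export (%s) instead of a named entry point" % entry)
    if "\\" not in dll:
        # A bare file name is resolved from the working directory, here the mounted ISO.
        reasons.append("bare DLL name '%s' resolved from %s" % (dll, event["CurrentDirectory"]))
    if "\\appdata\\" in dll.lower():
        reasons.append("DLL loaded from a user profile path")
    if re.search(r'--ad="?[^"]*license\.dat', rest, re.IGNORECASE):
        reasons.append("--ad argument pointing at license.dat (IcedID persistence data file)")
    # An ordinal entry point alone is unusual but not conclusive; require a second indicator.
    return reasons if entry.startswith("#") and len(reasons) >= 2 else []


def find_icedid_loader_events(events):
    """Map the index of every matching event to the reasons it matched."""
    hits = {}
    for i, event in enumerate(events):
        reasons = icedid_loader_reasons(event)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for i, reasons in find_icedid_loader_events(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"])
        for r in reasons:
            print("   -", r)
```

The ordinal entry point by itself is not enough to alert on, so the check requires a second indicator: a DLL name with no directory component (resolved from the working directory, which for the documents.lnk stage is the mounted ISO), a DLL under AppData, or the --ad="...license.dat" argument that the persistent IcedID DLL is launched with. The shell32.dll,Control_RunDLL row is included to show a legitimate rundll32 use that does not match.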
TRAFFIC FROM AN INFECTED WINDOWS HOST:
URLS USED FOR INITIAL ZIPPED ISO DOWNLOAD:
- hxxps://forms.yandex[.]com/u/62c3f155d938b02acd2ffef7/success/?w=858456524639516896
- hxxps://firebasestorage.googleapis[.]com/v0/b/deft-scout-355009.appspot.com/o/heLG2kRaZE%2FStolen_ImagesEvidence.zip?alt=media&token=06d21941-1fca-44f5-97e1-5037333a065e
HTTP TRAFFIC FOR GZIP BINARY GENERATED BY ICEDID INSTALLER:
- 134.209.107[.]62 port 80 - carismorth[.]com - GET / HTTP/1.1
ICEDID C2 TRAFFIC:
- 92.38.171[.]191 port 443 - uytricmpreprom[.]com - HTTPS traffic
- 92.38.171[.]191 port 443 - feldaxxxx[.]com - HTTPS traffic
UYTRICMPREPROM[.]COM AND FELDAXXXX[.]COM USE SELF-SIGNED CERTIFICATES FOR HTTPS TRAFFIC:
- id-at-commonName=localhost
- id-at-countryName=AU
- id-at-stateOrProvinceName=Some-State
- id-at-organizationName=Internet Widgits Pty Ltd
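ADDED EXAMPLE - MATCHING THE C2 CERTIFICATE SUBJECT AND C2 INDICATORS ABOVE IN TLS LOGS:
The subject on both C2 certificates (CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd) is simply the set of default answers to the openssl req prompts, which makes it a useful hunting pivot alongside the C2 domains and IP address listed above. The Python below is an added example and is not part of this IOC list. It refangs the indicators from this file and runs them, together with the default-subject check, over a constructed Zeek ssl.log excerpt; the client address 10.0.0.25, the timestamps, the benign third row and the assumption that the subject is rendered in Zeek's comma-separated RDN form are all made up for the example.

```python
import csv
import io

# IcedID C2 indicators copied from this IOC list, in the defanged form used there.
C2_DOMAINS = {"uytricmpreprom[.]com", "feldaxxxx[.]com"}
C2_IPS = {"92.38.171[.]191"}

# Subject seen on both C2 certificates. These are OpenSSL's default prompt
# values, i.e. what `openssl req` produces when every question is skipped.
DEFAULT_OPENSSL_SUBJECT = {
    "CN": "localhost",
    "C": "AU",
    "ST": "Some-State",
    "O": "Internet Widgits Pty Ltd",
}


def refang(indicator):
    """Turn a defanged indicator ("example[.]com", "hxxps://") back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_subject(subject):
    """Parse a 'CN=a,O=b' subject string into a dict of RDN attributes (order-independent)."""
    out = {}
    for part in subject.split(","):
        if "=" in part:
            key, _, value = part.partition("=")
            out[key.strip()] = value.strip()
    return out


# Constructed Zeek ssl.log excerpt (tab-separated; not a real capture). The C2
# IP, port, SNIs and certificate subject come from this IOC list; the client
# address 10.0.0.25, the timestamps and the benign third row are assumptions.
SAMPLE_SSL_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tsubject
1657120800.10\t10.0.0.25\t49712\t92.38.171.191\t443\tuytricmpreprom.com\tCN=localhost,C=AU,ST=Some-State,O=Internet Widgits Pty Ltd
1657120831.44\t10.0.0.25\t49720\t92.38.171.191\t443\tfeldaxxxx.com\tCN=localhost,C=AU,ST=Some-State,O=Internet Widgits Pty Ltd
1657120845.02\t10.0.0.25\t49731\t203.0.113.10\t443\tupdates.example.net\tCN=updates.example.net,O=Example Net,C=US
"""


def classify_ssl_rows(log_text):
    """Return (resp_h, resp_p, server_name, hits) per row; hits lists the matched indicators."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    domains = {refang(d) for d in C2_DOMAINS}
    ips = {refang(i) for i in C2_IPS}
    results = []
    for row in reader:
        hits = []
        if row["server_name"] in domains:
            hits.append("sni:" + row["server_name"])
        if row["id.resp_h"] in ips:
            hits.append("ip:" + row["id.resp_h"])
        subj = parse_subject(row["subject"])
        if all(subj.get(k) == v for k, v in DEFAULT_OPENSSL_SUBJECT.items()):
            hits.append("default-openssl-subject")
        results.append((row["id.resp_h"], row["id.resp_p"], row["server_name"], hits))
    return results


if __name__ == "__main__":
    for resp_h, resp_p, sni, hits in classify_ssl_rows(SAMPLE_SSL_LOG):
        print("%s:%s %-24s %s" % (resp_h, resp_p, sni, ", ".join(hits) or "-"))
```

The domain and IP matches are exact indicators and expire as infrastructure rotates; the default-subject match is broader, since the same subject appears on plenty of lab and appliance certificates, so treat it as a pivot to investigate (a default-subject certificate on an outbound 443 connection to a recently registered domain) rather than as an alert on its own.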
DARK VNC TRAFFIC:
- 188.40.246[.]37 port 8080 - encoded/encrypted TCP traffic
COBALT STRIKE ACTIVITY (HTTP over TCP port 8080):
- 198.44.132[.]80 port 8080 - centertechengineering[.]com:8080 - GET /lsass
- 198.44.132[.]80 port 8080 - centertechengineering[.]com - GET /cs?doaction2=false
- 198.44.132[.]80 port 8080 - centertechengineering[.]com - POST /lt