Upon initial execution, Cobalt Strike ran some discovery commands before injecting into the LSASS process to steal cached credentials. The payload was a Cobalt Strike Beacon in the form of a DLL.
#Astro empires blob download#
In this instance, the threat actors instructed IcedID to download and execute the next stage malware two hours after the initial compromise.
In some cases, there might be different threat actor groups working on different phases of the attack. If threat actors find the organization to be of interest, they will launch the next phase. As with most commodity malware we see, IcedID executes the initial discovery commands and then exfiltrates the results via the C2 channel. This case started with an IcedID infection from a malware campaign as reported by Myrtus. The threat actors used batch scripts during the intrusion for a number of purposes, primarily to disable antivirus programs and execute payloads. It appears that operators used different payloads, to accomplish different tasks, on each phase of the intrusion. In this intrusion, we observed the threat actors use multiple DLL Beacons that would call out to different Cobalt Strike C2 channels. The new group was featured in the AstroLocker ransomware blog, and it has been very active since then. XingLocker made its first appearance in early May of this year. Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant.
0 kommentar(er)
