February 15, 2022

Cybereason Threat Analysis Report

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason’s Global Security Operations Center (GSOC) team provides a threat analysis report detailing end-to-end attack scenarios in which the malware loaders IcedID, QBot, and Emotet lead to compromises with Cobalt Strike. The activity has largely been attributed to Conti ransomware affiliates. The attackers move swiftly through the environment: in most reported attacks, Cobalt Strike was deployed within two hours. Initial access is predominantly through phishing emails carrying malicious attachments. The threat actors rely heavily on Living Off the Land Binaries (LOLBins) such as PowerShell, wmic, regsvr32 and rundll32, and on native commands to carry out discovery. They also employ novel techniques and tools, including Rubeus and the abuse of esentutl for credential access, as well as exploitation of the HiveNightmare vulnerability.

  • Anvilogic Scenarios:
    • IcedID leading to Cobalt Strike
    • Qakbot/Qbot & Cobalt Strike
    • Emotet Behaviors
    • Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Esentutl Execution
    • Rubeus Commands
    • SAM, System, Security Files Accessed
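One way to express three of the use cases listed above (Esentutl Execution, Rubeus Commands, and the Office-to-LOLBin delivery pattern) as detection logic over process-creation telemetry. This is an added example, not the Cybereason report's or Anvilogic's own content; the event field names, rule names and sample command lines are constructed assumptions.

```python
import re

# Constructed sample process-creation events (not taken from the report):
# the three fields a Sysmon Event ID 1 or Windows 4688 record supplies.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\inv.dll"},
    {"parent": "cmd.exe", "image": "esentutl.exe",
     "cmdline": r"esentutl.exe /y C:\Windows\System32\config\SAM /vss /d C:\temp\sam"},
    {"parent": "cmd.exe", "image": "rubeus.exe",
     "cmdline": "rubeus.exe kerberoast /outfile:out.txt"},
    {"parent": "services.exe", "image": "esentutl.exe",
     "cmdline": r"esentutl.exe /mh C:\ProgramData\app\db.edb"},   # benign ESE use
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-Date"},                     # benign
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
LOLBINS = {"powershell.exe", "wmic.exe", "regsvr32.exe", "rundll32.exe"}
# Registry hive files under %SystemRoot%\System32\config that hold credentials.
HIVE_RE = re.compile(r"\\config\\(sam|system|security)\b", re.IGNORECASE)
# Rubeus verbs matched as whole tokens so a renamed binary is still caught.
RUBEUS_VERBS = {"kerberoast", "asreproast", "asktgt", "tgtdeleg", "s4u"}


def classify(event):
    """Return the names of the detection rules an event matches (possibly none)."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    tokens = cmd.split()
    hits = []
    # esentutl reading a credential hive; /vss lets it copy files locked by the OS.
    if image == "esentutl.exe" and (HIVE_RE.search(cmd) or "/vss" in tokens):
        hits.append("esentutl_hive_copy")
    # Rubeus invoked by name, or its verbs appearing in any command line.
    if "rubeus" in image or any(verb in tokens for verb in RUBEUS_VERBS):
        hits.append("rubeus_command")
    # A LOLBin spawned directly by an Office process: the maldoc delivery pattern.
    if parent in OFFICE_PARENTS and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    return hits


def scan(events):
    """Map each event index to its rule hits, keeping only events that matched."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", rules)
```

The benign esentutl call against an .edb database and the plain PowerShell invocation produce no hits, which is the baseline a rule like this must preserve before the hive-path and /vss conditions are tightened further.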