Pulse name: An Ice Cold Intrusion
TLP: WHITE | Author: AlienVault | Created: 2024-04-04 | Modified: 2024-05-04
IOCs: 38 | Volume: Medium
This report details a sophisticated cyber attack where threat actors gained initial access through a phishing campaign distributing malicious OneNote attachments. They delivered the IcedID malware, which maintained persistence for over a month before deploying Cobalt Strike beacons. The actors leveraged RDP, AnyDesk, and credential access to move laterally, exfiltrate data using FileZilla, and ultimately deploy Nokoyawa ransomware on critical servers, causing significant impact.
MITRE ATT&CK & Malware Families

Malware families:
- IcedID (S0483)
- Cobalt Strike (S0154)
- Nokoyawa
Indicators of Compromise (8 / 38 total)
TYPE         | INDICATOR                        | DESCRIPTION | CREATED
FileHash-MD5 | f927cd4f40c7a6dad769a8f9af771a8c | (none)      | 2024-04-04
FileHash-MD5 | 5f4d630ef00656726401b205ae4dc88f | (none)      | 2024-04-04
FileHash-MD5 | 76a1f94ed6499b99d2cc500998846875 | (none)      | 2024-04-04
FileHash-MD5 | 8800e6f1501f69a0a04ce709e9fa251c | (none)      | 2024-04-04
FileHash-MD5 | a59a7916156c52f732b4c2e321facfe1 | (none)      | 2024-04-04
FileHash-MD5 | b1f5e4774aa79f643350218df61e33f6 | (none)      | 2024-04-04
FileHash-MD5 | c561c2cdad206b6ed8469079e037e3f9 | (none)      | 2024-04-04
FileHash-MD5 | d1da347e78bf043e2dc61638e946c3da | (none)      | 2024-04-04