Pulse: An Ice Cold Intrusion
TLP: WHITE | Author: AlienVault | Created: 2024-04-04 | Modified: 2024-05-04
38 IOCs (medium volume)
This report details a sophisticated cyber attack where threat actors gained initial access through a phishing campaign distributing malicious OneNote attachments. They delivered the IcedID malware, which maintained persistence for over a month before deploying Cobalt Strike beacons. The actors leveraged RDP, AnyDesk, and credential access to move laterally, exfiltrate data using FileZilla, and ultimately deploy Nokoyawa ransomware on critical servers, causing significant impact.
MITRE ATT&CK & Malware Families
Malware families:
  IcedID (S0483)
  Cobalt Strike (S0154)
  Nokoyawa
Indicators of Compromise (7 of 38 shown; indicator types in this pulse: URL, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, domain)
TYPE            INDICATOR                                   DESCRIPTION   CREATED
FileHash-SHA1   0fdfef7c9cc4305df81b006e898e1592aa822437    -             2024-04-04
FileHash-SHA1   72a1c9ea93d18309769d8be5cdb3daedf1cddcf5    -             2024-04-04
FileHash-SHA1   8c949a7769d16c285347f650ef2eedac01dc1805    -             2024-04-04
FileHash-SHA1   aa8f2d6d98aa535e05685076ca02f781c2aa6464    -             2024-04-04
FileHash-SHA1   ca14d61bcf038cda45199f54c7c452ad262a7c88    -             2024-04-04
FileHash-SHA1   d87a3c22771b1106a1a52d96df7b2944d93fa184    -             2024-04-04
FileHash-SHA1   f1e7994c6568f0182a60f64557c7793df5e550ed    -             2024-04-04
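As an added example (not part of the pulse or of AlienVault's tooling), the script below sweeps a directory tree, streams each regular file through SHA-1, and reports any file whose digest matches one of the seven SHA-1 indicators listed above. The root directory passed on the command line and any sample file you point it at are assumptions; the hash set itself is copied from the table.

```python
#!/usr/bin/env python3
"""Sweep a directory tree for files whose SHA-1 matches the pulse's IOCs."""
import hashlib
import os
import sys
from pathlib import Path
from typing import Dict, Set

# The seven FileHash-SHA1 indicators shown on this page (lowercase hex).
PULSE_SHA1: Set[str] = {
    "0fdfef7c9cc4305df81b006e898e1592aa822437",
    "72a1c9ea93d18309769d8be5cdb3daedf1cddcf5",
    "8c949a7769d16c285347f650ef2eedac01dc1805",
    "aa8f2d6d98aa535e05685076ca02f781c2aa6464",
    "ca14d61bcf038cda45199f54c7c452ad262a7c88",
    "d87a3c22771b1106a1a52d96df7b2944d93fa184",
    "f1e7994c6568f0182a60f64557c7793df5e550ed",
}


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries are not read into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: Set[str] = PULSE_SHA1) -> Dict[str, str]:
    """Return {path: sha1} for every regular file under root whose SHA-1 is in iocs.

    IOC hashes are normalised to lowercase before comparison; symlinks are
    skipped so a link into another tree is not hashed twice, and files that
    cannot be read (locked, permission denied) are skipped rather than aborting
    the sweep.
    """
    wanted = {h.strip().lower() for h in iocs}
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha1_of_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits[str(p)] = digest
    return hits


if __name__ == "__main__":
    # Assumed invocation: python sweep_iocs.py /path/to/scan
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, digest in sorted(sweep(root).items()):
        print(f"MATCH {digest} {path}")
```

SHA-1 is adequate for matching a known sample against a published hash, but if you can pull the pulse's FileHash-SHA256 entries as well, match on those too: a hit on either is enough to flag the file, and SHA-256 is what most EDR and sandbox reports key on.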