Today we celebrate a major cybersecurity victory. Operation Endgame, a global law enforcement effort supported by insights from experts at Proofpoint and other industry vendors, resulted in:

• The disruption of major botnets
• Four arrests
• Over 100 servers taken down across 10 countries
• Over 2,000 domains brought under the control of law enforcement
• Illegal assets frozen

Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever possible and appropriate to do so, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats.

For #OperationEndgame, Proofpoint threat researchers lent their expertise in reverse engineering malware, botnet infrastructure, and identifying patterns in how the threat actors set up their servers to help authorities understand the malware and safely remediate the bot clients.

Proofpoint’s unmatched threat telemetry and researcher knowledge played a crucial role in the operation, providing key insights in identifying the new botnets that are most likely to grow and become the dominant threats affecting the most number of people around the world.

More information on the takedown and Proofpoint’s involvement can be found in our blog: https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown.

We are proud to announce that we assisted the joint international law enforcement operation #OperationEndgame, targeting the notorious botnets #IcedID, #Smokeloader, #SystemBC and #Pikabot

abuse.ch has provided key infrastructure to LEA and internal partners to disrupt these botnet operations

More information on the operation is available here:
https://operation-endgame.com/

#IcedID, #Smokeloader, #SystemBC, #Pikabot and #Bumblebee botnets have been disrupted by Operation Endgame!! This is the largest operation EVER against botnets involved with ransomware, with gargantuan thanks to a coordinated effort led by international agencies

As with the #Qakbot and #Emotet takedowns, Spamhaus are again providing remediation support - those affected will be contacted from today with steps to take.

For more information, read our write-up here: https://www.spamhaus.org/resource-hub/malware/operation-endgame-botnets-disrupted-after-international-action/

Zeus, #IcedID malware gangs leader pleads guilty, faces 40 years in prison

https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/

See how the attackers use #IcedID's reverse VNC to buy an iPhone 14 from the Apple Store and then drop #CobaltStrike on the victim machine.
Thanks to @malware_traffic for sharing the #pcap file!
https://netresec.com/?b=23A4de6

This article from @TalosSecurity is wrong: https://infosec.exchange/@TalosSecurity@mstdn.social/111182485199499672

The activity reported in this Talos article is not associated with #Qakbot.

Why do I say this?

This Talos article is "...connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns."

Talos identifies these campaigns as "AA" and "BB." But the other data Talos presents isn't associated with infrastructure for the "AA" and "BB" campaigns that have pushed Qakbot before.

That "AA" and "BB" infrastructure has been active since last month, pushing #DarkGate, #Pikabot, and #IcedID. This distribution network is run by a threat actor Proofpoint identifies as #TA577. TA577 was one of the distributors of Qakbot before Qakbot got taken down.

I would never have called TA577 the threat actor behind Qakbot, but Talos does in the article. It is merely a threat actor that distributed Qakbot.

From what I can tell, this Knight ransomeware activity is not connected with the AA/BB/TA577 distributor who has previously spread Qakbot and other malware.

NetworkMiner 2.8.1 released today! It now extracts:
#VNC desktop graphics
#njRAT transfers and screenshots
#IcedID reverse VNC graphics
#IcedID reverse VNC keylog
#BackConnect file uploads
https://netresec.com/?b=23A41e6

More info from tweet I wrote for my employer at: https://twitter.com/Unit42_Intel/status/1689645377027457027

2023-08-09 (Wednesday) - Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at https://github.com/pan-unit42/tweets/blob/master/2023-08-09-IOCs-from-IcedID-infection.txt

I've been looking for Cobalt Strike activity from these IcedID infections, but haven't had much luck in recent months.

#pcap of the infection traffic and the associated malware/artifacts are available at https://www.malware-traffic-analysis.net/2023/08/09/index.html

Hey, my Unit 42 Wireshark Quiz for #IcedID is out!

https://unit42.paloaltonetworks.com/wireshark-quiz-icedid/

Answers will be posted on Tuesday 2023-05-30.

ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week https://i5c.us/d29740

ISC diary: @malware_traffic reviews .url files and #WebDAV used for #IcedID (#Bokbot) infection https://i5c.us/d29578

Originally posted at: https://twitter.com/Unit42_Intel/status/1623707361184477185

2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, I saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using thefirstupd[.]com as its domain.

IoCs available at https://github.com/pan-unit42/tweets/blob/master/2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt

#OneNote has become a fixture in recent malware delivery campaigns, with Initial Access Broker kingpins such as #Qakbot, #IcedID, and more getting in on the action.

I've distilled all the publicly available information I could find on the topic into this post. Who's abusing it and how to mitigate them - it's all here:

https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs?sd=pf

Wave of .one files dropping #icedid:

https://app.any.run/tasks/434266a4-2ecc-499e-955a-76b39d6847fc

dll hash:
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe

a c2:
https://renomesolar[.]com/users/3954321778/4200660454

Sophos has observed new IcedID #malvertizing campaigns themed around adobe & other popular software packages

​ Infection Chain:

​ Google search for "adobe reader"
​ Google ad click
​ TDS redirect: `likhs299us[.]tech`
​ Fake website: vvw-adobe[.]top
​ Download of malware from firebase (.zip containing a .iso)
​ Setup_Win_<timestamp>.zip / Setup_Win_<timestamp>.iso

#IcedID C2: plivetrakoy[.]com

#IOCs:
​ https://www.virustotal.com/gui/file/be9ac59a6b2ea2bf55a57aec8a993a9ff77e5f6ad92531ff3cdbb7ac35295cef/content
​ https://www.virustotal.com/gui/ip-address/46.173.218.229/relations
#ThreatIntel #Malware #CTI

Fake Microsoft Teams website used to download IcedID malware

​ mlcrosofteams[.]top
​ Downloads .zip containing .msi

#IcedID C2: whothitheka[.]com

This is likely being distributed by #malvertising but I wasn't able to capture the advertisement

193.222.62[.]37 is also hosting fake IRS & Royal mail websites
​ irs-forms[.]top
​ royalmail.orders-info[.]uk

https://www.virustotal.com/gui/file/8ed2026fd98d54f9ad85d721223b60bd8b6c1362faeb4c24492d2bb63a7c357b/details
https://urlscan.io/result/a0e5de3e-75ea-46f4-8340-0ab09c440850/
https://urlscan.io/ip/193.222.62.37

Tweet I wrote for @unit42_intel on Twitter (https://twitter.com/Unit42_Intel/status/1606013040599699476):

2022-12-20 (Tues) - #IcedID (#Bokbot) infection led to #CobaltStrike on 23.81.246[.]152:443 using xedefeg[.]com - IoCs available at: https://bit.ly/3HUXess

#pcap and malware available at https://www.malware-traffic-analysis.net/2022/12/20/index.html