IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
Essential information
- Published: 10/06/2024 11:03
- Modified: 10/06/2024 11:31
- Tags: 2024-06-10, alphv, backdoor, blackcat, cobalt strike, csharp streamer, exfiltration, icedid, noberus, ransomware, rat
- Related entities: 33 observables, 33 techniques (MITRE), 6 malware
Description
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT, for credential access and lateral movement. Over eight days, the adversary methodically moved across the network, collecting data before ultimately deploying ALPHV ransomware on multiple hosts.