{
  "name": "IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment",
  "slug": "icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment",
  "description": "This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also used CSharp Streamer, a capable remote access trojan (RAT), for credential access and lateral movement. Over eight days, the adversary methodically moved across the network, collecting data before ultimately deploying ALPHV ransomware on multiple hosts.",
  "published": "2024-06-10T09:03:36+00:00",
  "created_at": "2024-06-10T09:03:36+00:00",
  "modified_at": "2024-06-10T09:31:11+00:00",
  "created_at_opencti": "2024-06-10T09:03:36+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-10",
    "alphv",
    "backdoor",
    "blackcat",
    "cobalt strike",
    "csharp streamer",
    "exfiltration",
    "icedid",
    "noberus",
    "ransomware",
    "rat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "94.232.46.27"
      },
      {
        "id": "",
        "name": "92.118.112.113"
      },
      {
        "id": "",
        "name": "77.105.140.181"
      },
      {
        "id": "",
        "name": "212.18.104.12"
      },
      {
        "id": "",
        "name": "173.255.204.62"
      },
      {
        "id": "",
        "name": "109.236.80.191"
      },
      {
        "id": "",
        "name": "85.209.11.48"
      },
      {
        "id": "",
        "name": "77.105.142.135"
      },
      {
        "id": "",
        "name": "217.23.12.8"
      },
      {
        "id": "",
        "name": "skrechelres.com"
      },
      {
        "id": "",
        "name": "jkbarmossen.com"
      },
      {
        "id": "",
        "name": "hofsaalos.com"
      },
      {
        "id": "",
        "name": "evinakortu.com"
      },
      {
        "id": "",
        "name": "modalefastnow.com"
      },
      {
        "id": "",
        "name": "jerryposter.com"
      },
      {
        "id": "",
        "name": "fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d"
      },
      {
        "id": "",
        "name": "dfa8c282178a509346fb0154e6dbd5fbb0b56c38894ce7d244f5ca26d6820e67"
      },
      {
        "id": "",
        "name": "d8f51dcfe928a1674e8d88029a404005ab826527372422cac24c81467440feb0"
      },
      {
        "id": "",
        "name": "cd0e941587672ab1517681a7e3b4f93a00020f8c8c8479a76b9e3555bcd04121"
      },
      {
        "id": "",
        "name": "c2ddb954877dcfbb62fd615a102ce5fa69f4525abc1884e8fe65b0c2b120cfd4"
      },
      {
        "id": "",
        "name": "bd4876f7efbd18a03bbb401a5dc77ed68ef95c72a3f7be83cef39a4515e0c476"
      },
      {
        "id": "",
        "name": "bc49622009b29c23ee762fe6f000936eb1c4c1b29496d5382f175c99ad941aac"
      },
      {
        "id": "",
        "name": "9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f"
      },
      {
        "id": "",
        "name": "94d6395dcab01250650e884f591956464d582a4f1f5da948055e6d2f0a215ace"
      },
      {
        "id": "",
        "name": "6f3a02674b6bbf05af8a90077da6e496cc47dda9101493b8103f0f2b4e4fd958"
      },
      {
        "id": "",
        "name": "7d2e705dcaa9f36fb132b7ff329f61dd5d0393c28dcd53b2be1e3ba85c633360"
      },
      {
        "id": "",
        "name": "6a6cd64fba34aadad2df808b0fcab89ef26a897040268b24fed694036cc51d6a"
      },
      {
        "id": "",
        "name": "5d1817065266822df9fa6e8c5589534e031bb6a02493007f88d51a9cfb92e89b"
      },
      {
        "id": "",
        "name": "5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf"
      },
      {
        "id": "",
        "name": "457a2f29d395c04a6ad6012fab4d30e04d99d7fc8640a9ee92e314185cc741d3"
      },
      {
        "id": "",
        "name": "3336bfde9b6b8ef05f1d704d247a1a8fd0641afaecc6a71f5cfa861234c4317b"
      },
      {
        "id": "",
        "name": "4103cc8017409963b417c87259af2a955653567cdbf7d5504198dd350f9ef9c1"
      },
      {
        "id": "",
        "name": "e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:0088b8a699120772",
        "name": "CSharp Streamer",
        "slug": "csharp-streamer"
      },
      {
        "id": "legacy:malware:57f5f768df634c63",
        "name": "BlackCat - S1068",
        "slug": "blackcat-s1068"
      },
      {
        "id": "legacy:malware:0d729aad6e4a08a8",
        "name": "Noberus",
        "slug": "noberus"
      },
      {
        "id": "legacy:malware:3f7697d87ccd7a64",
        "name": "ALPHV",
        "slug": "alphv"
      },
      {
        "id": "legacy:malware:5b97ff7cc1ffdf29",
        "name": "IcedID - S0483",
        "slug": "icedid-s0483"
      },
      {
        "id": "ab138766-9b64-4880-87fb-1942a709d778",
        "name": "Cobalt Strike - S0154",
        "slug": "cobalt-strike-s0154"
      }
    ],
    "attack_patterns": [
      {
        "id": "a69453e8-307d-4331-976b-b3a151424f26",
        "name": "T1043"
      },
      {
        "id": "28784df4-38e7-4195-b0aa-bd35746dfbe7",
        "name": "T1069.002"
      },
      {
        "id": "219502b8-3f28-4cb2-bd07-7235cc46a138",
        "name": "T1003.006"
      },
      {
        "id": "10dae4e9-d63f-4b23-ae9c-abbb0ff59330",
        "name": "T1218.010"
      },
      {
        "id": "a6b6df0a-93c1-4ddf-8403-2bc47590f9fe",
        "name": "T1087.001"
      },
      {
        "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d",
        "name": "T1003.001"
      },
      {
        "id": "a1de6d30-7fd6-4352-8f6c-d9904347f33f",
        "name": "T1039"
      },
      {
        "id": "985513c3-6e7b-441f-87f7-7923e1758e9c",
        "name": "T1078.002"
      },
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "a15721d2-76b1-4869-bd1f-819afb6e368d",
        "name": "T1482"
      },
      {
        "id": "6c54bb5e-b90c-478e-b1fb-705daf1869b3",
        "name": "T1197"
      },
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "9e6c4b38-f4e1-4b1f-b90a-222f881acbab",
        "name": "T1087.002"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "e73b317e-ea92-49b4-a45d-051f7279aced",
        "name": "T1213"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "a831f7c4-a7f0-4243-8211-1cd44fa34fa7",
        "name": "T1020"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ]
  },
  "external_refs": [
    "https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/",
    "https://otx.alienvault.com/pulse/6666dd884a5155bce8735a6a"
  ]
}