2022-10-31 - ICEDID (BOKBOT) INFECTION WITH BACKCONNECT, KEYHOLE VNC, AND COBALT STRIKE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

NOTES:

• In the reference below, I mistakenly reported the BackConnect and Keyhole VNC traffic as "DarkVNC" for @Unit42_Intel.
• I've fixed this blog post and the material to show the correct activity.
• For more on Backconnect, see: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
• For more on Keyhole VNC, see: https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/

REFERENCE:

• https://twitter.com/Unit42_Intel/status/1587463493300719616

 

ASSOCIATED FILES:

• 2022-10-31-IOCs-for-IcedID-activity.txt.zip   1.8 kB   (1,834 bytes)
• 2022-10-31-IcedID-part-1-with-BackConnect-and-Keyhole-VNC.pcap.zip   3.4 MB   (3,426,416 bytes)
• 2022-10-31-IcedID-part-2-with-BackConnect-and-Cobalt-Strike.pcap.zip   2.2 MB   (2,173,034 bytes)
• 2022-10-31-malware-and-artifacts-from-IcedID-infection.zip   1.5 MB   (1,472,969 bytes)

 

IMAGES

Shown above:  Screenshot of video from the decoded VNC traffic.

 

Click here to return to the main page.