Malware-Traffic-Analysis.net - 2022-07-06 - TA578 'Stolen Images Evidence' --> IcedID (Bokbot) --> BackConnect, Anubis VNC, and Cobalt Strike

2022-07-06 (WEDNESDAY) - TA578 "STOLEN IMAGES EVIDENCE" --> ICEDID (BOKBOT) --> BACKCONNECT, ANUBIS VNC & COBALT STRIKE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

In the reference below, I mistakenly reported the BackConnect and Anubis VNC traffic as "DarkVNC" for @Unit42_Intel.
I've fixed this blog post and the material to show the correct activity.
For more on Backconnect, see: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
For more on Anubis VNC, see: https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/

REFERENCE:

https://twitter.com/Unit42_Intel/status/1544820768256786433

ASSOCIATED FILES:

2022-07-06-IOCs-for-TA578-contact-forms-IcedID-with-BackConnect-and-Anubis-VNC-and-Cobalt-Strike.txt.zip 2.3 kB (2,344 bytes)
2022-07-06-TA578-Contact-Forms-IcedID-with-BackConnect-and-Anubis-VNC-and-Cobalt-Strike.pcap.zip 18.5 MB (18,521,410 bytes)
2022-07-06-TA578-IcedID-malware-and-artifacts.zip 3.4 MB (3,445,708 bytes)

IMAGES

Shown above: Screenshot of video from the decoded VNC traffic.

Click here to return to the main page.