As early as April 2022, a long-running threat actor known as TA551 (designated by Proofpoint), Monster Libra (designated by Palo Alto Networks), or Shathak started distributing SVCReady malware. Since then, SANS has occasionally seen this same threat actor also push IcedID (Bokbot) malware.
REFERENCE: https://isc.sans.edu/diary/rss/28884
TARGETED COUNTRY: Italy
MALWARE FAMILIES: Cobalt Strike, DarkVNC, IcedID
ATT&CK ID: T1547 - Boot or Logon Autostart Execution