![]() ![]() Shown above: Opening the malicious WebDAV server in Windows File Explorer. The image below shows what happened when we opened \\104.156.1496\webdav\ in a File Explorer window. You can access WebDAV servers using Windows File Explorer. WebDAV stands for "Web Distributed Authoring and Versioning," and it's a set of extensions to the HTTP protocol that allows users to access and edit files on a remote web server. bat files both use WebDAV to retrieve and run the malware. bat file runs a DLL installer for IcedID on the same server at \\104.156.1496\webdav\host.dll. Shown above: URL file and the associated BAT file. url files all use file:\\\\ instead of for the URL, and they all grab a similarly-named. url files that attempt to contact the server. Searching VirusTotal revealed at least 22. On Tuesday, tweeted about an open directory at hxxp://104.156.1496/webdav/. Shown above: Flow chart for the infection activity. ![]() Today's diary reviews an infection from Thursday generated by one of those. url files and WebDAV traffic for an IcedID infection. For example, on Tuesday, we found a distribution pattern using. But these distribution patterns occasionally change. IcedID is often distributed through email, and we've also seen it delivered by fake software sites from Google ad traffic.įor email-based distribution, we've seen OneNote files as an initial lure this month ( here's one example). IcedID (also known as Bokbot) is an information stealer/backdoor malware that can lead to other activity like Cobalt Strike and Virtual Network Computing (VNC) traffic. ![]()
0 Comments
Leave a Reply. |