IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours

Since the initial infection vector is a phishing email carrying a malicious ZIP file, it is recommended to implement and maintain proper email security controls. Controls such as AV scanning and sandboxing can help prevent phishing emails from reaching end users, potentially stopping the malware from infecting a workstation in the first place. It is also recommended to maintain appropriate endpoint security controls. Most of the behaviors this attack exhibits post-compromise would be considered suspicious activity, so most EDRs would likely be able to prevent certain aspects of the attack from occurring. Likewise, the attack relies on common tooling, such as Cobalt Strike and Rubeus, that most EDRs would likely block from executing at all.

Where prevention does not occur, detection helps alert the organization to a potential compromise within the environment. Most of the initial infection vector and the post-compromise activity can be alerted upon with the appropriate logging in place. Activities such as a DLL being copied from an ISO to the TEMP directory, rundll32.exe creating a scheduled task, regsvr32.exe making network callouts, Atera agents being installed on devices in an unauthorized manner, and rclone.exe being used to connect to the MEGA cloud storage service are all suspicious behaviors that can be monitored for and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
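The five behaviors listed above, expressed as detection rules and run over constructed Sysmon-style events, as an added example that is not Binary Defense's or the source articles' code; the event field names, rule names, sample paths and the 203.0.113.10 callout address are assumptions for illustration.

```python
# Added example, not Binary Defense's or the source articles' code: the behaviours
# listed above as rules over constructed Sysmon-style events (field names assumed).
from dataclasses import dataclass

@dataclass
class Event:
    event_id: int           # Sysmon ID: 1 process create, 3 network, 11 file create
    image: str              # acting process
    parent_image: str = ""  # parent process (event 1)
    cmdline: str = ""       # command line (event 1)
    target: str = ""        # file written (event 11) or destination host (event 3)

def _exe(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(ev):
    """Return the names of the rules a single event matches."""
    hits, exe, parent = [], _exe(ev.image), _exe(ev.parent_image)
    cmd, tgt = ev.cmdline.lower(), ev.target.lower()
    # 1. process running from a mounted ISO (any drive but C:) writes a DLL into TEMP
    if ev.event_id == 11 and not ev.image.lower().startswith("c:\\") \
            and tgt.endswith(".dll") and "\\temp\\" in tgt:
        hits.append("dll_from_iso_to_temp")
    # 2. rundll32.exe spawns schtasks.exe to create a scheduled task
    if ev.event_id == 1 and parent == "rundll32.exe" and exe == "schtasks.exe" and "/create" in cmd:
        hits.append("rundll32_creates_schtask")
    # 3. regsvr32.exe makes an outbound network connection
    if ev.event_id == 3 and exe == "regsvr32.exe":
        hits.append("regsvr32_network_callout")
    # 4. Atera agent started or installed; allowlist sanctioned deployments when tuning
    if ev.event_id == 1 and "atera" in exe + cmd:
        hits.append("atera_agent_install")
    # 5. rclone.exe referencing MEGA, the exfiltration channel seen in this intrusion
    if exe == "rclone.exe" and "mega" in cmd + " " + tgt:
        hits.append("rclone_to_mega")
    return hits

def scan(events):
    """Apply every rule to a list of events; returns (event index, rule) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in detect(ev)]

# Constructed sample telemetry: one event per behaviour plus a benign process start.
SAMPLE = [
    Event(11, r"D:\document.exe", target=r"C:\Users\u\AppData\Local\Temp\x.dll"),
    Event(1, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\rundll32.exe",
          '/create /sc hourly /tn upd /tr "rundll32 x.dll,init"'),
    Event(3, r"C:\Windows\System32\regsvr32.exe", target="203.0.113.10"),
    Event(1, r"C:\Users\u\Downloads\AteraAgent.exe", r"C:\Windows\explorer.exe", "/quiet"),
    Event(1, r"C:\tools\rclone.exe", r"C:\Windows\System32\cmd.exe", "copy C:\\share mega:loot"),
    Event(1, r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\explorer.exe"),
]
```

In production these matches would be fed from the SIEM's process, file and network events rather than an in-memory list, and rules 4 and 5 need an allowlist for any sanctioned Atera or rclone use.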

Sources:
https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html?m=1
https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise