IcedID thread hijacking attack uses compromised Exchange servers

Attackers use compromised Microsoft Exchange servers to send phishing emails, which include malicious attachments that infect victims with IcedID malware.

The latest campaign, which was observed in mid-March and appears to be still ongoing, targeted organizations in the energy, health, legal and pharmaceutical sectors. IcedID, which was first discovered in 2017, was originally designed as a way for attackers to steal banking credentials. However, since then the malware has evolved and is now used to deploy second-stage payloads to victim machines.

“In the new IcedID campaign, we discovered a new evolution in threat actor technique,” Intezer researchers Joakim Kennedy and Ryan Robinson said in a Monday analysis of the campaign. “The threat actor is now using compromised Microsoft Exchange servers to send the phishing emails from the account he stole.”

Researchers observed phishing emails used in attacks with a decoy warning victims of unprocessed payments for recent contracts and pointing to legal documentation in an attached file. The emails use thread hijacking, where attackers use legitimate and compromised emails and insert themselves into existing conversations, making the phishing attack more compelling and difficult for the end user to detect.

The attached zip archive is password protected, with the password supplied in the body of the email. The archive contains a single ISO file. When the victim opens the ISO and clicks on the file inside, the “regsvr32” command-line utility is used to execute a DLL file (main.dll). The researchers describe this as a defense-evasion technique: regsvr32 is a trusted, signed Windows binary, so the malicious code in main.dll runs by proxy under its name.

“The payload also changed from using office documents to using ISO files with a Windows LNK file and a DLL file,” Kennedy and Robinson said. “Using ISO files allows the threat actor to bypass Mark-of-the-Web controls, causing the malware to execute without warning to the user.”
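The ISO-to-LNK-to-regsvr32 chain described above leaves a recognizable process-creation footprint: regsvr32.exe launched interactively from explorer.exe with a DLL argument that lives on a freshly mounted volume rather than in a system directory. The following is an added detection example, not code from the article or from Intezer. It runs over constructed Sysmon-style process-creation records (field names and sample paths are my own, including the file name main.dll taken from the article) and flags the combinations a defender would want to review.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields
# (parent image, image, command line). These are made-up samples, not telemetry
# from the campaign described in the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s E:\main.dll"},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\alice\AppData\Local\Temp\doc.dll"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\notepad.exe",
     "cmdline": r"notepad.exe E:\invoice.txt"},
]

# Directories where a legitimately registered DLL normally lives (lower-cased).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Path fragments that mark user-writable locations.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# First quoted or unquoted token ending in .dll on the command line.
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
# Any drive letter other than C:, which is where a mounted ISO or removable medium appears.
NON_SYSTEM_DRIVE_RE = re.compile(r"^[a-bd-z]:\\")


def dll_argument(cmdline):
    """Return the lower-cased DLL path passed to regsvr32, or None if there is none."""
    m = DLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)).lower() if m else None


def classify(event):
    """Return a list of reasons if the event looks like regsvr32 proxying an untrusted DLL, else None."""
    if event["image"].lower().rsplit("\\", 1)[-1] != "regsvr32.exe":
        return None
    dll = dll_argument(event["cmdline"])
    if dll is None or dll.startswith(TRUSTED_PREFIXES):
        return None
    reasons = []
    if NON_SYSTEM_DRIVE_RE.match(dll):
        reasons.append("DLL loaded from a non-system volume (mounted ISO or removable media)")
    if any(marker in dll for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL loaded from a user-writable directory")
    if not reasons:
        return None
    # Context, not a trigger on its own: an interactive launch from explorer.exe
    # is what a double-clicked LNK file inside the mounted ISO produces.
    if event["parent"].lower().endswith("\\explorer.exe"):
        reasons.append("launched from explorer.exe, consistent with an LNK double-click")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for every event that classify() flags."""
    results = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            results.append((i, reasons))
    return results


if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline']}")
        for reason in reasons:
            print("   -", reason)
```

The drive-letter heuristic is what catches the Mark-of-the-Web bypass: a file extracted from a downloaded zip carries the Zone.Identifier stream, but the contents of a mounted ISO do not, so the only remaining signal is that the DLL is being registered from a volume that did not exist a moment earlier. In production the explorer.exe parent check would be joined with a volume-mount event rather than inferred from the drive letter alone.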


The DLL file is the loader for the IcedID payload and contains a number of exports, most of which consist of junk code. The loader first locates the encrypted payload via API hashing, a technique commonly used by malware to prevent analysts and automated tools from determining the purpose of the code: rather than importing Windows API functions by name, the loader resolves them at runtime by hashing export names and comparing the results against hard-coded values. The payload is then decoded, placed in memory and executed. It fingerprints the machine and connects to the command and control (C2) server to send information about the victim machine, which is smuggled out in the Cookie header of an HTTP GET request, the researchers said.
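Because API hashing leaves no function names in the binary, an analyst reverses it the other way round: hash every export of the DLLs the sample could plausibly use and look the sample's constants up in that table. The block below is an added illustration, not code from the article or from Intezer. The rotate-right-13 hash is a generic scheme seen in many public loaders and is chosen here only to make the mechanism concrete; it is not claimed to be the algorithm IcedID uses, and the hash constants in HASHES_IN_SAMPLE are constructed.

```python
# Constructed rotate-right-13 hash over the ASCII bytes of an export name. This
# is a generic scheme found in many public loaders and is used here only to
# illustrate the technique; it is not claimed to be IcedID's algorithm.
def ror13_hash(name):
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + byte) & 0xFFFFFFFF                 # add the next character
    return h


# A handful of real kernel32/wininet export names. In practice the analyst feeds
# in every export of every DLL the sample loads, harvested from a clean system.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "InternetOpenA", "InternetConnectA",
    "HttpOpenRequestA", "HttpSendRequestA",
]


def build_table(names):
    """Precompute hash -> name. A collision would make a hash ambiguous, so fail loudly."""
    table = {}
    for name in names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision between {name} and {table[h]}")
        table[h] = name
    return table


def resolve(hashes, table):
    """Map the 32-bit constants pulled out of a sample back to API names."""
    return {h: table.get(h, "<unresolved>") for h in hashes}


# Constructed: the constants a loader carries in place of the API names it needs.
# Note that the strings "VirtualAlloc" and "CreateThread" never appear in the sample.
HASHES_IN_SAMPLE = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"), 0x12345678]


if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    for h, name in resolve(HASHES_IN_SAMPLE, table).items():
        print(f"0x{h:08x} -> {name}")
```

An unresolved constant usually means the export list is incomplete or the sample uses a different hash (a different rotation count, a seed, or a case-folded name), which is why the hash function is kept separate from the lookup so it can be swapped once the loader's routine has been identified.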

The researchers said the majority of compromised Exchange servers they observed in the attack “also appear to be unpatched and publicly exposed, making the ProxyShell vector a good theory.”

“While the majority of the Exchange servers used to send the phishing emails can be accessed by anyone on the internet, we also saw a phishing email sent internally on what appears to be an internal Exchange server,” Kennedy and Robinson said.

Researchers believe that the threat actor behind this campaign may specialize as an access broker. The malware has previously been used by access brokers, such as TA577 and TA551, which gain initial access to organizations before selling that access to other threat actors.

“Techniques used by TA551 include conversation hijacking and password-protected zip files,” Kennedy and Robinson said. “The group is also known to use regsvr32.exe for execution of signed binary proxy for malicious DLLs.”

Kennedy said that IcedID does not deploy ransomware directly – it instead drops malware or tools like Cobalt Strike that are used to extend access within an organization before the ransomware is executed – but ransomware families such as Sodinokibi, Maze and Egregor have been connected to initial access gained through IcedID. The researchers pointed out that security training can help employees better detect phishing emails like those used in this campaign.

“Although the hijacked thread makes it appear more ‘legitimate,’ they still have the hallmark of classic phishing emails,” Kennedy said. “The emails we observed have poor English, for example, so employee education about phishing is important, along with good security hygiene.”
