
An Ongoing Reply-Chain Hijacking Campaign Drops IcedID

A newly identified campaign is hijacking ongoing email conversation threads to deliver hard-to-spot malicious attachments. The campaign drops the IcedID banking trojan on targeted users.
 
First seen in 2017, IcedID belongs to the same class as the Emotet and QakBot trojans: banking malware that is also used as a loader for other malicious payloads. In one such incident, its operators used IcedID to distribute the Cobalt Strike adversary simulation tool.

 

About the campaign

Researchers at Intezer uncovered the ongoing IcedID campaign, which targets organizations in the energy, healthcare, pharmaceutical, and legal sectors.
  • Attackers send a phishing email carrying a malicious attachment as a reply in an ongoing conversation, so it appears to come from a known correspondent.
  • The attackers obtain the credentials they need by abusing unpatched Microsoft Exchange servers.
  • The analysts also observed malicious emails sent through internal Microsoft Exchange servers, from local IP addresses and a trusted domain, which leaves recipients little reason for suspicion.
 

Operational details 

  • The email attachment is a ZIP archive containing an ISO image; the ISO in turn holds an LNK shortcut and a DLL.
  • When the victim double-clicks document[.]lnk, the shortcut launches the DLL, which acts as the IcedID loader.
  • The IcedID GZiploader payload is stored encrypted in the resource section of the DLL. Once decrypted, it is written into memory and executed there.
  • The loader then fingerprints the host and sends basic system details to the C2 server (yourgroceries[.]top) in an HTTP GET request.
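The LNK-to-DLL step is the part of this chain a defender can most easily catch on the endpoint: the shortcut hands the DLL to regsvr32[.]exe (the signed binary proxy execution technique noted below), and the DLL sits on a drive letter that only exists because the ISO was mounted. The following Python script is an added example written for this page, not code from Intezer or the campaign. It runs a simple detection over constructed Sysmon-style process-creation records (the JSON field names, the D: drive letter, and the file names are assumptions, and the records are not real telemetry), flagging regsvr32 launches of a DLL outside trusted directories and adding triage context when the DLL is on a non-system drive or the parent process is explorer.exe.

```python
"""Detect regsvr32 proxy execution of a DLL delivered on a mounted ISO.

Added example for this write-up; it is not code from Intezer or the campaign.
The log records are constructed in a Sysmon Event ID 1-like JSON shape (field
names Image, CommandLine, ParentImage, User and RecordId are an assumption)
and are not real telemetry.
"""
import json
import re
from pathlib import PureWindowsPath

# Directories where a legitimately installed component would normally live.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Either a quoted path (may contain spaces) or an unquoted drive-rooted path ending in .dll.
DLL_RE = re.compile(r'"([^"]+?\.dll)"|([a-z]:\\\S+?\.dll)\b', re.IGNORECASE)

# Constructed sample records (assumption: Sysmon-like field names, D: is the mounted ISO).
SAMPLE_EVENTS = [
    # Benign: an installer registers its own component under Program Files.
    json.dumps({
        "RecordId": 1,
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": '"C:\\Windows\\System32\\regsvr32.exe" /s "C:\\Program Files\\Vendor\\vendor.dll"',
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
        "User": "NT AUTHORITY\\SYSTEM",
    }),
    # Unrelated process creation from the same drive; must not be flagged.
    json.dumps({
        "RecordId": 2,
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe D:\\readme.txt",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "User": "CORP\\alice",
    }),
    # Pattern from the write-up: the user double-clicks the LNK on the mounted ISO,
    # so explorer.exe spawns regsvr32 against a DLL on that same drive.
    json.dumps({
        "RecordId": 3,
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /s D:\\stage.dll",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "User": "CORP\\alice",
    }),
]


def extract_dll_path(command_line):
    """Return the first .dll path found in a command line, or None."""
    m = DLL_RE.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_suspicious_regsvr32(event):
    """Return a reason string when the record matches the delivery pattern, else None.

    Necessary condition: regsvr32.exe registering a DLL outside the trusted
    directories. The drive-letter and parent-process checks only add context.
    """
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image != "regsvr32.exe":
        return None
    dll = extract_dll_path(event.get("CommandLine", ""))
    if dll is None:
        return None
    dll_l = dll.lower()
    if dll_l.startswith(TRUSTED_DLL_DIRS):
        return None
    reasons = [f"regsvr32 loading DLL outside trusted directories: {dll}"]
    if not dll_l.startswith("c:\\"):
        reasons.append("DLL on a non-system drive (mounted ISO or removable media)")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent == "explorer.exe":
        reasons.append("spawned by explorer.exe, consistent with a double-clicked LNK")
    return "; ".join(reasons)


def scan_events(lines):
    """Parse JSON log lines and return one finding per suspicious record."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reason = is_suspicious_regsvr32(event)
        if reason:
            findings.append({"record": event.get("RecordId"),
                             "user": event.get("User"),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"record {f['record']} ({f['user']}): {f['reason']}")
```

Run directly, the script prints only record 3. Tune TRUSTED_DLL_DIRS to the deployment paths used in your environment; legitimate installers do call regsvr32 from Program Files and from temporary directories, so the untrusted-directory condition is a triage signal to alert on, not a blocking rule by itself.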
 

A connection with another campaign

In June 2021, the TA551 threat group was observed using conversation hijacking and password-protected ZIP files to deliver IcedID. In that campaign, the group exploited the ProxyShell and ProxyLogon vulnerabilities in Exchange.
  • The group also used regsvr32[.]exe for signed binary proxy execution of its malicious DLLs.
  • The same technique appears in the recent attacks, which is why researchers suspect a connection between the two campaigns.
 

Conclusion

It has been almost a year since the ProxyShell vulnerabilities in Microsoft Exchange were disclosed, yet many organizations apparently still have not applied the patches. Patching must be the first priority; beyond that, organizations should also deploy reliable email security gateways to block threats arriving in suspicious emails. Note, however, that mail relayed through a compromised internal Exchange server may never pass a perimeter gateway, so endpoint controls that catch an LNK on a mounted ISO handing a DLL to regsvr32 are needed as well.
Publisher: Cyware