A newly discovered adversarial campaign is hijacking ongoing email conversation threads to inject hard-to-spot malicious payloads. The campaign drops the IcedID info-stealer on targeted users.

About the campaign

Researchers at Intezer uncovered an ongoing IcedID trojan campaign directed at organizations in the energy, healthcare, pharmaceutical, and legal sectors.
  • Attackers send a phishing email with a malicious attachment that appears to continue an ongoing conversation.
  • Attackers specifically abuse unpatched Exchange servers to steal credentials.
  • Additionally, the analysts spotted malicious emails sent from internal Exchange servers with local IP addresses, using a trusted domain, which minimizes the chance that users become suspicious.

Operational details 

  • Targets receive an email attachment, a ZIP archive containing an ISO file, which in turn holds an LNK file and a DLL.
  • If the victim double-clicks document[.]lnk, the LNK launches the DLL, which acts as the IcedID loader.
  • The IcedID GZiploader payload is stored encrypted in the resource section of the binary. After being decoded, it is placed in memory and executed.
  • The host is then fingerprinted and basic system details are sent to the C2 (yourgroceries[.]top) via an HTTP GET request.

A connection with another campaign

In June 2021, the TA551 threat group was observed using conversation hijacking and password-protected ZIP files to deliver IcedID. At that time, the group exploited the ProxyShell and ProxyLogon vulnerabilities.
  • The group also used regsvr32[.]exe for signed binary proxy execution of its malicious DLLs.
  • The same technique appears in the recent attacks, which is why researchers suspect a possible connection between the two campaigns.
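Added example (not from the Intezer report or the original article): a small Python triage routine that applies the regsvr32 proxy-execution indicator described above, and the ISO-mounted LNK/DLL chain from the operational details, to process-creation events. The events, paths, drive letters and DLL names are constructed for illustration and are not indicators from the report; the heuristic flags regsvr32 loading a DLL from outside the Windows or Program Files directories and adds context such as a non-C: drive (where a mounted ISO typically appears) or explorer.exe as the parent (a user double-clicking an LNK).

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """A process-creation event (Sysmon Event ID 1 style), constructed for this example."""
    parent_image: str
    image: str
    command_line: str


# Directories from which regsvr32 normally registers DLLs; anything else is worth a look.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample events (hypothetical paths and file names, not indicators from the report).
SAMPLE_EVENTS = [
    # benign: an installer registering a Windows component from System32
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Windows\System32\vbscript.dll"'),
    # suspicious: LNK double-clicked inside a mounted ISO (drive E:) runs regsvr32 on the DLL beside it
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s E:\data.dll"),
    # suspicious: DLL staged under the user's profile
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\SysWOW64\regsvr32.exe",
              r'regsvr32.exe "C:\Users\alice\AppData\Local\Temp\loader.dll"'),
    # benign: unrelated user activity on the same drive
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe E:\readme.txt"),
]


def extract_dll_path(command_line):
    """Return the first .dll argument (quoted or bare) on the command line, or None."""
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', command_line, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(event):
    """Return a list of reasons the event looks like regsvr32 proxy execution; empty means benign."""
    if not event.image.lower().endswith("\\regsvr32.exe"):
        return []
    dll = extract_dll_path(event.command_line)
    if dll is None:
        return []
    path = dll.lower()
    if path.startswith(TRUSTED_DLL_DIRS):
        return []
    reasons = [f"regsvr32 loading DLL outside trusted directories: {dll}"]
    # A mounted ISO gets its own drive letter, so a DLL on a drive other than the
    # system drive (assumed to be C: here) is a strong hint of the ISO attachment chain.
    if re.match(r"^[a-z]:\\", path) and not path.startswith("c:\\"):
        reasons.append("DLL on a non-system drive (mounted ISO or removable media)")
    if "\\users\\" in path or "\\temp\\" in path:
        reasons.append("DLL in a user-writable location")
    if event.parent_image.lower().endswith("\\explorer.exe"):
        reasons.append("parent is explorer.exe (user double-clicked a file such as an LNK)")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for every event that triage() flags."""
    hits = []
    for i, ev in enumerate(events):
        reasons = triage(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i].command_line}")
        for r in reasons:
            print("  -", r)
```

The trusted-directory allowlist keeps routine component registration quiet; the additional reasons are there so an analyst can see at a glance why a hit matters. On hosts where the system drive is not C:, adjust the drive check accordingly.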


It has been almost a year since the disclosure of the ProxyShell vulnerabilities in Exchange servers, yet many organizations apparently still have not applied the patches. While they must pay attention to patching, they also need to consider deploying reliable email security gateways to block threats arriving via suspicious emails.
Cyware Publisher