Security news that informs and inspires

IcedID Thread-Hijacking Attack Uses Compromised Exchange Servers


Attackers are using compromised Microsoft Exchange servers to launch thread-hijacking attacks that infect victims with the IcedID malware.

Attackers are using compromised Microsoft Exchange servers to send phishing emails, which include malicious attachments that infect victims with the IcedID malware.

The latest campaign, which was observed in mid-March and appears to still be ongoing, has targeted organizations in the energy, healthcare, law and pharmaceutical sectors. IcedID, which was first uncovered in 2017, was initially designed as a way for attackers to steal banking credentials. However, since then the malware has evolved and is now used to deploy second-stage payloads on victims’ machines.

“In the new IcedID campaign we have discovered a further evolution of the threat actors’ technique,” said Joakim Kennedy and Ryan Robinson, researchers with Intezer in a Monday analysis of the campaign. “The threat actor now uses compromised Microsoft Exchange servers to send the phishing emails from the account that they stole from.”

Researchers observed phishing emails used in the attacks with a lure warning the victims about unprocessed payments for recent contracts and pointing to legal documentation in an attached file. The emails make use of thread-hijacking, where attackers use legitimate, compromised emails and insert themselves into existing conversations, making the phishing attack more convincing and difficult for the end user to detect.

The attached zip archive file is password protected, with the password given in the email. The archive includes a single ISO file. When a vicim clicks the file, it uses the “regsvr32” command-line utility to execute a DLL file, which researchers said is a technique that enables defense evasion by allowing the proxy execution of malicious code in main.dll.

“The payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file,” said Kennedy and Robinson. “The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user.”

“In the new IcedID campaign we have discovered a further evolution of the threat actors’ technique."

The DLL file is the loader for the IcedID payload, which contains a number of exports mostly consisting of junk code. This loader first locates the encrypted payload through API hashing, which is a technique commonly used by malware in order to prevent analysts and automated tools from determining the code’s purpose, where the Windows API function calls are resolved at runtime using a hashing algorithm. The payload, which is decoded, placed in memory and executed, then fingerprints the machines and connects with the command-and-control (C2) server to send information about the victim machine. This information is smuggled through the cookies header via an HTTP GET request, said researchers.

Researchers said that the majority of the compromised Exchange servers they observed as part of the attack “appear to also be unpatched and publicly exposed, making the ProxyShell vector a good theory.”

“While the majority of the Exchange servers used to send the phishing emails can be accessed by anyone over the Internet, we have also seen a phishing email sent internally on what appears to be an ‘internal’ Exchange server,” Kennedy and Robinson said.

Researchers believe that the threat actor behind this campaign may specialize as an access broker. The malware has previously been utilized by access brokers, such as TA577 and TA551, which gain an initial access to organizations before selling that access to other threat actors.

The techniques used by TA551 include conversation hijacking and password protected zip files," said Kennedy and Robinson. "The group is also known to use regsvr32.exe for signed binary proxy execution for malicious DLLs.

Kennedy said that while IcedID is not directly deploying ransomware - instead deploying malware or tools like Cobalt Strike that are then used to gain further access into an organization, before the ransomware is then executed - ransomware families like Sodinokibi, Maze and Egregor have been connected to an initial access that uses IcedID. Researchers stressed that implementing security training in organizations can help employees better detect phishing emails like the ones used in this campaign.

“While the hijacked thread does make it appear more 'legitimate,' they still have the mark of classic phishing emails," said Kennedy. "The emails we have observed do have poor English, for example. So employee education about phishing is important together with good security hygiene."