Researchers have discovered a sophisticated post-exploitation framework being deployed on Microsoft Exchange servers to assist threat actors with credential harvesting and local reconnaissance.
After Microsoft started blocking macros obtained from the internet by default, email attackers are exploring alternative techniques to distribute Emotet, Qakbot, IcedID and other payloads.
The malware framework contains a loader, dropper and a remote access trojan with its own network communication protocol.
Researchers speculate that the emerging loader is a replacement for the BazaLoader malware.
A recent Emotet campaign with significant TTP changes reveal that attackers may be moving away from macros-based attacks given Microsoft’s recent plans to block VBA macros by default.