
Microsoft Exchange Targeted for IcedID Reply-Chain Hijacking Attacks

Distribution of the IcedID malware has recently spiked due to a new campaign that hijacks existing email conversation threads and injects hard-to-spot malicious payloads.

IcedID is a modular banking Trojan first spotted in 2017, used primarily to deploy second-stage malware such as other loaders or ransomware.

Its operators are believed to be initial access brokers who compromise networks and then sell access to other cybercriminals.

The ongoing IcedID campaign was discovered this month by Intezer researchers, who shared their findings with Bleeping Computer ahead of publication.

How the Attack Works

The primary technique in a conversation hijacking attack is to take control of an email account belonging to a key participant in a discussion with the target, and then send a phishing message crafted to look like a continuation of the thread.

So when the target receives a reply with an attachment named and presented as something relevant to the previous discussion, the chances that they will suspect fraud are minimal.

Intezer says there are clues pointing to threat actors targeting vulnerable Microsoft Exchange servers to steal credentials, as many of the compromised endpoints they found are publicly exposed and unpatched.

Additionally, in this campaign, analysts saw malicious emails sent from internal Exchange servers, using local IP addresses within a more trusted domain, which makes them unlikely to be flagged as suspicious.

IcedID latest infection chain (Intezer)

The attachment sent to the targets is a ZIP archive containing an ISO file, which, in turn, contains an LNK file and a DLL file. If the victim double-clicks on the “document.lnk”, the DLL launches to configure the IcedID loader.

The IcedID GZiploader is stored in an encrypted form in the resource section of the binary, and after decoding it is placed in memory and executed.

The host is then fingerprinted, and basic system information is sent to the C2 (your grocery store[.]top) via an HTTP GET request.

Finally, the C2 responds by sending a payload to the infected machine, although this step did not occur during Intezer's analysis.

Dynamically called function that retrieves the payload (Intezer)
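For mail-gateway or triage use, the ZIP > ISO > LNK + DLL attachment layout described above can be checked without mounting or executing anything. The following Python sketch is an added example, not code from Intezer or from the article; it assumes the ISO carries a plain ISO 9660 primary volume descriptor with the files in the root directory, and the function names, the "invoice.iso" member name and the "SAMPLE.DLL" file name are made up for the constructed fixture.

```python
import io
import struct
import zipfile

SECTOR = 2048  # ISO 9660 logical sector size

def iso_root_names(iso: bytes) -> list:
    """Lower-cased file names in the root directory of an ISO 9660 image."""
    pvd = iso[16 * SECTOR:17 * SECTOR]             # primary volume descriptor
    if len(pvd) < SECTOR or pvd[:6] != b"\x01CD001":
        return []
    lba, size = struct.unpack_from("<I4xI", pvd, 158)  # root record: extent, length
    data, names, pos = iso[lba * SECTOR:lba * SECTOR + size], [], 0
    while pos + 33 < len(data):
        rec_len, flags, name_len = data[pos], data[pos + 25], data[pos + 32]
        name = data[pos + 33:pos + 33 + name_len]
        if rec_len and not flags & 0x02 and name not in (b"\x00", b"\x01"):
            names.append(name.decode("ascii", "replace").split(";")[0].lower())
        pos = pos + rec_len if rec_len else (pos // SECTOR + 1) * SECTOR  # 0 = padding
    return names

def triage_zip(blob: bytes) -> dict:
    """Flag the ZIP -> ISO -> LNK + DLL layout without extracting to disk."""
    out = {"encrypted": False, "iso_members": [], "lnk_and_dll": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            locked = bool(info.flag_bits & 0x1)    # bit 0: password-protected entry
            out["encrypted"] |= locked
            if info.filename.lower().endswith(".iso"):
                out["iso_members"].append(info.filename)
                names = [] if locked else iso_root_names(zf.read(info))
                exts = {n.rsplit(".", 1)[-1] for n in names}
                out["lnk_and_dll"] |= {"lnk", "dll"} <= exts
    return out

def build_sample_zip() -> bytes:
    """Constructed fixture, not a real sample: minimal ISO with two empty files."""
    def rec(name, lba=0, size=0, flags=0):         # one ISO 9660 directory record
        r = struct.pack("<2xI4xI4x7xB2x4xB", lba, size, flags, len(name)) + name
        r += b"\x00" * (len(r) % 2)
        return bytes([len(r)]) + r[1:]
    dot = rec(b"\x00", 18, SECTOR, 2)
    root = dot + rec(b"\x01", 18, SECTOR, 2) + rec(b"DOCUMENT.LNK;1") + rec(b"SAMPLE.DLL;1")
    pvd = (b"\x01CD001" + bytes(150) + dot).ljust(SECTOR, b"\x00")
    iso = bytes(16 * SECTOR) + pvd + bytes(SECTOR) + root.ljust(SECTOR, b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.iso", iso)            # member name is made up
    return buf.getvalue()
```

When the ZIP is password-protected, member names remain readable in the archive's directory, so an ".iso" entry is still reported even though its contents cannot be inspected.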

Links to the November 2021 campaign

While the Intezer report focuses on current and ongoing activity, it is unclear when this campaign began. It is possible that it started five months ago.

In November 2021, a Trend Micro report described a wave of attacks using ProxyShell and ProxyLogon vulnerabilities in exposed Microsoft Exchange servers to hijack internal email response chains and distribute documents containing malware.

The actors behind this campaign were believed to be “TR”, known to operate with a plethora of malware including Qbot, IcedID and SquirrelWaffle.

All three malware families have previously been involved in hijacking email threads to deliver malicious payloads [1, 2, 3, 4].

Intezer puts the TA551 threat group in the spotlight this time due to the use of regsvr32.exe for binary proxy execution of the DLL and the use of password-protected ZIP files.

The connection between these two threat groups is unclear, however, but it is not unlikely that there is an overlap or even an underlying connection.

Update your Exchange servers

We’re approaching the one-year milestone since Microsoft released fixes for the ProxyLogon and ProxyShell vulnerabilities, so applying the latest security updates is way overdue.

Failure to do so leaves your Exchange servers, business, and employees vulnerable to phishing actors, cyber espionage, and ransomware infections.