IcedID Phishing targeted Microsoft Exchange Servers

There is a new warning about IcedID (also known as BokBot), malware that primarily targets companies and steals payment information. It also serves as a loader and spreads through several methods, including email thread hijacking and other obfuscation techniques.

IcedID has caused devastation among banking organisations in the United States, the United Kingdom, and Canada, including banks, credit card companies, mobile phone providers, and e-commerce sites. It is back with a new phishing attack that sends emails appearing to come from real accounts, using previously compromised Microsoft Exchange servers.

Alarmingly, attackers are now sending phishing emails via hijacked Microsoft Exchange servers, and the execution of the malicious payload has changed in a way that can run malware without the user's knowledge. The usual IcedID phishing method is an email with a password-protected ZIP archive containing a macro-enabled Workplace document that executes the IcedID installer.

Attack Chain Breakdown

The attack starts with a phishing email that refers to an important document and has a password-protected ZIP archive attached, with the password given in the email body. Because of "thread hijacking", a method in which attackers reuse part of a previous thread from a legitimate email in the compromised account's inbox, users believe the email is authentic.

“Using this technique, the email appears more legit and is delivered via standard channels, which may also include items such as security software,” researchers stated. Most of the campaign's originating Exchange servers appear to be unpatched and publicly accessible, “making the ProxyShell vector a good assumption.”

The ZIP archive contains a single ISO file with the same name as the archive, created not long before the email was sent. Researchers found two files inside the ISO: an LNK file named "document" and a DLL file named "main", both recently compiled and used in earlier phishing emails. When the target clicks the LNK file, it launches "regsvr32", which is used to load the DLL file that acts as the loader, so the malicious code runs inside that process.
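As an added defender-side example (not code from the article or the researchers it cites), the following Python heuristic flags the process pattern described above: regsvr32 launched from an interactive explorer.exe click to load a DLL from outside the usual install locations, such as the root of a mounted ISO drive. The event field names and the sample events are constructed for this example.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample process-creation events (not from the article), modelled on the
# chain it describes: a user opens an LNK from a mounted ISO, which runs regsvr32 to
# load the "main" DLL that acts as the IcedID loader. Field names are assumed.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s E:\main.dll"},
    {"parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe document.txt"},
]

# Directories where DLLs registered via regsvr32 are normally expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# A DLL sitting directly in a drive root (e.g. E:\main.dll) is typical of a mounted ISO.
DRIVE_ROOT_DLL = re.compile(r"^[a-z]:\\[^\\]+\.dll$", re.IGNORECASE)


def dll_argument(command_line: str) -> Optional[str]:
    """Return the .dll path passed to regsvr32 (quoted or bare), or None if absent."""
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', command_line, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def is_suspicious(event: dict) -> bool:
    """Heuristic: regsvr32 spawned by explorer.exe (an interactive click) loading a DLL
    from outside trusted install locations, or from a bare drive root."""
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return False
    if not event["parent_image"].lower().endswith("\\explorer.exe"):
        return False
    dll = dll_argument(event["command_line"])
    if dll is None:
        return False
    return not dll.lower().startswith(TRUSTED_PREFIXES) or bool(DRIVE_ROOT_DLL.match(dll))


def flag_events(events: Iterable[dict]) -> List[str]:
    """Return the command lines of all events matching the heuristic."""
    return [e["command_line"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for line in flag_events(SAMPLE_EVENTS):
        print("suspicious regsvr32:", line)
```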

The Origin of a Threat

IcedID was first discovered by researchers at IBM in autumn 2017, when the first victims of this malware were attacked. Further examination revealed that IcedID is a reconfigurable trojan with complex functionality that does not appear to include any borrowed or stolen code from other trojans. The malware has changed over time and has a long history of deception; for example, during the COVID-19 campaign it reappeared with additional features, including steganography.

In an email to Threatpost, Saumitra Das, CTO and co-founder of security firm Blue Hexagon, stated:

“This attack highlights how much work attackers put in all the time to avoid detection and why defence in depth is critical.”

Cyber-attack mitigation has become harder with the continuing growth of such software, which attackers have built to evade antivirus and malware detection. Anti-malware scans should be run regularly so that known malicious files are recognised and removed as soon as possible, and anti-malware software should be kept on the most up-to-date settings.
