Hackers abuse unpatched MS Exchange servers to deploy IcedID malware

March 29, 2022

Threat actors have been observed running a new email phishing campaign that uses conversation hijacking to spread the IcedID malware. The campaign exploits publicly exposed Microsoft Exchange servers that their owners have left unpatched.

The attackers rely on a common social engineering technique known as thread or conversation hijacking: they forge a reply to an old, stolen email and use it to convince the targeted recipient to open a malicious attachment. Experts consider the tactic notable because victims are tricked into treating the phishing email as credible, which leads to a high infection rate.

According to research published this month, security experts have detected a wave of attacks using this tactic against companies in the healthcare, legal, and energy sectors.

IcedID is a banking trojan that also serves as an entry point for follow-on attacks by its operators, such as ransomware deployment.

Once running, the malware connects to a remote server and downloads implants and tools for the next stages of the attack. This lets the attackers move quickly through the infected network and spread additional payloads.

In related news, security firms have observed a group of initial access brokers (IABs) quietly infiltrating networks with first-stage payloads such as IcedID in order to deliver more sophisticated ransomware, including REvil, Egregor, and Maze.

Previous reports on IcedID campaigns described attackers abusing the contact forms on company websites to send out phishing emails. In the current campaign, the operators instead target unpatched Microsoft Exchange servers and use them to send phishing emails from stolen user email accounts.

The new campaign sends fraudulent replies from a stolen email account into an existing conversation thread, which makes the messages appear legitimate. Researchers concluded that effective social engineering techniques such as conversation hijacking raise the overall success rate of phishing campaigns.
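As an added illustration of the tactic described above (this is not code from the article or from any research it cites), the following Python triage heuristic flags replies that carry a risky attachment or that revive a thread which has been dormant for a long time. The sample messages, the attachment-extension list, the quote-line format and the 30-day threshold are constructed assumptions.

```python
"""Triage heuristics for conversation-hijacking phishing (added example, not from the article)."""
import email
import re
from datetime import timedelta
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Attachment types often used for first-stage loaders; an assumption, tune to your environment.
RISKY_EXTS = (".zip", ".iso", ".img", ".lnk", ".js", ".vbs", ".docm", ".xlsm")
# Quote header of the form "On <RFC 2822 date>, <name> wrote:" (assumed mail-client format).
QUOTE_RE = re.compile(r"^On (.+?[+-]\d{4}), .+? wrote:", re.MULTILINE)


def triage(raw: bytes, stale_after: timedelta = timedelta(days=30)) -> list[str]:
    """Return findings for a reply that looks like a hijacked thread; [] if nothing stands out."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References")) or subject.lower().startswith("re:")
    if not is_reply:
        return []
    findings = []
    # 1. A reply that suddenly carries a loader-style attachment is the core of the lure.
    risky = [p.get_filename() for p in msg.iter_attachments()
             if (p.get_filename() or "").lower().endswith(RISKY_EXTS)]
    if risky:
        findings.append(f"reply carries risky attachment(s): {', '.join(risky)}")
    # 2. Stolen threads are old: compare the quoted message date with the reply's Date header.
    body = msg.get_body(preferencelist=("plain",))
    m = QUOTE_RE.search(body.get_content() if body else "")
    if m and msg.get("Date"):
        gap = parsedate_to_datetime(str(msg["Date"])) - parsedate_to_datetime(m.group(1))
        if gap > stale_after:
            findings.append(f"reply revives a thread dormant for {gap.days} days")
    return findings


def build_sample(attach_zip: bool, quoted_date: str) -> bytes:
    """Constructed sample: a reply from 'alice' (a compromised account) to an old thread with 'bob'."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.com", "bob@example.org"
    m["Subject"], m["Date"] = "Re: Invoice for Q3", "Tue, 29 Mar 2022 10:00:00 +0000"
    m["In-Reply-To"] = "<original-thread-id@example.org>"
    m.set_content(f"Hi Bob, please see the attached file.\n\n"
                  f"On {quoted_date}, Bob <bob@example.org> wrote:\n> Thanks, received.")
    if attach_zip:
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_bytes()
```

Run the heuristic over messages your gateway already quarantines for a first look; it is a triage signal, not a verdict, since legitimate replies to old threads with attachments do occur.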
