Cybersecurity researchers have identified a new campaign whereby attackers hijack email threads to distribute malware loaders.
Experts from Intezer say that an unknown threat actor is abusing known vulnerabilities in unpatched, compromised Microsoft Exchange servers to steal login credentials.
Once an email account has been compromised, the attackers scan the inbox for email threads with potential targets, and then simply continue the conversation, adding a malicious attachment to the mix.
Continuing the conversation
By continuing an email chain with a known party, the threat actors hope to reduce the possibility of detection to a minimum. What’s more, they seem to be using internal Exchange servers and leveraging local IP addresses within a more trustworthy domain, to further avoid detection from antivirus solutions.
The attachment usually carries a ZIP archive containing an ISO file, which in turn holds an LNK and a DLL file. Should the target open the “document.lnk” file, the shortcut runs the DLL, which launches the setup for the IcedID loader.
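The nested ZIP → ISO → LNK + DLL chain described above is something a mail gateway can look for directly. The following is an added example written for this page, not code from Intezer, BleepingComputer or any product they describe. It assumes the gateway hands over the message subject and its attachments as (name, bytes) pairs; the ISO check is a heuristic (the `CD001` volume-descriptor magic plus a raw scan for 8.3 file identifiers), not a full ISO 9660 parser, and the sample messages at the bottom are constructed stand-ins, not real captures.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# ISO 9660 primary volume descriptor lives in sector 16 (offset 0x8000);
# byte 0 is the descriptor type, bytes 1..5 are the identifier "CD001".
ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 0x8001

# ISO 9660 level-1 file identifiers look like NAME.EXT;1 (8.3, upper case).
ISO_NAME_RE = re.compile(rb"[A-Z0-9_]{1,8}\.(LNK|DLL|EXE|CMD|BAT|VBS|JS);1")
# Subject prefixes that mark a message as a reply/forward in an existing thread.
REPLY_RE = re.compile(r"^\s*(re|fw|fwd|aw|wg)\s*:", re.IGNORECASE)


@dataclass
class Verdict:
    flagged: bool
    severity: str                      # "none", "medium" or "high"
    reasons: list[str] = field(default_factory=list)


def looks_like_iso(data: bytes, name: str) -> bool:
    """Treat an entry as an ISO image if its name says so or it carries the CD001 magic."""
    if name.lower().endswith(".iso"):
        return True
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def iso_file_names(iso: bytes) -> set[str]:
    """Crude scan of the raw image for ISO 9660 8.3 identifiers (heuristic, not a parser)."""
    return {m.group(0).decode("ascii") for m in ISO_NAME_RE.finditer(iso)}


def inspect_message(subject: str, attachments: list[tuple[str, bytes]]) -> Verdict:
    """Flag ZIP attachments that wrap an ISO, escalating when the ISO holds an LNK + DLL pair
    and the message continues an existing thread (the thread-hijacking pattern)."""
    reasons: list[str] = []
    lnk_dll_pair = False
    for att_name, att_bytes in attachments:
        buf = io.BytesIO(att_bytes)
        if not zipfile.is_zipfile(buf):
            continue
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)
                if not looks_like_iso(inner, info.filename):
                    continue
                reasons.append(f"{att_name}: ISO image '{info.filename}' nested in ZIP")
                names = iso_file_names(inner)
                has_lnk = any(n.endswith(".LNK;1") for n in names)
                has_dll = any(n.endswith(".DLL;1") for n in names)
                if has_lnk and has_dll:
                    lnk_dll_pair = True
                    reasons.append(f"{att_name}: LNK + DLL pair inside ISO ({', '.join(sorted(names))})")
    if not reasons:
        return Verdict(False, "none", [])
    is_reply = bool(REPLY_RE.match(subject))
    if is_reply:
        reasons.append("attachment arrived as a reply in an existing thread")
    severity = "high" if (lnk_dll_pair and is_reply) else "medium"
    return Verdict(True, severity, reasons)


def _fake_iso(file_names: list[str]) -> bytes:
    """Constructed stand-in for an ISO image: CD001 magic plus a few 8.3 identifiers."""
    img = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
    img[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    for name in file_names:
        img += b"\x00" * 33 + name.encode("ascii") + b"\x00"
    return bytes(img)


def _zip_of(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages modelled on the chain the article describes (not real captures).
HIJACKED_REPLY = ("RE: invoice for March", [
    ("request.zip", _zip_of({"request.iso": _fake_iso(["DOCUMENT.LNK;1", "DECK.DLL;1"])})),
])
BENIGN_REPLY = ("RE: invoice for March", [
    ("report.docx", _zip_of({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})),
])

if __name__ == "__main__":
    for subj, atts in (HIJACKED_REPLY, BENIGN_REPLY):
        verdict = inspect_message(subj, atts)
        print(subj, "->", verdict.severity, verdict.reasons)
```

The severity split matters for triage: an ISO inside a ZIP is unusual enough to hold on its own, but the combination of that nesting, an LNK/DLL pair, and a reply in a thread the recipient already trusts is the specific shape of this campaign, so it gets the higher rating.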
The campaign seems to be a success, BleepingComputer asserts, as the distribution of the malware has allegedly “spiked”.
IcedID is a modular banking trojan, usually used to deploy stage-two malware. That’s why researchers believe the threat actor is most likely an access broker, who then sells on access to a target network to another party on the black market.
When exactly the campaign started, and who is behind it, cannot be stated with absolute certainty, although Intezer seems to believe a group called TA551 kicked it off some five months ago.
TA551 doesn’t seem to have any connections with nation-states, and allegedly targets organizations in English, German, Italian, and Japanese-speaking regions of the world.
Via BleepingComputer