
MS Exchange Servers Abused in Phishing Campaign


A new campaign is actively spreading the IcedID banking trojan. This time, threat actors are using Microsoft Exchange servers that they had previously compromised to spread the malware.

The campaign uses phishing emails doctored to appear as though they originate from valid and trustworthy sources, improving the rate at which sent emails turn into successful infections.

Hackers try new evasion methods

The current campaign was discovered by a team of researchers with security firm Intezer. On the surface, it seems the hackers behind the campaign are not doing anything dramatically innovative. Older phishing campaigns relied on using previously compromised email accounts to send the phishing mail from, adding a false sense of legitimacy to the messages.

However, this time around they have added new evasion tactics that make the successful delivery of the ultimate trojan payload to the target even more likely.

The hackers are sending the phishing mail using Microsoft Exchange mail servers to dish out the malicious emails. However, they are also employing an extra layer of evasion when it comes to the actual payload.

Instead of placing the malicious content in Office documents, as phishing campaigns have done for years (for example by hiding malicious macros inside an MS Office file), the hackers have moved on to archive files and disk images. This lets them bypass a protection mechanism shared by MS Office and Windows called "Mark-of-the-Web" (MOTW). MOTW applies specific precautions to files downloaded from the web, including opening them in Protected View in Office applications.

However, using archive files and .iso disk images allows hackers to circumvent this layer of protection: the container itself is flagged with MOTW, but the files inside it might not be.

The phishing emails used to spread IcedID rely on what is called "thread hijacking": the message is inserted into an existing email thread between the victim and the compromised account. This lends extra credibility to the lure.

Business as usual once payload is deployed

The email carries a password-protected archive attachment; the password is conveniently included in the email itself. The archive contains an .iso disk image, which in turn holds a main.dll file and a shortcut named document.lnk. Opening the "document" shortcut deploys the payload on the victim's system, using main.dll to compromise it.
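The delivery chain described above (password-protected archive, then a disk image, then a .lnk beside a .dll) can be turned into a simple defender-side triage rule. The following is an added example, not code from the article or from Intezer: it walks a nested-attachment tree such as a mail gateway or sandbox would produce after unpacking, records the chain characteristics the article names (including the MOTW gap for disk images nested in archives), and scores them. The `Node` structure, the finding names, the weights and the sample attachment tree are all constructed assumptions for illustration.

```python
"""Added example: triage heuristic for nested e-mail attachments.

Flags the chain described in the article: password-protected archive ->
disk image -> .lnk shortcut next to a .dll. All names, weights and the
sample trees below are constructed for illustration (not from the article).
"""
from dataclasses import dataclass, field
from typing import List, Tuple
import os

# Container types that receive a Mark-of-the-Web when downloaded, but whose
# contents may not carry it once extracted or mounted (assumed lists).
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
DISK_IMAGE_EXT = {".iso", ".img", ".vhd", ".vhdx"}
LNK_EXT = {".lnk"}
DLL_EXT = {".dll"}

# Finding name -> weight (assumed values; tune to the environment).
WEIGHTS = {
    "password_protected_archive": 2,  # content hidden from gateway scanning
    "disk_image_in_archive": 3,       # MOTW may not propagate to mounted files
    "lnk_beside_dll": 3,              # shortcut likely used to launch the DLL
}


@dataclass
class Node:
    """One attachment or one member of an unpacked container (constructed)."""
    name: str
    password_protected: bool = False
    children: List["Node"] = field(default_factory=list)

    @property
    def ext(self) -> str:
        return os.path.splitext(self.name)[1].lower()


def triage(node: Node, inside_archive: bool = False) -> List[Tuple[str, str]]:
    """Recursively collect (finding, file name) pairs for an attachment tree."""
    findings: List[Tuple[str, str]] = []
    ext = node.ext

    if ext in ARCHIVE_EXT and node.password_protected:
        findings.append(("password_protected_archive", node.name))

    # A disk image nested in an archive is the MOTW-evasion pattern.
    if ext in DISK_IMAGE_EXT and inside_archive:
        findings.append(("disk_image_in_archive", node.name))

    # A shortcut and a DLL side by side in the same container.
    child_exts = {child.ext for child in node.children}
    if child_exts & LNK_EXT and child_exts & DLL_EXT:
        findings.append(("lnk_beside_dll", node.name))

    for child in node.children:
        findings.extend(triage(child, inside_archive or ext in ARCHIVE_EXT))
    return findings


def score(findings: List[Tuple[str, str]]) -> int:
    return sum(WEIGHTS[name] for name, _ in findings)


def verdict(findings: List[Tuple[str, str]]) -> str:
    """Map a score to an action (thresholds are assumed)."""
    total = score(findings)
    if total >= 6:
        return "quarantine"
    if total >= 3:
        return "review"
    return "allow"


def build_sample_chain() -> Node:
    """Constructed tree mirroring the chain in the article."""
    return Node("invoice.zip", password_protected=True, children=[
        Node("invoice.iso", children=[
            Node("main.dll"),
            Node("document.lnk"),
        ]),
    ])


def build_benign() -> Node:
    """Constructed benign attachment for comparison."""
    return Node("report.zip", children=[Node("report.pdf")])


if __name__ == "__main__":
    for tree in (build_sample_chain(), build_benign()):
        found = triage(tree)
        print(tree.name, verdict(found), found)
```

Running the block prints `quarantine` for the constructed IcedID-style chain and `allow` for the benign archive. Pairing the rule with MOTW-aware handling (treating files extracted from a container as if they were downloaded) closes the gap the article describes, since the heuristic alone only flags the shape of the attachment, not its content.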

As attack chains evolve, staying safe from similar threats depends not just on robust security controls but also on personal awareness and avoiding critical human error.
