Cybersecurity researchers have identified a new campaign in which attackers hijack existing email threads to distribute malware loaders.
Experts from Intezer say an as-yet unidentified threat actor is exploiting known vulnerabilities in unpatched Microsoft Exchange servers to compromise them and steal login credentials.
Once an email account is under their control, the attackers scan its inbox for ongoing threads with prospective targets and simply reply in those threads, attaching a malicious file to what reads as a legitimate continuation of the conversation.
Continuing the conversation
By replying within an email chain between parties who already know each other, the threat actors aim to keep the chance of detection to a minimum. Because the reply is sent through the victim organization's own internal Exchange server, it originates from an internal IP address and the genuine sender domain, so SPF, DKIM and sender-reputation checks pass exactly as they would for legitimate internal mail, and antivirus and email security solutions have few header-level signals to key on.
The attachment is typically a ZIP archive that contains an ISO image, which in turn holds an LNK shortcut and a DLL. If the target mounts the image and opens the "document.lnk" shortcut, the shortcut runs the DLL, which loads IcedID. The ISO wrapper is a common evasion: at the time, files inside a mounted image did not carry the Mark-of-the-Web flag that would otherwise trigger SmartScreen warnings, and because Windows hides the .lnk extension the shortcut appears to the user simply as "document".
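The header characteristics and the attachment chain described above lend themselves to a simple mail-gateway triage rule. The following Python script is an added example, not code from Intezer, BleepingComputer or the campaign itself: it builds a constructed sample message (a reply into an existing thread carrying a ZIP whose only member is a placeholder "ISO"), then flags any message that is a thread reply and carries a ZIP-wrapped disk image. The addresses, filenames and verdict strings are assumptions; the rule inspects only the ZIP member listing and does not parse the ISO contents.

```python
"""Added triage example: flag a thread reply that carries a ZIP-wrapped disk image.
The sample message is constructed for the example; the 'ISO' member is a
placeholder byte string, not a real disk image or malware."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Disk-image containers commonly used to smuggle LNK/DLL pairs past Mark-of-the-Web.
DISK_IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")


def build_sample_eml() -> bytes:
    """Constructed sample: a reply into an existing thread with request.zip
    attached, whose only member is a placeholder request.iso."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("request.iso", b"\x00" * 64)  # placeholder, not a real ISO
    msg = EmailMessage()
    msg["From"] = "alice@example.com"          # assumed compromised sender
    msg["To"] = "bob@example.net"              # assumed recipient
    msg["Subject"] = "RE: Q1 invoice"
    msg["Message-ID"] = "<c3@mail.example.com>"
    msg["In-Reply-To"] = "<b2@mail.example.net>"
    msg["References"] = "<a1@mail.example.com> <b2@mail.example.net>"
    msg.set_content("Hi Bob, please see the attached document.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="request.zip")
    return msg.as_bytes()


def is_thread_reply(msg) -> bool:
    """A hijacked-conversation lure arrives as a reply: threading headers
    are present and/or the subject carries a reply/forward prefix."""
    subject = (msg["Subject"] or "").lower()
    return bool(msg["In-Reply-To"] or msg["References"]) or \
        subject.startswith(("re:", "fw:", "fwd:"))


def zip_members(data: bytes) -> list:
    """Return member names of a ZIP payload, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report thread/attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments, findings = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        attachments.append(name)
        # Check the content, not just the extension: a renamed ZIP still starts with "PK".
        if payload[:2] == b"PK":
            images = [m for m in zip_members(payload)
                      if m.lower().endswith(DISK_IMAGE_EXTS)]
            if images:
                findings.append(f"{name} wraps disk image(s): {', '.join(images)}")
    reply = is_thread_reply(msg)
    if reply and findings:
        verdict = "suspicious: thread reply carrying a ZIP-wrapped disk image"
    elif findings:
        verdict = "review: ZIP-wrapped disk image"
    else:
        verdict = "no match"
    return {"is_reply": reply, "attachments": attachments,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(build_sample_eml()).items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed sample flagged; to apply it to real mail, feed `triage()` the raw bytes of an .eml file. The reply check alone is worthless (most business mail is a reply), and the disk-image check alone is noisy in shops that legitimately ship images, so the rule only escalates when both hold; pair it with the sending-server check the paragraph above implies, since the mail will pass SPF and DKIM.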
The campaign appears to be working: BleepingComputer reports that distribution of the malware has reportedly "spiked".
IcedID began as a modular banking trojan and is now used mainly as a loader for second-stage payloads. Because the loader on its own is only a foothold, researchers believe the operator is most likely an initial access broker, who sells access to the compromised network to another party on the black market.
When exactly the campaign started, and who is behind it, cannot be stated with certainty, although Intezer attributes it to a group tracked as TA551 and believes it began roughly five months ago.
TA551 has no known connections to nation-states and reportedly targets organizations in English-, German-, Italian- and Japanese-speaking regions.
Via BleepingComputer