Cybersecurity researchers have identified a new campaign whereby attackers hijack email threads to distribute malware loaders.
Experts from Intezer say that an unknown threat actor is abusing known vulnerabilities in unpatched, compromised Microsoft Exchange servers to steal login credentials.
Once an email account has been compromised, the attackers scan the inbox for email threads with potential targets, and then simply continue the conversation, adding a malicious attachment to the mix.
Continuing the conversation
By continuing an email chain with a known party, the threat actors hope to reduce the possibility of detection to a minimum. What’s more, they seem to be using internal Exchange servers and leveraging local IP addresses within a more trustworthy domain, to further avoid detection from antivirus solutions.
The attachment usually carries a ZIP archive containing an ISO file, which itself holds an LNK and a DLL file. Should the target run the “document.lnk” file, the DLL will launch the setup for the IcedID loader.
The campaign seems to be a success, BleepingComputer asserts, as the distribution of the malware has allegedly “spiked”.
IcedID is a modular banking trojan, usually used to deploy stage-two malware. That’s why researchers believe the threat actor is most likely an access broker, who then sells on access to a target network to another party on the black market.
When exactly the campaign started, and who is behind it, cannot be stated with absolute certainty, although Intezer seems to believe a group called TA551 kicked it off some five months ago.
TA551 doesn’t seem to have any connections with nation-states, and allegedly targets organizations in English, German, Italian, and Japanese-speaking regions of the world.
Via BleepingComputer
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba