Researchers Discover New MS Exchange Hijacking Campaign

Researchers at Intezer has reported a new hijacking campaign that targets Microsoft Exchange with the IcedID modular banking trojan:

One of these banking trojans that have been used to deploy ransomware is IcedID (BokBot). IcedID was first reported on by IBM X-Force in November 2017 and the malware shared some code with Pony. While initially designed to steal banking credentials, like many other banking trojans, the malware has been repurposed for deploying other malware on the infected machines.

One way IcedID infects machines is via phishing emails. The infection chain that commonly has been used is an email with an attached password protected “zip” archive. Inside the archive is a macro enabled office document that executes the IcedID installer. Some phishing emails reuse previously stolen emails to make the lure more convincing. 

In the new IcedID campaign we have discovered a further evolution of the threat actors’ technique. The threat actor now uses compromised Microsoft Exchange servers to send the phishing emails from the account that they stole from. The payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file. The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user. With regards to targeting, we have seen organizations within energy, healthcare, law, and pharmaceutical sectors.

The way this has evolved has clearly made this dangerous as someone went through a lot of time and effort to ensure that their attack isn’t detected until it’s too late. Saumitra Das, CTO and Cofounder of Blue Hexagon agrees:

“This attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary. 

1. Reputation: Many email security systems use reputation of senders to block malicious email without being able to assess the email itself. Here they used compromised Exchange servers to make it through

2. Obfuscation: They used obfuscated file formats to deliver malware, encrypted archive – ISO – LNK – DLL to evade signature and sandboxes

3. Mutation: The DLL file was recently created so no signatures and hash lookups would help

4. Multi-Stage: The final payload is delivered over the network and not visible to email sandboxes. This shows why defense has to be done not just over email but also to go beyond and inspect the final download.”

Clearly it’s time for Exchange admins to up their game. Because these threat actors clearly have upped their game.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: