The ever-evolving banking trojan IcedID is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. Attackers also are using stealthy new payload-delivery tactics to spread the modular malware.
Researchers from Intezer earlier this month uncovered the campaign, which employs thread hijacking to send malicious messages from stolen Exchange accounts, thus adding an extra level of evasion to the campaign’s malicious intent, wrote researchers Joakim Kennedy & Ryan Robinson in a blog post.
Spearphishers
The players behind IcedID, as well as other spearphishers, have previously used phishing emails that “reuse previously stolen emails to make the lure more convincing,” researchers wrote.
However, the threat has now evolved in several key ways that make it even more dangerous to its targets, which include organisations in the energy, healthcare, law & pharmaceutical sectors, researchers noted.
Not only is the threat actor now using compromised Microsoft Exchange servers to send the phishing emails from the very account they stole, but the delivery of the malicious payload has also evolved in a way that can execute malware without the user even knowing, researchers observed.
ISO Files
“The payload has also moved away from using office documents to the use of ISO files with a Windows LNK file & a DLL file,” researchers wrote. “The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user.”
Previously, the infection chain most commonly associated with IcedID phishing campaigns has been an email with an attached password-protected ZIP archive containing a macro-enabled Office document, which executes the IcedID installer.
Breakdown of the Attack Chain
The new campaign starts with a phishing email that includes a message about an important document & a password-protected ZIP archive attached, the password for which is included in the email body.
The email seems extra convincing to users because it uses what is called “thread hijacking,” in which attackers use a portion of a previous thread from a legitimate email found in the inbox of the stolen account.
“By using this approach, the email appears more legitimate & is transported through the normal channels which can also include security products,” researchers wrote.
Proxy Shell
The majority of the originating Exchange servers that researchers saw in the campaign appear to be unpatched & publicly exposed, “making the Proxy Shell vector a good theory,” they wrote. Proxy Shell is a remote-code-execution (RCE) bug discovered in Exchange Server last year that has since been patched but has been heavily exploited by attackers.
When unzipped, the attachment contains a single ISO file with the same file name as the ZIP archive, created not long before the email was sent. That ISO file contains two files: a LNK file named “document” & a DLL file named “main,” also prepared relatively recently & potentially used in previous phishing emails, researchers stated.
Malicious Code
When a user double-clicks the LNK file, it uses “regsvr32” to execute the DLL file, which allows for proxy execution of the malicious code in main.dll for defence evasion, they wrote. The DLL file is a loader for the IcedID payload.
The loader locates the encrypted payload, which is stored in the resource section of the binary, using a technique known as API hashing: the hash of each candidate API name is compared with a hardcoded hash to locate FindResourceA, which is then called to fetch the encrypted payload, researchers wrote.
The final step in the attack chain is that the IcedID “Gziploader” payload is decoded, placed in memory & executed. The GZiploader fingerprints the machine & sends a beacon to the command-and-control (C2) server, located at yourgroceries[.]top, with information about the infected host, which can then be used for further malicious activity.
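As an added example (not code from the Intezer write-up or this article), the following Python checks constructed Sysmon-style process-creation records for the execution pattern described above: regsvr32 launched interactively (parent explorer.exe, as with a double-clicked LNK) against a DLL outside the usual system and program directories, with a DLL sitting at the root of a non-system drive, which is how a mounted ISO presents its contents, as an extra indicator. The field names follow Sysmon Event ID 1; the records, paths and indicator labels are constructed.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" E:\main.dll'},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\app.dll"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\main.dll"},
    {"Image": r"C:\Windows\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe document.txt"},
]

# Locations where a DLL registration via regsvr32 is expected (installers, OS components).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")

DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)  # first .dll argument, quoted or bare


def extract_dll_path(cmdline):
    """Return the DLL path passed to regsvr32, or None if there is none."""
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def classify_dll_path(path):
    """Return indicator labels (constructed names) describing where the DLL lives."""
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return []
    flags = ["dll_outside_trusted_dirs"]
    # X:\main.dll: a file at the root of a non-system drive, which is how a mounted ISO presents it
    if re.fullmatch(r"[d-z]:\\[^\\]+", p):
        flags.append("dll_at_root_of_non_system_drive")
    return flags


def find_suspicious_regsvr32(events):
    """Flag regsvr32 launched from explorer.exe (a double-clicked LNK) against an untrusted DLL."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith(r"\regsvr32.exe"):
            continue
        if not ev["ParentImage"].lower().endswith(r"\explorer.exe"):
            continue
        dll = extract_dll_path(ev["CommandLine"])
        flags = classify_dll_path(dll) if dll else []
        if flags:
            findings.append({"dll": dll, "indicators": flags, "cmdline": ev["CommandLine"]})
    return findings
```

A mounted ISO gets an ordinary drive letter, so the root-of-drive indicator also fires for USB media; treat it as a weight for triage rather than a verdict on its own.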
Evolution of a Threat
Researchers at IBM first discovered IcedID back in 2017 as a trojan targeting banks, payment card providers, mobile services providers, payroll, webmail & e-commerce sites.
The malware has evolved over the years & already has a history of clever hiding. For example, it resurfaced in a COVID-19-themed campaign with new functionality that used steganography (the practice of hiding code within images) to stealthily infect victims, as well as other enhancements.
The new campaign is evidence of its further evolution & could signify that IcedID is indeed becoming, as many fear, the new Emotet: a modular threat that began as a trojan but steadily evolved into one of the most dangerous malware families ever seen.
Evade Detection
“This attack shows how much effort attackers put in all the time to evade detection & why defence in depth is necessary,” observed Saumitra Das, CTO & Co-Founder at security firm Blue Hexagon.
This effort shows a level of sophistication by those behind IcedID in that they have thorough knowledge of contemporary email protections & are continuously adding new tactics as security also grows & evolves, he explained.
Exchange Servers
“Many email security systems use reputation of senders to block malicious email without being able to assess the email itself,” Das noted. “Here, they used compromised Exchange servers to make it through.”
The group’s use of hidden file formats to deliver malware, as well as the final payload’s delivery over the network, also demonstrates that the threat players know how to evade signatures & sandboxes, he added.
“These attacks often go much deeper than simply stealing data,” concurred Chris Clements, VP of Solutions Architecture at security firm Cerberus Sentinel.
“The cyber-criminals take the time to read the mailboxes to understand the inter-organisation relationships & operating procedures.
Security Patches
“To protect themselves from similar attacks, it’s critical that organisations ensure that they apply security patches promptly & thoroughly in their environment,” he added. However, what is historically true for patching remains true now: it is “a task that’s easier said than done,” Clements acknowledged.
“It really takes a cultural approach to cyber-security to plan for failures in defences like patch management,” he concluded.