Cyber-criminals are using compromised Microsoft Exchange servers to spam out emails designed to infect people’s PCs with IcedID,

IcedID is bad news because if you’re tricked into running it, it opens a backdoor allowing further malware, such as ransomware, to be injected into your system. Marks typically receive an encrypted .zip as an attachment, with the password in the email text, and instructions to open the contents of the archive. Doing so starts a downloader that deploys IcedID on the computer.

IcedID itself isn’t new. IBM’s X-Force threat hunters said they discovered the Windows software nasty back in 2017, when it was primarily designed to steal victims’ online banking credentials. It popped up last year when crooks hijacked a BP Chargemaster domain to spam out emails to spread IcedID.

On Monday, Fortinet’s FortiGuard Labs said it observed an email sent to a Ukrainian fuel company with a .zip containing a file that when opened drops IcedID on the PC.

Security vendor Intezer also on Monday said it had seen unsecured Microsoft Exchange servers spamming out IcedID emails. The team said they discovered the campaign in mid-March, and said it targets energy, healthcare, law, and pharmaceutical organizations. 

We’re told the servers haven’t been kept up-to-date with security fixes, allowing miscreants to exploit, for example, the ProxyShell family of vulnerabilities to take over the installations and send out malicious spam.

“The majority of the originating Exchange servers we have observed appear to also be unpatched and publicly exposed, making the ProxyShell vector a good theory,” Intezer’s Joakim Kennedy and Ryan Robinson wrote.

“While the majority of the Exchange servers used to send the phishing emails can be accessed by anyone over the internet, we have also seen a phishing email sent internally on what appears to be an ‘internal’ Exchange server.” 

How it works

The attack begins with a phishing email that includes a message about an important document in an attached password-protected .zip archive, with the passcode given in the mail body text. The password protection is typically there to prevent automated scanners from seeing inside the .zip.
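The lure pattern described above (an encrypted archive attached, with its password handed over in the body) is something a mail gateway can check for without ever opening the archive, because the zip central directory and its per-member encryption flag are readable without the password. The following is an added example written for this article, not code from Intezer, Fortinet or the original report; the password-phrase regex, the MIME types treated as zip, and the sample message and archive are all constructed for illustration (the archive is a harmless placeholder whose encryption flag is set by hand, since Python's zipfile cannot write encrypted archives).

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed heuristic: phrases a phishing body uses to hand over the archive
# password. Not a signature from the original report.
PASSWORD_RE = re.compile(r"\b(?:password|passcode|pass)\b\s*(?:is|:)?\s*\S+", re.IGNORECASE)

# MIME types under which a zip attachment commonly arrives (assumption for this example).
ZIP_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has general-purpose flag bit 0 (encrypted) set.

    The central directory is readable without a password, so the flag can be
    checked even though the member contents themselves cannot be scanned."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def score_message(msg: EmailMessage) -> dict:
    """Flag the 'encrypted archive + password in the body' combination."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings = {
        "encrypted_zip": False,
        "password_in_body": PASSWORD_RE.search(text) is not None,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings["attachments"].append(name)
        if part.get_content_type() in ZIP_TYPES or name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True)
            if payload and zip_is_encrypted(payload):
                findings["encrypted_zip"] = True
    findings["suspicious"] = findings["encrypted_zip"] and findings["password_in_body"]
    return findings


def score_raw(raw: bytes) -> dict:
    """Entry point for a raw RFC 5322 message as pulled from a mailbox or gateway."""
    return score_message(message_from_bytes(raw, policy=policy.default))


def _fake_encrypted_zip() -> bytes:
    """Constructed sample: a stored zip whose headers claim encryption.

    The encryption bit is set by hand in the local file header (flags at
    offset 6) and the central directory entry (flags at offset 8). The member
    is a placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.doc", b"placeholder")
    data = bytearray(buf.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        idx = data.find(signature)
        data[idx + flag_offset] |= 0x01
    return bytes(data)


def build_sample_email() -> bytes:
    """Constructed lure in the shape the article describes: a reply-style
    subject, the password in the body and an encrypted zip attached."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "colleague@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "RE: contract"
    msg.set_content("Please see the attached document. The password is 1234.")
    msg.add_attachment(_fake_encrypted_zip(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_raw(build_sample_email()))
```

Run on its own, the script prints a findings dict with `suspicious: True` for the constructed lure. In a real gateway the same check would be one signal among several (sender reputation, thread-hijacking cues, sandbox verdicts), since legitimate senders also encrypt archives.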

Additionally, the miscreants use conversation or thread hijacking to make the email look more convincing. This involves looking back through email chains on the server, and forging a reply to a mark, making them think it’s a legit message. This reply also appears to come from the person the mark was conversing with, making the email look even more legit. As the security firm notes:

The use of conversation hijacking is a powerful social engineering technique that can increase the rate of a successful phishing attempt.

And while earlier campaigns used Office documents to drop malware on victims’ machines, this IcedID campaign uses ISO files with a Windows LNK shortcut file and a dynamic link library (DLL).

The LNK file looks like a document, but when a user double-clicks it, it uses the operating system’s Regsvr32 tool to execute the DLL file, which decrypts and runs IcedID.

Using Regsvr32 helps the attackers avoid detection, the threat researchers wrote. This is a command-line program for registering and unregistering DLLs and embedded controls. Miscreants can use it to dodge the attention of antivirus tools and IT staff “because of allowlists or false positives from Windows using regsvr32.exe for normal operations,” MITRE ATT&CK warned. 

In this case, the tool is not used for normal operations but instead allows for proxy execution of malicious code.
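The ATT&CK observation above cuts both ways: regsvr32.exe is noisy on a normal Windows host, so a useful detection is not "regsvr32 ran" but "regsvr32 was asked to load a module from somewhere it has no business loading from" (a mounted ISO's drive letter, a user's Temp or AppData folder), especially with Explorer as the parent, which is what a double-clicked LNK looks like. The example below is added here and is not code from Intezer or from the original report; it runs over a few constructed process-creation records in a Sysmon-like JSON shape (field names `Image`, `ParentImage`, `CommandLine` are an assumption), and the list of trusted module directories is likewise an assumption to be tuned per environment.

```python
import json
import re
from typing import Optional

# Directories from which regsvr32 legitimately loads modules. Constructed for this
# example; tune to the environment (vendor install paths, etc.).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Split a Windows command line into tokens, honouring double quotes.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def module_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the module path regsvr32 was asked to load, or None.

    The first token is the executable; tokens starting with '/' or '-' are
    switches (/s, /u, /n, /i:...), so the first remaining token is the module."""
    tokens = [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def evaluate(event: dict) -> Optional[dict]:
    """Given one process-creation record, return an alert dict or None.

    The gate is 'module outside trusted directories'; the other reasons are
    context that raises the priority of an alert rather than creating one."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return None
    module = module_from_cmdline(event.get("CommandLine", ""))
    if module is None:
        return None
    low = module.lower()
    if low.startswith(TRUSTED_PREFIXES):
        return None
    reasons = ["module outside trusted program directories"]
    if not low.endswith((".dll", ".ocx")):
        reasons.append("module lacks a conventional DLL/OCX extension")
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("launched from Explorer, consistent with a double-clicked shortcut")
    return {"module": module, "parent": event.get("ParentImage"), "reasons": reasons}


def scan(lines: str) -> list:
    """Evaluate newline-delimited JSON records and collect alerts."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        alert = evaluate(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records: one ISO-mount style load, one legitimate vendor
# control registration, one unrelated process, one load from a Temp folder.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\regsvr32.exe",
                "CommandLine": "regsvr32.exe D:\\document.dll"}),
    json.dumps({"ParentImage": "C:\\Windows\\System32\\msiexec.exe",
                "Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
                "CommandLine": "regsvr32.exe /s \"C:\\Program Files (x86)\\Vendor\\control.ocx\""}),
    json.dumps({"ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c dir"}),
    json.dumps({"ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\regsvr32.exe",
                "CommandLine": "regsvr32.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.dat\""}),
])


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed records this yields two alerts (the `D:\` load and the Temp-folder load) and stays quiet on the vendor OCX registration under Program Files, which is the false-positive class ATT&CK warns about. The same logic maps onto ATT&CK T1218.010 (Regsvr32) and can be expressed as a SIEM query once the field names match the telemetry source.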

In one of the attempted attacks that Intezer discovered, the loader code locates the encrypted payload in the .DLL via a technique called API hashing. If successful, the IcedID Gziploader payload is decoded, placed in memory, and executed. “GZiploader fingerprints the machine and sends a beacon to the command and control server with information about the infected host,” the researchers explained. “The information is smuggled through the cookies header via an HTTP GET request.”

In this particular analysis, the command-and-control server did not respond with any nefarious commands. One assumes that if the system fingerprint indicates a system the miscreants are interested in, IcedID would be instructed to carry out further action, such as injecting extortionware, exfiltrating data or credentials, and so on.

Who’s behind the new IcedID campaign?

While Intezer doesn’t draw a direct line between this IcedID campaign and the cyber-crime gang labeled TA551, the analysis does note a June 2021 report by Proofpoint that highlighted TA577 and TA551’s preference for using IcedID as their malware. 

“The techniques used by TA551 include conversation hijacking and password protected zip files,” Intezer’s duo explained. “The group is also known to use regsvr32.exe for signed binary proxy execution for malicious DLLs.”

They cited four indicators of compromise for network defenders, in the form of SHA-256 hashes for files and the command-and-control domain name:

Additionally, because this type of attack necessitates security tools that can detect malicious files in memory, the security firm recommended using an endpoint scanner. ®