Frame-14

Privacy Ninja

        • DATA PROTECTION

        • Email Spoofing Prevention
        • Check if your organization email is vulnerable to hackers and put a stop to it. Receive your free test today!
        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • AntiHACK Phone
        • Boost your smartphone’s security with enterprise-level encryption, designed by digital forensics and counterintelligence experts, guaranteeing absolute privacy for you and up to 31 others, plus a guest user, through exclusive access.

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$3,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Secure your digital frontiers with our API penetration testing service, meticulously designed to identify and fortify vulnerabilities, ensuring robust protection against cyber threats.

        • Network Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Mobile Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Web Penetration Testing
        • Fortify your web presence with our specialized web penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats.

        • RAPID DIGITALISATION

        • OTHERS

Microsoft Exchange Targeted for IcedID Reply-chain Hijacking Attacks

Microsoft Exchange Targeted for IcedID Reply-chain Hijacking Attacks

The distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email conversation threads and injects malicious payloads that are hard to spot.

IcedID is a modular banking trojan first spotted back in 2017, used mainly to deploy second-stage malware such as other loaders or ransomware.

Its operators are believed to be initial access brokers who compromise networks and then sell the access to other cybercriminals.

The ongoing IcedID campaign was discovered this month by researchers at Intezer, who have shared their findings with Bleeping Computer prior to publication.

Also Read: Data Protection Authority GDPR: Everything You Need To Know

How the attack works

The primary method of the conversation hijacking attack is to assume control of a key email account participating in a discussion with the target, and then send a phishing message crafted to appear as a continuation of the thread.

As such, when the target receives a reply message with an attachment named and presented as something relevant to the previous discussion, the chances of suspecting fraud are reduced to a minimum.

Intezer explains that there are clues pointing to threat actors targeting vulnerable Microsoft Exchange servers to steal the credentials, as many of the compromised endpoints they found are public-facing and unpatched.

Additionally in this campaign, the analysts have seen malicious emails sent from internal Exchange servers, using local IP addresses within a more trustworthy domain, and hence unlikely to be marked as suspicious.

IcedID latest infection chain
IcedID latest infection chain (Interzer)

The email attachment sent to targets is a ZIP archive containing an ISO file, which, in turn, encloses an LNK and a DLL file. If the victim double clicks the “document.lnk”, the DLL launches to set up the IcedID loader.

The IcedID GZiploader is stored in an encrypted form in the resource section of the binary, and after decoding, it’s placed in memory and executed.

The host is then fingerprinted and the basic system information is sent to the C2 (yourgroceries[.]top) via an HTTP GET request.

Finally, the C2 responds by sending a payload to the infected machine, although that step was not performed during Intezer’s analysis.

Dynamically called function that fetches the payload
Dynamically called function that fetches the payload (Interzer)

Ties to November 2021 campaign

While Intezer’s report focuses on current and ongoing activity, it is unclear when this campaign started. It is possible that it started five months ago.

In November 2021, a Trend Micro report described a wave of attacks using ProxyShell and ProxyLogon vulnerabilities in exposed Microsoft Exchange servers to hijack internal email reply-chains and spread malware-laced documents.

The actors behind that campaign were believed to be ‘TR’, known to work with a plethora of malware, including Qbot, IcedID, and SquirrelWaffle.

Also Read: The Top 10 Best And Trusted List Of Lawyers In Singapore

All three malware pieces have been previously involved in email thread hijacking to deliver malicious payloads [1234].

Intezer puts threat group TA551 in the spotlight this time due to the use of regsvr32.exe for the DDL’s binary proxy execution and password-protected ZIP files.

The link between those two threat groups is unclear, though, but it’s not improbable that there’s some overlap or even underlying connection there.

Update your Exchange servers

We’re approaching the one-year mark since Microsoft published fixes for the ProxyLogon and ProxyShell vulnerabilities, so applying the latest security updates is well overdue.

Not doing so leaves your Exchange servers, company, and employees prey to phishing actors, cyber-espionage, and ransomware infections.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us