Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Exchange Targeted for IcedID Reply-chain Hijacking Attacks

Microsoft Exchange Targeted for IcedID Reply-chain Hijacking Attacks

The distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email conversation threads and injects malicious payloads that are hard to spot.

IcedID is a modular banking trojan first spotted back in 2017, used mainly to deploy second-stage malware such as other loaders or ransomware.

Its operators are believed to be initial access brokers who compromise networks and then sell the access to other cybercriminals.

The ongoing IcedID campaign was discovered this month by researchers at Intezer, who have shared their findings with Bleeping Computer prior to publication.

Also Read: Data Protection Authority GDPR: Everything You Need To Know

How the attack works

The primary method of the conversation hijacking attack is to assume control of a key email account participating in a discussion with the target, and then send a phishing message crafted to appear as a continuation of the thread.

As such, when the target receives a reply message with an attachment named and presented as something relevant to the previous discussion, the chances of suspecting fraud are reduced to a minimum.

Intezer explains that there are clues pointing to threat actors targeting vulnerable Microsoft Exchange servers to steal the credentials, as many of the compromised endpoints they found are public-facing and unpatched.

Additionally in this campaign, the analysts have seen malicious emails sent from internal Exchange servers, using local IP addresses within a more trustworthy domain, and hence unlikely to be marked as suspicious.

IcedID latest infection chain
IcedID latest infection chain (Interzer)

The email attachment sent to targets is a ZIP archive containing an ISO file, which, in turn, encloses an LNK and a DLL file. If the victim double clicks the “document.lnk”, the DLL launches to set up the IcedID loader.

The IcedID GZiploader is stored in an encrypted form in the resource section of the binary, and after decoding, it’s placed in memory and executed.

The host is then fingerprinted and the basic system information is sent to the C2 (yourgroceries[.]top) via an HTTP GET request.

Finally, the C2 responds by sending a payload to the infected machine, although that step was not performed during Intezer’s analysis.

Dynamically called function that fetches the payload
Dynamically called function that fetches the payload (Interzer)

Ties to November 2021 campaign

While Intezer’s report focuses on current and ongoing activity, it is unclear when this campaign started. It is possible that it started five months ago.

In November 2021, a Trend Micro report described a wave of attacks using ProxyShell and ProxyLogon vulnerabilities in exposed Microsoft Exchange servers to hijack internal email reply-chains and spread malware-laced documents.

The actors behind that campaign were believed to be ‘TR’, known to work with a plethora of malware, including Qbot, IcedID, and SquirrelWaffle.

Also Read: The Top 10 Best And Trusted List Of Lawyers In Singapore

All three malware pieces have been previously involved in email thread hijacking to deliver malicious payloads [1234].

Intezer puts threat group TA551 in the spotlight this time due to the use of regsvr32.exe for the DDL’s binary proxy execution and password-protected ZIP files.

The link between those two threat groups is unclear, though, but it’s not improbable that there’s some overlap or even underlying connection there.

Update your Exchange servers

We’re approaching the one-year mark since Microsoft published fixes for the ProxyLogon and ProxyShell vulnerabilities, so applying the latest security updates is well overdue.

Not doing so leaves your Exchange servers, company, and employees prey to phishing actors, cyber-espionage, and ransomware infections.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us