A threat actor is exploiting vulnerable on-prem Microsoft Exchange servers and using hijacked email threads to deliver the IcedID (BokBot) trojan without triggering email security solutions.
“The payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file. The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user,” Intezer researchers Joakim Kennedy and Ryan Robinson have noted.
How the attack unfolds
The threat actor – believed to be an initial access broker – compromises vulnerable on-prem Microsoft Exchange servers and existing email accounts, then hijacks email threads by replying to them.
“The attack-chain starts with a phishing email. The email includes a message about some important document and has a password protected ‘zip’ archive file attached. The password to the archive is given in the email body,” the researchers explained.
The ZIP file contains an ISO file, which in turn contains a LNK file named “document” and a DLL file named “main.” When the recipient double-clicks the LNK, it launches the DLL, which fetches the IcedID payload; the payload is decoded, placed in memory, and executed.
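The point of the ZIP-in-ISO packaging is that a gateway or user-facing warning keyed on the outer attachment never sees the files inside the mounted image, so a defender wants to look inside the image itself. The following Python is an added example, not code from the article or from Intezer: it parses the root directory of an ISO 9660 image directly (a minimal subset only: no Joliet, Rock Ridge, or subdirectory walking), flags the LNK + DLL pairing and any PE (“MZ”) body inside, and runs that check over every disk image nested in a ZIP attachment. The image and archive it scans are constructed in-memory samples; the function names and the “ZIP → ISO → LNK/DLL” decision logic are my own assumptions about how such a triage step would be structured.

```python
import io
import struct
import zipfile

SECTOR = 2048  # ISO 9660 logical block size


def _both_endian32(n):
    # ISO 9660 stores most integers twice: little-endian then big-endian
    return struct.pack("<I", n) + struct.pack(">I", n)


def _dir_record(ident, lba, size, is_dir):
    # Minimal 33-byte directory record header followed by the file identifier
    rec = bytearray(b"\x00\x00") + _both_endian32(lba) + _both_endian32(size)
    rec += b"\x00" * 7                          # recording date (unused here)
    rec += bytes([0x02 if is_dir else 0x00])    # file flags: bit 1 = directory
    rec += b"\x00\x00" + struct.pack("<H", 1) + struct.pack(">H", 1)
    rec += bytes([len(ident)]) + ident
    if len(rec) % 2:                            # records are padded to even length
        rec += b"\x00"
    rec[0] = len(rec)
    return bytes(rec)


def build_sample_iso(files):
    """Constructed ISO 9660 image (hypothetical sample, not a captured one).
    files: {"NAME.EXT;1": bytes}. Root directory at sector 18, file data from 19."""
    root_lba, data_lba = 18, 19
    records = [_dir_record(b"\x00", root_lba, SECTOR, True),   # "."
               _dir_record(b"\x01", root_lba, SECTOR, True)]   # ".."
    data = []
    for name, content in files.items():
        lba = data_lba + len(data)
        n_sectors = max(1, -(-len(content) // SECTOR))          # ceiling division
        records.append(_dir_record(name.encode("ascii"), lba, len(content), False))
        padded = content.ljust(n_sectors * SECTOR, b"\x00")
        data.extend(padded[i:i + SECTOR] for i in range(0, len(padded), SECTOR))
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1      # primary volume descriptor
    pvd[156:190] = records[0]                      # root directory record
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1  # volume descriptor set terminator
    root_dir = b"".join(records).ljust(SECTOR, b"\x00")
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root_dir + b"".join(data)


def list_iso_root(image):
    """Walk the root directory of an ISO 9660 image without mounting it."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor: not an ISO 9660 image")
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    directory = image[root_lba * SECTOR:root_lba * SECTOR + root_len]
    entries, pos = [], 0
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                 # records never span sectors; rest is padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = directory[pos:pos + rec_len]
        ident = rec[33:33 + rec[32]]
        if ident not in (b"\x00", b"\x01"):   # skip "." and ".."
            entries.append({
                "name": ident.decode("ascii", "replace").split(";")[0],  # drop ";1"
                "is_dir": bool(rec[25] & 0x02),
                "lba": struct.unpack_from("<I", rec, 2)[0],
                "size": struct.unpack_from("<I", rec, 10)[0],
            })
        pos += rec_len
    return entries


def read_iso_file(image, entry):
    start = entry["lba"] * SECTOR
    return image[start:start + entry["size"]]


def triage_iso(image):
    """Flag the LNK + DLL-inside-ISO loader pattern described in the article."""
    files = [e for e in list_iso_root(image) if not e["is_dir"]]
    names = [f["name"].lower() for f in files]
    has_lnk = any(n.endswith(".lnk") for n in names)
    has_dll = any(n.endswith(".dll") for n in names)
    # A PE ("MZ") body inside a mailed disk image is suspicious regardless of its name
    pe_payload = any(read_iso_file(image, f).startswith(b"MZ") for f in files)
    return {"files": names, "lnk_dll_pair": has_lnk and has_dll, "pe_payload": pe_payload}


def build_sample_zip(members):
    # Constructed, unencrypted archive: zipfile cannot write password-protected ZIPs,
    # so a real gateway would first open the archive with the password from the mail body.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def scan_zip(zip_bytes):
    """Triage every disk image nested inside a ZIP attachment."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".iso", ".img")):
                findings[info.filename] = triage_iso(zf.read(info))
    return findings
```

Running `scan_zip(build_sample_zip({"invoice.iso": build_sample_iso({"DOCUMENT.LNK;1": b"L" + b"\x00" * 75, "MAIN.DLL;1": b"MZ" + b"\x00" * 200})}))` reports the image with both `lnk_dll_pair` and `pe_payload` set. The parser deliberately reads the image as bytes rather than mounting it: mounting is exactly the step on which, per the researchers, the Mark-of-the-Web on the outer attachment stops protecting the user, so inspecting the container before it reaches a mailbox is where this pattern can still be caught.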
The trojan fingerprints the machine and shares that information with the C2 server, then waits for further instruction. “The C2 did not respond with a payload during our analysis,” they concluded.
Hijacked email threads: A (relatively) new approach
Discovered in mid-March, this specific malware delivery campaign is targeting organizations in the energy, healthcare, law, and pharmaceutical sectors. Fortinet researchers revealed that one of the targets is/was a fuel company in Kyiv, Ukraine.
The threat actor is using a variety of techniques to make life for security teams and malware analysts more difficult: uncommon deployment methods (zipped ISO file), decoy code in the DLL, encrypted payload, etc.
Hijacking existing conversations over email to spread malware is not a new technique, but threat actors are refining it.
“Instead of sending the stolen conversation to the victim with a ‘spoofed’ email address, threat actors are now using the email address of the victim that they stole the original email from to make the phishing email even more convincing,” Intezer researchers explained.
The same technique was spotted being used in November 2021 by threat actors delivering the Qakbot trojan. Security researcher Kevin Beaumont and the Cryptolaemus Team have found that some of the compromised Microsoft Exchange servers sending the emails were popped via ProxyShell or ProxyLogon vulnerabilities.
Have your organization’s on-prem Microsoft Exchange servers been compromised and are they being used to deliver malware? If you haven’t patched those vulnerabilities quickly – or at all – there’s a chance they are being leveraged by these and other attackers.
“The majority of the originating Exchange servers we have observed appear to also be unpatched and publicly exposed, making the ProxyShell vector a good theory. While the majority of the Exchange servers used to send the phishing emails can be accessed by anyone over the Internet, we have also seen a phishing email sent internally on what appears to be an ‘internal’ Exchange server,” Intezer researchers pointed out.