Highlights

  • Healthcare, energy, law, and pharmaceutical industries are believed to be the prime targets of the latest wave of attacks, seen in mid-March 2022.
  • The current attack variants rely on vulnerable Microsoft Exchange servers to send lure emails from a hijacked account, a further evolution of the social engineering scheme.

A new email phishing campaign has been observed using the conversation hijacking technique to deliver the IcedID info-stealing malware onto target machines, with unpatched and publicly exposed Microsoft Exchange servers serving as the sending infrastructure.

Intezer, an Israeli firm, said in a report that was shared with a digital news agency, “The emails use a social engineering technique of conversation hijacking (also known as thread hijacking). A forged reply to a previous stolen email is being used to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate.”

Several industries like energy, healthcare, law, and the pharmaceutical sector are believed to have become the primary target of the latest wave of attacks that were identified in mid-March 2022.

IcedID, also known as BokBot, is a banking trojan that, like TrickBot and Emotet, has evolved into an initial-access loader for more sophisticated threats such as human-operated ransomware and Cobalt Strike, the adversary simulation tool widely abused for post-exploitation.

It can connect to a remote server, download additional implants and tools, and thereby let attackers carry out follow-on tasks, move laterally through the affected network, and spread further malware.

In June 2021, enterprise security firm Proofpoint documented an evolving strategy in the cybercrime landscape in which initial access brokers were seen penetrating target networks with first-stage malware such as IcedID in order to deploy Egregor, Maze, and REvil ransomware payloads.

Previously, IcedID campaigns abused website contact forms to send malware-laced links to enterprises. The current attack variants instead rely on vulnerable Microsoft Exchange servers to send lure emails from a hijacked account, a further evolution of the social engineering scheme.

The goal is to inject fraudulent replies into existing email threads, sent from the compromised user's own mailbox, so that the phishing email inherits the legitimacy of a known sender and an ongoing conversation.

Experts’ view

“The payload has also moved away from using Office documents to using ISO files with a Windows LNK file and a DLL file. The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user,” researchers Joakim Kennedy and Ryan Robinson said.

“The use of conversation hijacking is a powerful social engineering technique that can increase the rate of a successful phishing attempt. Using this approach, the email appears more legitimate and is transported through the normal channels, including security products,” the researchers concluded.
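The two points above, a forged reply to a stolen thread and a mountable ISO payload that carries no Mark-of-the-Web, can be turned into mail-triage indicators. The following script is an added example written for this article; it is not Intezer's tooling and it does not reproduce the real campaign's messages. The sample messages, the attachment contents, and the indicator names are all constructed here. It also goes slightly beyond the page's ISO case by looking inside zip attachments for a wrapped disk image, an assumption about a common evasion rather than something the report describes.

```python
"""Heuristic triage for conversation-hijacking phishing that carries an ISO lure.

Added example for this article (not Intezer's code). Sample messages are
constructed below purely for illustration.
"""
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Disk-image formats Windows mounts as a drive; files inside inherit no
# Zone.Identifier stream, so they run without the Mark-of-the-Web warning.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
# Archives that may wrap a container (assumed extension of the ISO case).
ARCHIVE_EXTS = {".zip"}

REPLY_RE = re.compile(r"^\s*(re|aw|sv|fwd?)\s*:", re.IGNORECASE)


def _ext(name):
    return os.path.splitext(name.lower())[1]


def _archive_members(data):
    """Member names of a zip payload, or [] if it is not a readable zip."""
    if not data:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> list:
    """Return the indicators found in one RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    looks_like_reply = bool(REPLY_RE.match(str(msg.get("Subject", ""))))

    # A genuine reply from a mail client carries In-Reply-To / References;
    # a "reply" injected by a script into a stolen thread often does not.
    if looks_like_reply and not (msg.get("In-Reply-To") or msg.get("References")):
        hits.append("reply-subject-without-threading-headers")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in CONTAINER_EXTS:
            hits.append(f"container-attachment:{name}")
        elif ext in ARCHIVE_EXTS:
            for member in _archive_members(part.get_payload(decode=True)):
                if _ext(member) in CONTAINER_EXTS:
                    hits.append(f"container-inside-archive:{name}/{member}")

    # The lure shape described in the article: a reply with a mountable payload.
    if looks_like_reply and any(h.startswith("container") for h in hits):
        hits.append("reply-with-mountable-payload")
    return hits


def build_samples() -> dict:
    """Constructed messages: one benign reply and two lure variants."""
    benign = EmailMessage()
    benign["From"], benign["To"] = "alice@example.com", "bob@example.com"
    benign["Subject"] = "RE: Q1 contract"
    benign["In-Reply-To"] = benign["References"] = "<abc123@example.com>"
    benign.set_content("Signed copy attached.\n\n> original thread text")
    benign.add_attachment(b"%PDF-1.4 constructed placeholder",
                          maintype="application", subtype="pdf",
                          filename="contract.pdf")

    # From is the genuine mailbox: in the campaign it is the hijacked account.
    iso_lure = EmailMessage()
    iso_lure["From"], iso_lure["To"] = "alice@example.com", "bob@example.com"
    iso_lure["Subject"] = "RE: Q1 contract"
    iso_lure.set_content("Please review the attached.\n\n> original thread text")
    iso_lure.add_attachment(b"CD001 constructed placeholder image",
                            maintype="application", subtype="octet-stream",
                            filename="documents.iso")

    zip_lure = EmailMessage()
    zip_lure["From"], zip_lure["To"] = "alice@example.com", "bob@example.com"
    zip_lure["Subject"] = "RE: Q1 contract"
    zip_lure.set_content("Please review the attached.\n\n> original thread text")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documents.iso", b"CD001 constructed placeholder image")
    zip_lure.add_attachment(buf.getvalue(), maintype="application",
                            subtype="zip", filename="documents.zip")

    return {"benign": benign.as_bytes(), "iso_lure": iso_lure.as_bytes(),
            "zip_lure": zip_lure.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, triage(raw))
```

Because the sending mailbox is genuinely compromised, SPF, DKIM and sender-reputation checks pass; the usable signals are the missing threading headers on a message that claims to be a reply and the mountable attachment type, which is why the script scores on those rather than on the sender.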