IcedID Targets Microsoft Exchange in Hijacking Campaign

Researchers at Intezer have reported a new hijacking campaign that targets Microsoft Exchange with the IcedID modular banking trojan. Intezer describes the campaign, which begins with a phishing email, as a further evolution of the threat actors' technique, and has seen it used against organizations in the energy, healthcare, legal and pharmaceutical sectors. In response to these findings, an expert with Blue Hexagon has offered the following perspective.

Expert Comments

March 29, 2022
Saumitra Das
CTO and Co-founder
Blue Hexagon

This attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary.

1. Reputation: Many email security systems use reputation of senders to block malicious email without being able to assess the email itself. Here they used compromised Exchange servers to make it through.

2. Obfuscation: They used obfuscated file formats to deliver malware (encrypted archive - ISO - LNK - DLL) to evade signatures and sandboxes.

3. Mutation: The DLL file was recently created, so no signatures and hash lookups would help.

4. Multi-Stage: The final payload is delivered over the network and not visible to email sandboxes. This shows why defense has to be done not just over email but also to go beyond and inspect the final download.
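The four points above, illustrated as a defender-side triage pass (this is an added example, not code from the article, Intezer or Blue Hexagon): it treats a trusted sender and a hash-lookup miss as non-verdicts, scores the nested archive / ISO / LNK / DLL delivery shape, and routes suspect messages to detonation with network capture so the later-arriving stage is inspected. The record fields, score weights, verdict names and sample records are constructed assumptions.

```python
# Added example (not from the article or Blue Hexagon): a defense-in-depth
# triage pass over parsed mail-gateway records. Every field name, score
# weight and sample value below is a constructed assumption for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# File types that make up the delivery chain the comment describes.
CONTAINER_TYPES = {"zip", "7z", "rar", "iso", "img"}   # archives and disk images
LAUNCHER_TYPES = {"lnk"}                               # shortcut used to start the payload
PAYLOAD_TYPES = {"dll", "exe"}                         # final on-disk stage


@dataclass
class Finding:
    message_id: str
    score: int
    verdict: str
    reasons: List[str] = field(default_factory=list)


def triage(record: Dict, known_bad_hashes: Set[str]) -> Finding:
    """Score one mail record without letting sender reputation or a hash miss
    short-circuit content inspection (points 1-4 of the comment)."""
    reasons: List[str] = []
    score = 0
    chain = [t.lower() for t in record.get("attachment_chain", [])]

    # 1. Reputation: a trusted/internal sender is logged, not used as a bypass.
    if record.get("sender_reputation") == "trusted":
        reasons.append("trusted sender: content still inspected")

    # 2. Obfuscation: nested containers ending in a shortcut that loads a DLL.
    if (any(t in CONTAINER_TYPES for t in chain)
            and any(t in LAUNCHER_TYPES for t in chain)):
        score += 40
        reasons.append("container chain includes a shortcut launcher")
    if record.get("archive_encrypted"):
        score += 20
        reasons.append("password-protected archive defeats static scanning")
    if any(t in PAYLOAD_TYPES for t in chain):
        score += 20
        reasons.append("executable/DLL inside the chain")

    # 3. Mutation: a hash that is not on a blocklist is not a clean verdict;
    #    a payload first seen hours ago cannot have signature coverage yet.
    payload_hash = record.get("payload_sha256", "")
    if payload_hash in known_bad_hashes:
        score += 100
        reasons.append("payload hash on blocklist")
    elif record.get("payload_first_seen_hours", 10**6) < 24:
        score += 15
        reasons.append("payload hash first seen <24h: no signature expected")

    # 4. Multi-stage: anything that scores as a loader chain is routed to
    #    detonation with network capture, because the final stage arrives later.
    if score >= 40:
        verdict = "detonate_and_capture_network"
    elif score >= 20:
        verdict = "hold_for_review"
    else:
        verdict = "deliver"
    return Finding(record["message_id"], score, verdict, reasons)


def triage_all(records: List[Dict], known_bad_hashes: Set[str]) -> List[Finding]:
    return [triage(r, known_bad_hashes) for r in records]


# Constructed sample records shaped like gateway output (not real data).
SAMPLE_RECORDS = [
    {   # campaign-shaped message: trusted sender, encrypted zip -> ISO -> LNK -> DLL
        "message_id": "msg-0001",
        "sender_reputation": "trusted",
        "archive_encrypted": True,
        "attachment_chain": ["zip", "iso", "lnk", "dll"],
        "payload_sha256": "0000000000000000000000000000000000000000000000000000000000000001",
        "payload_first_seen_hours": 2,
    },
    {   # benign-looking message: trusted sender, plain PDF, old hash
        "message_id": "msg-0002",
        "sender_reputation": "trusted",
        "archive_encrypted": False,
        "attachment_chain": ["pdf"],
        "payload_sha256": "0000000000000000000000000000000000000000000000000000000000000002",
        "payload_first_seen_hours": 8760,
    },
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_RECORDS, set()):
        print(f.message_id, f.score, f.verdict, "; ".join(f.reasons))
```

The design point is that no single signal decides the outcome: the trusted sender only adds a note, the blocklist miss falls through to an age check, and the container shape alone is enough to push a message into detonation where the network-delivered stage can be observed.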
