Researchers at Intezer have reported a new hijacking campaign that targets Microsoft Exchange with the IcedID modular banking trojan. Researchers with Intezer described the new campaign, which begins with a phishing email, as a further evolution of the threat actors’ technique. The researchers have seen this technique used to target organizations within the energy, healthcare, law and pharmaceutical sectors. In response to these findings, an expert with Blue Hexagon has offered the following perspective.
This attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary.
1. Reputation: Many email security systems use the reputation of senders to block malicious email without being able to assess the email itself. Here they used compromised Exchange servers to make it through.
2. Obfuscation: They used obfuscated file formats to deliver malware, encrypted archive – ISO – LNK – DLL, to evade signatures and sandboxes.
3. Mutation: The DLL file was recently created, so no signatures or hash lookups would help.
4. Multi-Stage: The final payload is delivered over the network and is not visible to email sandboxes. This shows why defense has to be done not just over email but also go beyond it and inspect the final download.
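One endpoint-side check that the ISO – LNK – DLL chain above suggests, added here as an illustration and not code from Intezer or Blue Hexagon: flag rundll32/regsvr32 loading a DLL from a drive letter that the host assigned to a mounted disk image, with explorer.exe as the parent (what a double-clicked LNK on that image looks like). The event shape, the list of image-backed drive letters and all paths are constructed for the sample.

```python
import re
import ntpath

# Constructed sample process-creation events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "parent_image": r"C:\Windows\winlogon.exe",
     "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 4312, "ppid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "E:\documents\invoice.dll",PluginInit'},
    {"pid": 4400, "ppid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Drive letters assigned to mounted disk images (ISO/IMG). Assumed to come from a
# separate mount-event feed; hard-coded here for the constructed sample.
SAMPLE_IMAGE_DRIVES = {"E:"}

LOADER_IMAGES = {"rundll32.exe", "regsvr32.exe"}
DLL_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)


def dll_from_cmdline(cmdline):
    """Return the first absolute .dll path in a command line, or None."""
    m = DLL_PATH_RE.search(cmdline)
    return m.group(1) if m else None


def find_dll_loads_from_images(events, image_drives):
    """Return loader processes whose DLL argument lives on an image-backed drive."""
    drives = {d.upper() for d in image_drives}
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() not in LOADER_IMAGES:
            continue
        dll = dll_from_cmdline(ev["cmdline"])
        if dll is None:
            continue
        drive = ntpath.splitdrive(dll)[0].upper()
        if drive not in drives:
            continue  # DLL on a normal volume, e.g. the shell32.dll control-panel call
        # explorer.exe as parent matches a user double-clicking a LNK on the mounted image
        via_explorer = ntpath.basename(ev["parent_image"]).lower() == "explorer.exe"
        findings.append({"pid": ev["pid"], "dll": dll, "drive": drive,
                         "via_explorer": via_explorer})
    return findings


if __name__ == "__main__":
    for f in find_dll_loads_from_images(SAMPLE_EVENTS, SAMPLE_IMAGE_DRIVES):
        print(f)
```

The mount-event feed is the part a deployment has to supply; the rule only becomes low-noise once it is tied to drive letters that actually came from an image attached in the mail flow.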