IcedID Targets Microsoft Exchange Hijacking Campaign

By ISBuzz Team, Writer, Information Security Buzz | Mar 29, 2022 05:41 am PST

Researchers at Intezer have reported a new hijacking campaign that targets Microsoft Exchange with the IcedID modular banking trojan. Intezer describes the campaign, which begins with a phishing email, as a further evolution of the threat actors’ technique. The researchers have seen it used against organizations in the energy, healthcare, legal and pharmaceutical sectors. In response to these findings, an expert with Blue Hexagon has offered his perspective.

1 Expert Comment

Saumitra Das, CTO and Co-founder
March 29, 2022 1:41 pm

This attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary.

1. Reputation: Many email security systems use reputation of senders to block malicious email without being able to assess the email itself. Here they used compromised Exchange servers to make it through.

2. Obfuscation: They used obfuscated file formats to deliver malware, encrypted archive – ISO – LNK – DLL, to evade signatures and sandboxes.

3. Mutation: The DLL file was recently created, so no signatures and hash lookups would help.

4. Multi-Stage: The final payload is delivered over the network and not visible to email sandboxes. This shows why defense has to be done not just over email but also to go beyond and inspect the final download.

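The comment above describes a delivery chain that ends in a Windows shortcut (LNK) that hands a freshly built DLL to a system loader. One layer of the "defense in depth" it calls for is triaging such shortcuts before they are opened. The script below is an added example and is not code from the article, from Intezer or from Blue Hexagon: it parses the ShellLinkHeader and StringData sections of a .lnk file as laid out in Microsoft's MS-SHLLINK specification and flags shortcuts whose command line passes a DLL to rundll32 or regsvr32. The sample shortcut bytes are constructed in-line as test fixtures, and the two heuristics are this example's own assumptions, not rules from the report.

```python
"""Triage helper for Windows Shell Link (.lnk) files (added example).

Parses the fixed 76-byte ShellLinkHeader and the variable StringData block
of a .lnk file, then applies two assumed heuristics for shortcuts that arrive
inside archive/ISO email attachments. Sample shortcuts are constructed here
for the test; they are not real-world samples.
"""
import re
import struct
import uuid

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (the ones used here)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# StringData fields in the order the format stores them, with their flag bits
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (plus the raw LinkFlags)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (uint16) is followed by that many bytes of ItemIDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        # LinkInfoSize (uint32) counts itself and the rest of the structure
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        # Each present field is a CountCharacters (uint16) followed by the text
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


# Loader binaries that are legitimate on their own but rarely belong in a
# shortcut shipped inside an email attachment (assumed heuristic)
DLL_LOADERS = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
DOCUMENT_ICONS = (".pdf", ".docx", ".xlsx", ".txt")


def lnk_suspicion(fields: dict) -> list:
    """Return human-readable reasons a parsed shortcut deserves a second look."""
    reasons = []
    cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    if DLL_LOADERS.search(cmd) and ".dll" in cmd.lower():
        reasons.append("shortcut hands a DLL to a system loader")
    target = fields.get("relative_path", "").lower()
    icon = fields.get("icon_location", "").lower()
    if target.endswith((".exe", ".cmd", ".bat")) and icon.endswith(DOCUMENT_ICONS):
        reasons.append("executable target disguised with a document icon")
    return reasons


def build_sample_lnk(relative_path: str, arguments: str, icon: str = "") -> bytes:
    """Construct a minimal valid .lnk containing only StringData (test fixture)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if icon:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID.bytes_le, flags)
    header += struct.pack("<I", 0)      # FileAttributes
    header += b"\x00" * 24              # CreationTime, AccessTime, WriteTime
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1-3
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path) + string_data(arguments)
    if icon:
        body += string_data(icon)
    return header + body + struct.pack("<I", 0)  # TerminalBlock of ExtraData


if __name__ == "__main__":
    for label, blob in (
        ("constructed suspicious", build_sample_lnk("rundll32.exe", "loader.dll,DllMain", "invoice.pdf")),
        ("constructed benign", build_sample_lnk("notepad.exe", "readme.txt")),
    ):
        parsed = parse_lnk(blob)
        print(label, parsed.get("relative_path"), parsed.get("arguments"), lnk_suspicion(parsed))
```

Run against shortcuts extracted from a quarantined ISO or archive, the parser gives a reviewer the command line the shortcut would launch without double-clicking it, and the heuristics only point at what to look at next; they are deliberately narrow so that ordinary desktop shortcuts do not trip them.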
