
IcedID email hijacking targets Microsoft Exchange servers

Threat actors are spreading the IcedID malware in a new, ongoing email hijacking campaign aimed at vulnerable Microsoft Exchange servers, BleepingComputer reports. According to an Intezer report, the attackers target public-facing, unpatched Exchange servers, exfiltrate credentials, and then send the malicious emails from the compromised internal Exchange servers, so the messages originate from local IP addresses and carry trusted domains. Targets receive a ZIP archive attachment containing an ISO file, which in turn holds an LNK file and a DLL; together these trigger the IcedID loader. Intezer researchers said that an encrypted copy of the IcedID GZiploader is stored in the binary's resource section, then decoded, placed in memory, and executed. The loader then sends basic system information to the command-and-control server in an HTTP GET request, and the server responds by delivering the payload. Trend Micro reported a similar email reply-chain hijacking attack in November.
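The attachment chain described above (ZIP wrapping an ISO that carries an LNK and a DLL, delivered as a reply to an existing thread) can be triaged at the mail gateway without mounting the ISO. The following is an added example written for this page, not code from Intezer, BleepingComputer or the IcedID operators: it parses a message, opens any ZIP attachment in memory, and scans each ISO member's raw bytes for the Shell Link header and for a PE image with the DLL characteristic. The sample message, the file names and the minimal fake DLL are constructed here for illustration; the signatures and header offsets are the documented LNK and PE formats.

```python
"""Triage an email for the ZIP -> ISO -> LNK + DLL attachment chain (added example)."""
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Shell Link (.lnk) file header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag for a DLL image


def pe_is_dll(blob: bytes, mz_offset: int) -> bool:
    """True when the PE image whose 'MZ' stub starts at mz_offset has IMAGE_FILE_DLL set."""
    try:
        e_lfanew = struct.unpack_from("<I", blob, mz_offset + 0x3C)[0]
        pe_off = mz_offset + e_lfanew
        if blob[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
        # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2) -> offset 22 from 'PE\0\0'
        characteristics = struct.unpack_from("<H", blob, pe_off + 22)[0]
        return bool(characteristics & IMAGE_FILE_DLL)
    except struct.error:
        return False


def scan_iso_image(blob: bytes) -> dict:
    """Heuristic scan of a raw ISO-9660 image. File data is stored contiguously in the
    image, so embedded file signatures are visible without parsing the filesystem."""
    has_dll = False
    off = blob.find(b"MZ")
    while off != -1 and not has_dll:
        has_dll = pe_is_dll(blob, off)
        off = blob.find(b"MZ", off + 1)
    return {"lnk": LNK_MAGIC in blob, "dll": has_dll}


def triage_message(raw: bytes) -> list:
    """Return a list of findings for one RFC 822 message (empty list means nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"{name}: not a valid ZIP")
            continue
        for info in zf.infolist():
            if not info.filename.lower().endswith(".iso"):
                continue
            try:
                result = scan_iso_image(zf.read(info))
            except RuntimeError:  # password-protected member: cannot inspect, still worth flagging
                findings.append(f"{name}/{info.filename}: encrypted ZIP member wrapping an ISO")
                continue
            if result["lnk"] and result["dll"]:
                findings.append(f"{name}/{info.filename}: ISO contains LNK + DLL")
    # Reply-chain hijack indicator: a suspicious archive arriving as a reply to an existing thread.
    if findings and msg.get("In-Reply-To") is not None:
        findings.append("message is a thread reply (In-Reply-To set): possible reply-chain hijack")
    return findings


def _fake_dll() -> bytes:
    """Constructed minimal PE stub with the DLL flag set (not executable, headers only)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature right after the stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
    return bytes(hdr) + coff


def _fake_iso() -> bytes:
    """Constructed stand-in for an ISO-9660 image holding an LNK and a DLL."""
    return (b"\0" * 0x8000 + b"\x01CD001\x01" + b"\0" * 2041
            + LNK_MAGIC + b"\0" * 64 + _fake_dll() + b"\0" * 64)


def build_sample_email() -> bytes:
    """Constructed sample message: a thread reply carrying document.zip -> document.iso."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.iso", _fake_iso())
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"      # assumed internal sender, as in the campaign
    msg["To"] = "victim@example.com"
    msg["Subject"] = "RE: invoice"
    msg["In-Reply-To"] = "<original-thread@example.com>"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage_message(build_sample_email()):
        print(line)
```

The byte-signature scan is deliberately lenient: an ISO that contains either artifact alone is not reported, so a benign ISO with a stray shortcut does not fire, but an attacker who compresses or encrypts the members inside the image defeats the raw scan; that is why the encrypted-ZIP branch reports rather than silently skips.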
