Threat actors have been spreading the IcedID malware in a new ongoing email hijacking campaign aimed at vulnerable Microsoft Exchange servers, BleepingComputer reports.
Public-facing and unpatched Microsoft Exchange servers are being targeted by the attackers behind the campaign for credential exfiltration, according to an Intezer report, which also noted that the malicious emails are sent from internal Exchange servers via local IP addresses using trusted domains. Targets receive a ZIP archive attachment containing an ISO file, which in turn holds an LNK file and a DLL file that together trigger the IcedID loader.
Intezer researchers said that an encrypted form of the IcedID GZiploader is stored in the binary's resource section, then decoded, placed in memory and executed. An HTTP GET request is then used to send basic system information to the command-and-control server, which responds by delivering the payload.
A similar email reply-chain hijacking attack was reported by Trend Micro in November.