This nasty malware weasels its way into your email threads
Threat actors want you to think your boss is sending you an attachment
Cybersecurity researchers have identified a new campaign whereby attackers hijack email threads to distribute malware loaders.
Experts from Intezer say that an unknown threat actor is abusing known vulnerabilities in unpatched, compromised Microsoft Exchange servers to steal login credentials.
Once an email account has been compromised, the attackers scan the inbox for email threads with potential targets, and then simply continue the conversation, adding a malicious attachment to the mix.
Continuing the conversation
By continuing an email chain with a party the target already knows, the threat actors aim to keep the chance of detection to a minimum. What’s more, the replies appear to be sent through the compromised organization’s own internal Exchange servers, so they originate from local IP addresses inside an already trusted domain, which further helps them evade antivirus solutions.
The attachment is usually a ZIP archive containing an ISO image, which in turn holds an LNK shortcut and a DLL. Should the target open the "document.lnk" file, the shortcut runs the DLL, which installs the IcedID loader.
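The nested chain just described (ZIP, then ISO, then a shortcut next to a DLL) is something a mail gateway or sandbox can flag without executing anything. The following detector is an added example written for this article; it is not code from Intezer, BleepingComputer or the IcedID research. It unpacks a ZIP in memory, checks whether any member is an ISO 9660 image (the "CD001" volume descriptor at sector 16), and then looks at sector-aligned offsets inside the image for a Windows Shell Link header (HeaderSize 0x4C followed by the Shell Link CLSID) and a PE "MZ" stub. Both signatures are the documented file-format constants; the sample ZIP built by `build_sample_zip()` is a constructed stand-in, not a real campaign artifact, and the 64 MiB member cap is an arbitrary safety limit chosen here.

```python
import io
import zipfile

SECTOR = 2048                      # ISO 9660 logical sector size
ISO_PVD_OFFSET = 16 * SECTOR       # primary volume descriptor lives at sector 16
ISO_MAGIC = b"CD001"               # standard identifier at byte 1 of the descriptor
# Shell Link header: HeaderSize 0x0000004C (LE) + CLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
PE_MAGIC = b"MZ"                   # DOS stub that every PE (EXE/DLL) starts with
MAX_MEMBER = 64 * 1024 * 1024      # assumed cap so a decompression bomb cannot exhaust memory


def looks_like_iso(blob: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor where one is expected."""
    start = ISO_PVD_OFFSET + 1
    return len(blob) > start + len(ISO_MAGIC) and blob[start:start + len(ISO_MAGIC)] == ISO_MAGIC


def carve_sector_aligned(image: bytes) -> dict:
    """Count LNK and PE files stored inside an ISO image.

    ISO 9660 stores file data starting on sector boundaries, so checking only
    every 2048th offset is enough to spot the file headers without parsing
    the directory tree.
    """
    found = {"lnk": 0, "pe": 0}
    for off in range(0, len(image), SECTOR):
        if image.startswith(LNK_HEADER, off):
            found["lnk"] += 1
        elif image.startswith(PE_MAGIC, off):
            found["pe"] += 1
    return found


def scan_zip_attachment(zip_bytes: bytes) -> dict:
    """Flag a ZIP attachment that wraps an ISO image containing a shortcut plus a PE."""
    verdict = {"nested_iso": [], "suspicious": False, "reasons": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER:
                verdict["reasons"].append(f"{info.filename}: member too large, not inspected")
                continue
            data = zf.read(info)
            if not (info.filename.lower().endswith(".iso") or looks_like_iso(data)):
                continue
            found = carve_sector_aligned(data)
            verdict["nested_iso"].append({"name": info.filename, **found})
            if found["lnk"] and found["pe"]:
                verdict["suspicious"] = True
                verdict["reasons"].append(
                    f"{info.filename}: ISO image bundles {found['lnk']} LNK and "
                    f"{found['pe']} PE file(s), matching the LNK-runs-DLL loader pattern"
                )
    return verdict


def build_sample_zip(malicious: bool = True) -> bytes:
    """Construct a synthetic test attachment (not a real sample).

    The ISO is a bare skeleton: 16 empty sectors, a volume descriptor, then a
    sector starting with a Shell Link header and a sector starting with "MZ".
    """
    image = bytearray(ISO_PVD_OFFSET)
    pvd = bytearray(SECTOR)
    pvd[0] = 1                       # descriptor type: primary volume descriptor
    pvd[1:6] = ISO_MAGIC
    image += pvd
    if malicious:
        lnk_sector = bytearray(SECTOR)
        lnk_sector[:len(LNK_HEADER)] = LNK_HEADER
        pe_sector = bytearray(SECTOR)
        pe_sector[:2] = PE_MAGIC
        image += lnk_sector + pe_sector
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.iso", bytes(image))
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_zip(malicious=True)))
    print(scan_zip_attachment(build_sample_zip(malicious=False)))
```

The sector-aligned signature sweep is deliberately cheap: it does not trust file names inside the image (a DLL can be renamed to anything), and it runs before any user double-clicks the shortcut, which is where this campaign relies on the victim. An ISO that contains only a PE, or only a shortcut, is recorded but not flagged on its own; the combination is the signal.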
The campaign seems to be a success, BleepingComputer asserts, as the distribution of the malware has allegedly “spiked”.
IcedID is a modular banking trojan that is usually used to deploy second-stage malware. That’s why researchers believe the threat actor is most likely an initial access broker, who sells access to a compromised network to another party on the black market.
When exactly the campaign started, and who is behind it, cannot be stated with absolute certainty, although Intezer seems to believe a group called TA551 kicked it off some five months ago.
TA551 doesn’t seem to have any connections with nation-states, and allegedly targets organizations in English, German, Italian, and Japanese-speaking regions of the world.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.