New IcedID malware campaign targets unpatched Exchange Server (March 2022)

Another note for administrators of Microsoft Exchange servers. Security researchers have observed a malware campaign that distributes the IcedID banking Trojan and targets Exchange servers that have not received all security updates. The attackers hijack existing email threads and inject malicious payloads into them.


Security vendor Intezer drew attention to the issue in the article New Conversation Hijacking Campaign Delivering IcedID, published on 28 March 2022.

Intezer on IcedID malware

Off-the-shelf malware

Cyber criminals no longer need to break in themselves: they can buy access to victim networks from so-called initial access brokers, who operate the infrastructure that infects the systems. These brokers largely infect their victims with banking Trojans, which are later used to install whatever malware the paying customer has ordered, frequently ransomware.

One of the banking Trojans used to spread ransomware in this way is IcedID (also known as BokBot). IBM X-Force first reported on IcedID in November 2017; the Trojan shares some code with the Pony malware. Originally, like many other banking Trojans, it was built to steal online banking credentials. IcedID was later repurposed as a loader that drops further malware onto infected computers.

Infection via phishing email

One infection vector IcedID uses is phishing email. The usual infection chain consists of an email with a password-protected ZIP archive attached. Inside the archive is a macro-enabled Office document that runs the IcedID installer. In some phishing emails, previously stolen emails are reused to make the attack even harder for the victim to detect.


The tweet embedded above, reporting that threat actors break into police or government email accounts and send fake emergency data requests to service providers in order to obtain information on victims, fits the same pattern. As Brian Krebs reports, they have considerable success with this scam and get hold of the victims' data this way.

New IcedID phishing campaign discovered

In the post New Conversation Hijacking Campaign Delivering IcedID, the security researchers describe a new phishing campaign spreading the IcedID Trojan that was discovered in mid-March 2022. It shows a further development of the threat actors' technique: they compromise Microsoft Exchange servers and then send phishing emails from accounts on those servers, replying to mails that are already sitting in the mailboxes. Because genuine, existing conversations are being answered, the phishing attempt is very difficult for the victims to detect.

IcedID infection chain, source: Intezer

The payload has also shifted from Office documents to ISO files containing a Windows LNK file and a DLL file. Windows applies the mark-of-the-web to the downloaded ISO itself, but not to the files inside it once the image is mounted, so the malware runs without the usual warning to the user. Targets include companies in the energy, healthcare, legal and pharmaceutical sectors.

IcedID phishing mail

The attack chain begins with a phishing email. The email talks about an important document and carries a password-protected ZIP archive as an attachment; the password is given in the email text, as the screenshot shows. What makes the phishing email even more convincing is conversation hijacking (thread hijacking): the message is a fake reply to a previously stolen email, and it is sent from the very account from which that email was stolen.

The ZIP archive contains a single ISO file with the same filename as the archive. The ISO file holds an LNK file called "document" and a DLL file called "main"; the payloads are generated close to the time the mails are sent. The LNK file is made to look like a document via an embedded icon. As soon as the user double-clicks the shortcut, it runs a "regsvr32" command that executes the DLL.

Running main.dll through regsvr32, a signed Windows binary, is a proxy-execution technique that helps bypass defences which only watch for unsigned or unknown executables. The DLL itself acts as a loader for the IcedID payload. It exposes a number of exports, most of which consist of junk code; the loader pulls the encrypted payload from the resource section of the binary and resolves the Windows API functions it needs by hash rather than by name, so the imports do not betray its purpose.
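The delivery chain described in the paragraphs above can be caught at two points: when the attachment arrives (a password-protected ZIP whose only member is an ISO named like the archive) and when the shortcut fires (regsvr32 started from Explorer and loading a DLL from the root of a freshly mounted drive). The following is an added example by the editor, not Intezer's or the blog's code: the ZIP archive is constructed in memory, and the process-creation events are constructed Sysmon-style dicts whose field names (Image, ParentImage, CommandLine) are an assumption rather than any product's real schema.

```python
"""Triage checks for the IcedID ZIP -> ISO -> LNK -> regsvr32 chain (added example)."""
from __future__ import annotations

import io
import re
import zipfile
from pathlib import PurePath

ZIP_ENCRYPTED = 0x1  # general purpose bit 0 of a zip entry: "encrypted"
# Places a legitimately registered COM DLL normally lives (prefix match, lowercase).
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files")


def triage_zip_attachment(archive_name: str, data: bytes) -> list[str]:
    """Return the lure traits found in a ZIP attachment (empty list = nothing suspicious)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    members = zf.infolist()
    reasons = []
    if any(m.flag_bits & ZIP_ENCRYPTED for m in members):
        reasons.append("password-protected archive")
    isos = [m for m in members if m.filename.lower().endswith(".iso")]
    if isos:
        reasons.append("archive contains a disk image (.iso)")
        expected = PurePath(archive_name).stem.lower() + ".iso"
        if len(members) == 1 and isos[0].filename.lower() == expected:
            reasons.append("single ISO member named like the archive")
    return reasons


def triage_process_event(event: dict) -> list[str]:
    """Flag regsvr32 being used to proxy-execute a DLL from an unusual location."""
    if not event.get("Image", "").lower().endswith("\\regsvr32.exe"):
        return []
    reasons = []
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("regsvr32 started from Explorer (double-clicked shortcut)")
    # Tokenise the command line, honouring double quotes around paths with spaces.
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', event.get("CommandLine", ""))]
    dlls = [t for t in tokens if t.lower().endswith(".dll")]
    if dlls:
        dll = dlls[0].lower()
        if "\\" not in dll:
            reasons.append("DLL given by relative path (resolves from the shortcut's working directory)")
        elif not dll.startswith(TRUSTED_DLL_PREFIXES):
            reasons.append(f"DLL loaded from non-standard path {dll}")
        if re.match(r"^[a-z]:\\[^\\]+\.dll$", dll) and not dll.startswith("c:"):
            reasons.append(f"DLL sits in the root of drive {dll[:2].upper()} (looks like a mounted ISO)")
    return reasons


def build_zip(members: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted entries, so the
    'encrypted' flag bit is patched into the local (offset 6) and central directory
    (offset 8) headers afterwards; the member data stays plain dummy bytes that must
    not contain a 'PK' signature themselves."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, payload in members.items():
            zf.writestr(fname, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + offset] |= ZIP_ENCRYPTED
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


# Constructed Sysmon-style events (not real telemetry): the LNK-triggered load from a
# mounted ISO, a legitimate installer registering a vendor DLL, and an unrelated process.
EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" E:\main.dll'},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    lure = build_zip({"Invoice_0322.iso": b"\x00" * 64}, encrypted=True)
    print(triage_zip_attachment("Invoice_0322.zip", lure))
    for ev in EVENTS:
        print(ev["CommandLine"], "->", triage_process_event(ev))
```

The ZIP check deliberately scores the three traits separately: a password-protected archive alone is common in legitimate mail, an ISO inside a ZIP is rarer, and a lone ISO carrying the archive's own name is the pattern this campaign used. On the endpoint side, the Explorer parent plus a DLL at the root of a non-system drive is the combination produced by double-clicking the shortcut inside a mounted image; a vendor installer registering a DLL under Program Files produces no hits.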

Most of the compromised Exchange servers the security researchers observed appear to be unpatched and reachable from the Internet, and the suspicion is that the ProxyShell vulnerabilities were used to get in. However, the researchers also found phishing emails sent via what appears to be an internal Exchange server. Details of the mails and the payloads can be read in the article New Conversation Hijacking Campaign Delivering IcedID. The lesson from this campaign: make sure Exchange servers are not needlessly exposed to the Internet (for example via OWA) and, above all, that they are kept up to date with the latest security updates.


