Posted on March 29, 2022 at 11:23 AM

Hackers hijack conversations in a new email phishing campaign

Email phishing campaigns have become quite popular among hackers. Email phishing campaigns are done by hackers to gain access to user devices to steal sensitive information.

In the recently detected email phishing campaign, hackers were using a technique of hijacking conversations to deliver the IcedID information-stealing malware. This malware was then deployed into the infected devices through unpatched Microsoft Exchange servers exposed to the public.

Hackers unleash a new email phishing campaign

Intezer, an Israeli-based company, exposed the details of this new phishing campaign. In this new campaign, the hackers are using focusing on credibility to lure the targeted people into opening the attachments.

“The emails use a social engineering technique of conversation hijacking (also known as thread hijacking). A forged reply to a previous stolen email is being used to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate,” the Intezer report said.

These phishing campaigns target organizations that deal in critical sectors such as energy, healthcare, law and the pharmaceutical sector. The latest wave of email phishing campaigns using this technique and targeting the said organizations was detected in mid-March 2022.

IcedID, also known as BokBot, is a banking trojan that functions similarly to TrickBot and Emotet. The banking trojan has evolved significantly in usage, and it is now being adopted as an entry point for launching sophisticated threats. Some of the attacks conducted using this malware include the Cobalt Strike adversary simulation tool and the human-operated ransomware.

IcedID has a lot of potential, hence its growing usage by cybercriminals. IcedID can be used to connect a remote server and then download the next-stage implants and tools. The attacker then uses these features to conduct follow-up activities and gain freedom of moving across the affected networks. This empowers the attacker to distribute more malware through a single entry point.

This is not the first time this form of attack has been detected and reported. In June last year, Proofpoint, a cybersecurity organization, reported a new technique used by cybercriminals, where the initial access brokers were used to infiltrate the targeted networks. These brokers accessed these networks using first-stage malware payloads such as IcedID to deploy Egregor, Maze and REvil ransomware payloads.

Phishing campaigns exploiting vulnerable Microsoft Exchange servers

The current version of IcedID is different. Previously, IcedID campaigns targeted website contract forms to send malware links to the targeted organizations. With the current version of IcedID campaigns, the attackers exploit vulnerable Microsoft Exchange servers.

“The majority of the originating Exchange servers we have observed appear to also be unpatched and publicly exposed, making the ProxyShell vector a good theory. While most of the Exchange servers used to send the phishing emails can be accessed by anyone over the internet, we have also seen a phishing email sent internally on what appears to be an ‘internal’ exchange server,” the report added.

The servers are exploited to send malicious emails from an account that has already been hijacked. This is a notable evolvement from how IcedID operations used to be conducted.

Cybersecurity researchers Joakim Kennedy and Ryan Robinson commented on the development, saying, “The payload has also moved away from using Office documents to the use of ISO files with a Windows LNK file and a DLL file. The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user.”

These attacks were being done to guarantee credibility to the recipients of these emails. The malware was distributed as a fraudulent reply to an existing email thread. The email thread previously existed with the target victims. To make the email appear authentic, the researchers sent these replies using the actual email address of the compromised individual.

The researchers concluded that “The use of conversation hijacking is a powerful social engineering technique that can increase the rate of a successful phishing attempt. The payload has been moved away from office documents to the use of ISO files, employing the use of commodity packers and multiple stages to hide activity. It is important to be able to detect malicious files in memory to detect this type of attack.”