Threat Actors Hijack Email Reply Chains on Vulnerable Exchange Servers to Deliver IcedID Malware

A new email phishing operation has been noticed employing the conversation hijacking strategy to distribute the IcedID banking trojan-type malware onto compromised computers via unpatched and publicly-exposed Microsoft Exchange servers.

According to an Intezer report shared with The Hacker News,

The emails use a social engineering technique of conversation hijacking (also known as thread hijacking). A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate.

The most recent wave of attacks, which began in mid-March 2022, is believed to have targeted businesses in the energy, healthcare, legal, and pharmaceutical industries.

What Is IcedID?

IcedID (also known as BokBot) is a banking trojan-type malware that allows malicious actors to steal victims’ banking information. It was first discovered by security researchers in 2017.

More advanced threats, such as human-operated ransomware and the Cobalt Strike threat emulation software, have used this malware as an entry point.

IcedID M.O.

The IcedID banking trojan can communicate with a remote server and download next-stage implants and software, enabling threat actors to perform follow-on activities and

Read More: