IcedID Malware Used By Hackers On Compromised Microsoft Exchange Servers To Spam Out Emails 
Reading Time: 2 minutes

IcedID malware used by hackers on compromised Microsoft Exchange servers to spam out emails designed to infect people’s PCs.

IcedID malware once triggered by tricked victims runs and opens a backdoor leading to more malware being injected into their system. Victims generally receive an encrypted .zip as an attachment, with the password in the email text, and instructions to open the contents of the archive. Once the downloader is triggered, IcedID is deployed on the computer.

IBM’s X-Force threat hunters discovered IcedID back in 2017, it was primarily designed to steal victims’ online banking credentials. It reappeared last year when hackers compromised a BP Chargemaster domain to spam out emails to spread IcedID.

According to Fortinet’s FortiGuard Labs, they viewed an email sent to a Ukrainian fuel company with a .zip containing a file that when opened drops IcedID on the PC.

Intezer, a security firm, said they discovered unsecured Microsoft Exchange servers spamming out IceID emails. The campaign was running in mid-March and targeted energy, healthcare, law, and pharmaceutical organizations. 

They further added, the servers were not up to date with security fixes which allowed the hackers to exploit them. Thus enabling the ProxyShell vulnerabilities to take over the installations and send out malicious spam.

Intezer’s Joakim Kennedy and Ryan Robinson mentioned, “The majority of the originating Exchange servers we have observed appear to also be unpatched and publicly exposed, making the ProxyShell vector a good theory.”

He further explained, “While the majority of the Exchange servers used to send the phishing emails can be accessed by anyone over the internet, we have also seen a phishing email sent internally on what appears to be an ‘internal’ Exchange server.” 

IcedID Operators
Intezer has found links between the IcedID campaign and the cyber-crime gang labeled TA551. Proofpoint also in its June 2021report mentioned TA577 and TA551’s preference for using IcedID as their malware. 

Intezer researchers further explained, “The techniques used by TA551 include conversation hijacking and password protected zip files. The group is also known to use regsvr32.exe for signed binary proxy execution for malicious DLLs.”

They pointed out four indicators of compromise for network defenders, in the form of SHA-256 hashes for files and the command-and-control domain name:

ISO File:

3542d5179100a7644e0a747139d775dbc8d914245292209bc9038ad2413b3213

Loader DLL:

698a0348c4bb8fffc806a1f915592b20193229568647807e88a39d2ab81cb4c2

LNK File:

a17e32b43f96c8db69c979865a8732f3784c7c42714197091866473bcfac8250

IcedID GZiploader Network:

Yourgroceries[.]top

The security firm has recommended organizations to use an endpoint scanner as the attack requires security tools to detect malicious files in memory. 

Related Articles:
Redis Servers under Muhstik Botnet Attack using Recently Disclosed Vulnerability
Okta Accepts its Mistake in Handling the Lapsus$ Attack
Chatbot Scam- Cyber Criminals Sending Phishing Emails to Trace Deliveries