IcedID malware, in the hijacked email thread, with the insecure Exchange servers (Security News, March 2022)

Cyber-criminals are using compromised Microsoft Exchange servers to spam out emails designed to infect people's PCs with IcedID, a banking trojan that now serves mainly as a loader for follow-on malware.
The malware was in the news last year when crooks hijacked a BP Chargemaster domain to spam out emails spreading IcedID. On Monday, Fortinet's FortiGuard Labs said it had observed an email sent to a Ukrainian fuel company with a .zip attachment containing a file that, when opened, drops IcedID on the PC. Security vendor Intezer also said on Monday that it had seen unsecured Microsoft Exchange servers spamming out IcedID emails.
"While the majority of the Exchange servers used to send the phishing emails can be accessed by anyone over the internet, we have also seen a phishing email sent internally on what appears to be an 'internal' Exchange server."
The miscreants use conversation or thread hijacking to make the email look more convincing: the malicious message is sent as a reply to an existing email conversation, so it arrives from a known correspondent, through a mail server the recipient has every reason to trust, rather than as an unsolicited message from a stranger.
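Because the mail is relayed by a genuine, if compromised, Exchange server, sender authentication (SPF, DKIM, DMARC) will typically pass, so a defender has to look at the shape of the message instead. The following is an added triage example written for this page, not code from The Register, Intezer or Fortinet: it parses a raw RFC 822 message, checks whether it is reply-shaped (In-Reply-To or References header, or a Re:/Fw: subject), and inspects any .zip attachment for members with extensions that a business reply would not normally carry. The sample messages, the .test domains and the list of risky extensions are all constructed for the example; the article only says the attachment was a .zip containing a file that drops IcedID when opened.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that, inside a zip arriving as a "reply", deserve a second look.
# This list is an assumption for the example, not taken from the article.
RISKY_MEMBER_EXTENSIONS = (
    ".exe", ".dll", ".lnk", ".iso", ".img", ".js", ".vbs", ".hta", ".scr", ".cmd", ".bat",
)


def looks_like_reply(msg: EmailMessage) -> bool:
    """True if the message is shaped like a reply within an existing thread."""
    subject = (msg.get("Subject") or "").strip().lower()
    threaded = msg.get("In-Reply-To") is not None or msg.get("References") is not None
    return threaded or subject.startswith(("re:", "fw:", "fwd:"))


def risky_zip_members(msg: EmailMessage) -> list:
    """Names of members with a risky extension across every .zip attachment."""
    found = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if not filename.endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith(RISKY_MEMBER_EXTENSIONS):
                        found.append(name)
        except zipfile.BadZipFile:
            # A corrupt or non-zip payload with a .zip name is itself worth flagging.
            found.append(filename + " (unreadable zip)")
    return found


def classify(raw: bytes) -> dict:
    """Combine the two indicators: reply-shaped mail carrying a zip with risky content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reply_shaped = looks_like_reply(msg)
    members = risky_zip_members(msg)
    return {
        "reply_shaped": reply_shaped,
        "risky_members": members,
        "suspicious": reply_shaped and bool(members),
    }


# --- constructed sample data (not real campaign artefacts) -------------------

def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(subject: str, attachment_name: str, attachment: bytes, in_reply_to=None) -> bytes:
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.test"      # hypothetical sender
    msg["To"] = "finance@fuelco.test"           # hypothetical recipient
    msg["Subject"] = subject
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
        msg["References"] = in_reply_to
    msg.set_content("Please see the attached.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


THREAD_ID = "<20220325.1234@fuelco.test>"  # hypothetical Message-ID of the hijacked thread
HIJACKED_SAMPLE = build_sample("RE: Fuel delivery schedule", "request.zip",
                               build_zip({"request.lnk": b"not a real shortcut"}), THREAD_ID)
BENIGN_SAMPLE = build_sample("RE: Fuel delivery schedule", "schedule.zip",
                             build_zip({"schedule.pdf": b"%PDF-1.4 placeholder"}), THREAD_ID)
COLD_SAMPLE = build_sample("Invoice", "invoice.zip",
                           build_zip({"invoice.js": b"// placeholder"}))

if __name__ == "__main__":
    for label, sample in (("hijacked", HIJACKED_SAMPLE), ("benign", BENIGN_SAMPLE), ("cold", COLD_SAMPLE)):
        print(label, classify(sample))
```

The cold sample shows the deliberate scoping: a zip with a script inside but no thread context is still worth a look, but it is not the thread-hijacking pattern this page describes, so `suspicious` stays false and the risky member list is left for a separate rule to act on.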
IcedID fingerprints the infected machine and reports back to its operators. Presumably, if that fingerprint marks the system as one the miscreants are interested in, IcedID is instructed to carry out further action, such as deploying ransomware or other extortionware, exfiltrating data or credentials, and so on.
While Intezer doesn't draw a direct line between this IcedID campaign and the cyber-crime gang labeled TA551, its analysis does note a June 2021 report by Proofpoint that highlighted the preference of TA577 and TA551 for IcedID as their malware of choice.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/29/icedid_microsoft_exchange_phishing/
Related news
- One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs
- The curious story of Uncle Sam's HR dept, a hastily set up email server, and fears of another cyber disaster
- DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects