Security News > 2022 > March > IcedID malware, in the hijacked email thread, with the insecure Exchange servers

Cyber-criminals are using compromised Microsoft Exchange servers to spam out emails designed to infect people's PCs with IcedID,.

It popped up last year when crooks hijacked a BP Chargemaster domain to spam out emails to spread IcedID. On Monday, Fortinet's FortiGuard Labs said it observed an email sent to a Ukrainian fuel company with a.zip containing a file that when opened drops IcedID on the PC. Security vendor Intezer also on Monday said it had seen unsecured Microsoft Exchange servers spamming out IcedID emails.

"While the majority of the Exchange servers used to send the phishing emails can be accessed by anyone over the internet, we have also seen a phishing email sent internally on what appears to be an 'internal' Exchange server."

The miscreants use conversation or thread hijacking to make the email look more convincing.

One assumes if the system fingerprint indicates a system the miscreants are interested in, IcedID would be instructed to carry out further action, such as injecting extortionware, exfiltrate data or credentials, and so on.

While Intezer doesn't draw a direct line between this IcedID campaign and the cyber-crime gang labeled TA551, the analysis does note a June 2021 report by Proofpoint that highlighted TA577 and TA551's preference for using IcedID as their malware.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/29/icedid_microsoft_exchange_phishing/