The banking Trojan IcedID (BokBot) is back with a new phishing campaign that targets unpatched and previously compromised Microsoft Exchange servers and uses them to send emails that appear to come from legitimate accounts. Once an account is compromised, the attackers scan the inbox for potential targets, reply within existing conversations, and add a malicious attachment.
Researchers from Intezer uncovered the campaign earlier this month. The security firm says the attackers used thread hijacking to send malicious messages from compromised internal Exchange servers, so the mail originates from local IP addresses, which adds an extra layer of evasion to the whole operation.
The email usually carries a ZIP archive attachment that contains an ISO file holding an LNK or DLL file. If the user runs the 'document.lnk' file, installation of the IcedID loader begins.
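The ZIP -> ISO -> LNK/DLL chain described above can be triaged at the mail gateway without mounting the image: look for a ZIP member that carries the ISO 9660 volume descriptor and, inside it, a Windows shell-link header or a PE image. The following Python heuristic is an added example, not code from the article or from Intezer; the sample attachment it checks is constructed in memory, and the file magics are standard format identifiers, not values taken from the campaign.

```python
import io
import struct
import zipfile

ISO_MAGIC = b"CD001"      # ISO 9660 volume descriptor identifier
ISO_PVD_OFFSET = 0x8000   # sector 16 holds the primary volume descriptor
# Windows Shell Link (.lnk) header: HeaderSize 0x4C followed by the ShellLink CLSID
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

def looks_like_iso(data):
    """ISO 9660 images carry 'CD001' at byte 1 of the primary volume descriptor."""
    return data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC

def embedded_pe_count(data):
    """Count MZ headers whose e_lfanew really points at a 'PE\\0\\0' signature."""
    count, pos = 0, data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                count += 1
        pos = data.find(b"MZ", pos + 1)
    return count

def inspect_attachment(zip_bytes):
    """Return (member name, findings) for ISO members that nest LNK or PE payloads."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if not looks_like_iso(data):
                continue  # only the ZIP -> ISO pattern is of interest here
            findings = []
            if LNK_HEADER in data:
                findings.append("lnk")
            if embedded_pe_count(data):
                findings.append("pe")
            if findings:
                suspicious.append((info.filename, findings))
    return suspicious

def build_sample_attachment():
    """Constructed test input: a ZIP holding a minimal fake ISO with an LNK header and a DLL stub."""
    iso = bytearray(ISO_PVD_OFFSET)
    iso += b"\x01" + ISO_MAGIC + b"\x01" + b"\x00" * 0x800  # fake primary volume descriptor
    iso += LNK_HEADER + b"\x00" * 32                         # stand-in for document.lnk
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)                   # e_lfanew -> PE signature
    iso += pe + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.iso", bytes(iso))
    return buf.getvalue()
```

A hit on both "lnk" and "pe" inside one ISO member is a strong signal for this delivery chain, while a lone PE can be legitimate installer media and needs further review.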
The banking Trojan is usually used to deploy second-stage malware. Security researchers say the attacker may be an access broker, someone who sells ransomware groups the network and system access they need for data theft.
The exact date and extent of the campaign are not yet known. However, Intezer believes that a group called TA551 may have started the attack five months ago.