Cybersecurity researchers at Intezer, an Israeli security firm, have identified a new email phishing campaign that employs conversation hijacking to deliver the IcedID info-stealing malware onto compromised devices, making use of vulnerable Microsoft Exchange servers.
"The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," researchers Joakim Kennedy and Ryan Robinson explained. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate."
The most recent wave of attacks, spotted in mid-March 2022, is believed to have targeted businesses within the energy, healthcare, law, and pharmaceutical sectors.
IcedID (also known as BokBot) is a banking trojan that has evolved into an entry point for more sophisticated threats, including human-operated ransomware and the Cobalt Strike adversary simulation tool.
The banking trojan can communicate with a remote server and download next-stage implants and tools that let attackers carry out follow-on activities and move laterally through affected networks to spread additional malware.
In June 2021, the American enterprise security company Proofpoint described an evolving trend in the cybercrime landscape in which initial access brokers were observed breaching target networks with first-stage malware payloads such as IcedID in order to deploy Egregor, Maze, and REvil ransomware.
Whereas previous IcedID campaigns used website contact forms to deliver malware-laced links to organizations, the current version of the campaign relies on vulnerable Microsoft Exchange servers to send the lure emails from a hijacked account, marking a further evolution of the social engineering scheme.
"The payload has also moved away from using Office documents to the use of ISO files with a Windows LNK file and a DLL file," researchers added. "The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user."
To make the phishing emails appear more legitimate, the victim's email address is used to send fraudulent replies to an existing email thread stolen from the compromised individual's account.
"The use of conversation hijacking is a powerful social engineering technique that can increase the rate of a successful phishing attempt. By using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products," the researchers concluded.
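The two traits the report singles out, a forged reply to an existing thread and an ISO disc image in place of an Office document, are easy to check for at the mail gateway. The following is an added example written for this page, not code from Intezer or from the article; the sample message, addresses and ISO bytes are constructed, and the list of container extensions is the editor's assumption about which formats Windows mounts without propagating the Mark-of-the-Web.

```python
"""Flag email attachments matching the IcedID lure described above: a reply
to an existing thread carrying a disc image instead of an Office document.
Added example, not from the Intezer report. All sample data is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Container formats that Windows mounts rather than extracts, so the
# Zone.Identifier stream (Mark-of-the-Web) on the container is not carried
# over to the files inside it. Assumed list for this example.
MOTW_BYPASS_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}

# ISO 9660 primary volume descriptor: type byte 0x01 followed by "CD001"
# at byte offset 0x8000 (sector 16 of 2048-byte sectors).
ISO_MAGIC_OFFSET = 0x8000
ISO_MAGIC = b"\x01CD001"


def is_iso9660(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 primary volume descriptor."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def analyze_message(raw: bytes) -> dict:
    """Return findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    findings = {
        # Thread-hijacked lures arrive as replies, so record reply markers.
        "looks_like_reply": subject.lower().startswith("re:")
                            or msg.get("In-Reply-To") is not None,
        "container_attachments": [],
        "iso_content_mismatch": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in MOTW_BYPASS_EXTENSIONS:
            findings["container_attachments"].append(name)
        # An ISO image renamed to another extension is still an ISO image.
        if is_iso9660(payload) and ext != ".iso":
            findings["iso_content_mismatch"].append(name)
    findings["suspicious"] = findings["looks_like_reply"] and (
        bool(findings["container_attachments"])
        or bool(findings["iso_content_mismatch"]))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: a forged reply with a minimal ISO 9660 attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example-victim.test"      # constructed address
    msg["To"] = "bob@example-partner.test"          # constructed address
    msg["Subject"] = "RE: invoice for March"
    msg["In-Reply-To"] = "<original-thread-id@example-partner.test>"
    msg.set_content("Please see the attached document.")
    # Only the primary volume descriptor is needed for the magic check.
    iso = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 2041
    msg.add_attachment(iso, maintype="application",
                       subtype="x-iso9660-image", filename="document.iso")
    return bytes(msg)


if __name__ == "__main__":
    print(analyze_message(build_sample_message()))
```

The magic-byte check matters because a gateway rule keyed only on the `.iso` extension is trivially sidestepped by renaming; a full inspection of the image for the LNK-plus-DLL pairing the report describes would additionally need an ISO 9660 directory parser, which is out of scope here. Because the lure is sent from the genuine compromised mailbox through Exchange, sender-authentication checks such as SPF or DKIM will pass, so the attachment type is the more reliable signal.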