IcedID Spreads with Compromised Microsoft Exchange Servers

Industry: N/A | Level: Tactical | Source: Intezer

A new threat campaign associated with malware, IcedID has been observed by Intezer. The malware has evolved over the years from a banking trojan, to malware that's often used to deploy additional malware on compromised machines. The latest infection chain identified from Intezer, discovered assailants are initiating attacks from compromised Microsoft Exchange servers to send emails from hijacked conversation threads to increase legitimacy. Historically, IcedID has relied on the use of malicious office documents, however in the latest chain a zip file containing a malicious ISO with a DLL and LNK file is used to distribute the malware. The LNK masquerades as an office document shortcut however when triggered, regsvr32 is used to execute the DLL file.

• Anvilogic Use Cases:
• Suspicious Email Attachment
• Compressed File Execution
• regsvr32 Execution