A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto target machines, abusing unpatched and publicly exposed Microsoft Exchange servers to do so.
“The emails use a social engineering technique of conversation hijacking (also known as thread hijacking),” Israeli company Intezer said in a report shared with The Hacker News. “A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate.”
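As an added example (not from the article or from Intezer's report), a defender-side triage heuristic for the forged-reply pattern described above: it parses a message with Python's standard `email` module and flags replies that carry a risky attachment, additionally noting a sender domain outside a trusted set. The risky-extension list, the trusted-domain set and the sample message are assumptions constructed for this example.

```python
# Triage heuristic for thread-hijacking phishing (added example, constructed samples).
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types treated as risky when attached to a reply (an assumption for this example).
RISKY_EXTENSIONS = (".zip", ".iso", ".img", ".lnk", ".js")

def is_reply(msg: EmailMessage) -> bool:
    """A reply carries threading headers or a 'Re:' subject."""
    subject = (msg["Subject"] or "").strip().lower()
    return bool(msg["In-Reply-To"] or msg["References"]) or subject.startswith("re:")

def risky_attachments(msg: EmailMessage) -> list[str]:
    """Filenames of attachments whose extension is on the risky list."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]

def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From address, lower-cased."""
    return parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()

def thread_hijack_indicators(raw: bytes, trusted_domains: set[str]) -> list[str]:
    """Indicators for one raw message; only replies carrying risky attachments are flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_reply(msg):
        return []
    risky = risky_attachments(msg)
    if not risky:
        return []
    findings = [f"reply carries risky attachment(s): {', '.join(risky)}"]
    if sender_domain(msg) not in trusted_domains:
        findings.append(f"reply sent from untrusted domain: {sender_domain(msg)}")
    return findings

def build_sample(with_attachment: bool) -> bytes:
    """Constructed forged reply that quotes an earlier thread and optionally adds an archive."""
    msg = EmailMessage()
    msg["From"] = "Accounts <billing@partner.example.net>"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Re: Q1 contract renewal"
    msg["In-Reply-To"] = "<20220301.1234@example.com>"  # id of the stolen thread, constructed
    msg.set_content("Please see the updated document attached.")
    if with_attachment:
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

The heuristic is a triage score, not a verdict: a reply sent through a compromised server can pass domain checks, so the attachment-on-reply indicator is the one that matters most here.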
The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors.
IcedID, aka BokBot, like its counterparts TrickBot and Emotet, is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware and the Cobalt Strike adversary simulation tool.
It’s capable of connecting to a remote server and downloading next-stage implants and tools that allow attackers to carry out follow-on activities and move laterally across affected networks to distribute additional malware.