Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers.

“The emails use a social engineering technique of conversation hijacking (also known as thread hijacking),” Israeli company Intezer said in a report shared with The Hacker News. “A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate.”

The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within the energy, healthcare, law, and pharmaceutical sectors.

IcedID, aka BokBot, like its counterparts TrickBot and Emotet, is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware and the Cobalt Strike adversary simulation tool.

It’s capable of connecting to a remote server and downloading next-stage implants and tools that allow attackers to carry out follow-on activities and move laterally across affected networks to distribute additional malware. Read more:https://bit.ly/3uDs6W2

Leave a Reply

Your email address will not be published. Required fields are marked *