{
	"id": "7c15252e-0fcd-4781-8ca1-42e9b568c1cc",
	"created_at": "2026-04-10T03:21:36.72291Z",
	"updated_at": "2026-04-10T03:22:18.139672Z",
	"deleted_at": null,
	"sha1_hash": "3cb9b8479c855b758aa23431dbeb47798c8f0ea8",
	"title": "Exchange Servers Speared in IcedID Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83869,
	"plain_text": "Exchange Servers Speared in IcedID Phishing Campaign\r\nBy Elizabeth Montalbano\r\nPublished: 2022-03-29 · Archived: 2026-04-10 03:17:39 UTC\r\nThe ever-evolving malware shows off new tactics that use email thread hijacking and other obfuscation techniques to evade detection.\r\nThe ever-evolving banking trojan IcedID is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. Attackers are also using stealthy new payload-delivery tactics to spread the modular malware.\r\nResearchers from Intezer earlier this month uncovered the campaign, which employs thread hijacking to send malicious messages from stolen Exchange accounts, adding an extra layer of evasion to the campaign’s malicious activity, wrote researchers Joakim Kennedy and Ryan Robinson in a blog post published Monday.\r\nThe actors behind IcedID – as well as other spearphishers – have previously used phishing emails that “reuse previously stolen emails to make the lure more convincing,” researchers wrote. However, this time the threat has evolved in a couple of key ways that make it even more dangerous to targets, which include organizations in the energy, healthcare, legal and pharmaceutical sectors, researchers noted.\r\nNot only is the threat actor now using compromised Microsoft Exchange servers to send the phishing emails from the stolen accounts, but the delivery of the malicious payload has also shifted in a way that can execute malware without the user even knowing, researchers said.\r\n“The payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file,” researchers wrote. “The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user.”\r\nPreviously, the infection chain most commonly associated with IcedID phishing campaigns has been an email with an attached password-protected ZIP archive that contains a macro-enabled Office document, which executes the IcedID installer.\r\nBreakdown of the Attack Chain\r\nThe new campaign starts with a phishing email that includes a message about an important document and a password-protected ZIP archive attached, the password for which is included in the email body.\r\nThe email seems extra convincing to users because it uses what’s called “thread hijacking,” in which attackers use a portion of a previous thread from a legitimate email found in the inbox of the stolen account.\r\nhttps://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/\r\nPage 1 of 3\r\n“By using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products,” researchers wrote.\r\nThe majority of the originating Exchange servers that researchers observed in the campaign appear to be unpatched and publicly exposed, “making the ProxyShell vector a good theory,” they wrote. ProxyShell is a remote-code execution (RCE) bug discovered in Exchange Servers last year that has since been patched but has been heavily exploited by attackers.\r\nOnce unzipped, the archive contains a single ISO file with the same file name as the ZIP archive, created not long before the email was sent. That ISO file includes two files: a LNK file named “document” and a DLL file named “main,” also prepared relatively recently and potentially used in previous phishing emails, researchers said.\r\nWhen a user double-clicks the LNK file, it uses “regsvr32” to execute the DLL file, which allows for proxy execution of malicious code in main.dll for defense evasion, they wrote in the post. The DLL file is a loader for the IcedID payload.\r\nThe loader locates the encrypted payload, which is stored in the resource section of the binary, through API hashing. The resulting hash is compared with a hardcoded hash, locating the call for FindResourceA, which is dynamically called to fetch the encrypted payload, researchers wrote.\r\nThe ultimate step in the attack chain is that the IcedID “Gziploader” payload is decoded, placed in memory and then executed. The Gziploader fingerprints the machine and sends a beacon to the command-and-control (C2) server, located at yourgroceries[.]top, with information about the infected host, which can then be used for further nefarious activity.\r\nEvolution of a Threat\r\nResearchers at IBM first discovered IcedID back in 2017 as a trojan targeting banks, payment card providers, mobile services providers, payroll, web mail and e-commerce sites.\r\nThe malware has evolved over the years and already has a storied history of clever obfuscation. For example, it resurfaced in a COVID-19-themed campaign with new functionality that uses steganography – the practice of hiding code within images to stealthily infect victims – as well as other enhancements.\r\nThe new campaign is evidence of its further evolution and could signify that IcedID is indeed becoming, as many fear, the new Emotet – a modular threat that began as a trojan but steadily evolved into one of the most dangerous malware families ever seen.\r\n“This attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary,” observed Saumitra Das, CTO and co-founder at security firm Blue Hexagon, in an email to Threatpost.\r\nThis time and effort, in turn, shows a level of sophistication on the part of those behind IcedID in that they have thorough knowledge of contemporary email protections and are continuously adding new tactics as security also grows and evolves, he said.\r\n“Many email security systems use reputation of senders to block malicious email without being able to assess the email itself,” Das noted. “Here, they used compromised Exchange servers to make it through.”\r\nThe group’s use of obfuscated file formats to deliver malware, as well as the final payload’s delivery over the network, also demonstrates that the threat actors know how to evade signatures and sandboxes, he added.\r\n“These attacks often go much deeper than simply stealing data,” concurred Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, in an email to Threatpost. “The cybercriminals take the time to read through the mailboxes to understand the inter-organization relationships and operating procedures.\r\n“To protect themselves from similar attacks, it’s critical that organizations ensure that they apply security patches promptly and thoroughly in their environment,” he added. However, what is historically true for patching remains true now: that it’s “a task that’s easier said than done,” Clements acknowledged.\r\n“It really takes a cultural approach to cybersecurity to plan for failures in defenses like patch management,” he said.\r\nSource: https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/"
	],
	"report_names": [
		"179137"
	],
	"threat_actors": [],
	"ts_created_at": 1775791296,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cb9b8479c855b758aa23431dbeb47798c8f0ea8.pdf",
		"text": "https://archive.orkl.eu/3cb9b8479c855b758aa23431dbeb47798c8f0ea8.txt",
		"img": "https://archive.orkl.eu/3cb9b8479c855b758aa23431dbeb47798c8f0ea8.jpg"
	}
}