{
	"id": "f5c17782-48fb-48fa-9293-dc596d48e1cd",
	"created_at": "2026-04-06T00:18:40.96751Z",
	"updated_at": "2026-04-10T03:37:23.77582Z",
	"deleted_at": null,
	"sha1_hash": "5ba4588460d7fd49a5895d1faa5ffe494627e491",
	"title": "New Conversation Hijacking Campaign Delivering IcedID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2333166,
	"plain_text": "New Conversation Hijacking Campaign Delivering IcedID\r\nBy Joakim Kennedy\r\nPublished: 2022-03-28 · Archived: 2026-04-05 13:48:45 UTC\r\nThis post describes the technical analysis of a new campaign detected by Intezer’s research team, which initiates\r\nattacks with a phishing email that uses conversation hijacking to deliver IcedID.\r\nThe underground economy is constantly evolving, with threat actors specializing in specific fields. One field that\r\nhas bloomed in the last few years is initial access brokers. Initial access brokers specialize in gaining an initial\r\nbeachhead in organizations and, once achieved, selling the access to other threat actors that monetize it further. \r\nSome customers of initial access brokers buy the access to deploy ransomware. Proofpoint has identified ten\r\naccess brokers that sell access to ransomware groups. These access brokers largely infect their victims with\r\nbanking trojans that are later used to deploy other malware at the “purchaser’s request.”\r\nOne of these banking trojans that has been used to deploy ransomware is IcedID (BokBot). IcedID was first\r\nreported by IBM X-Force in November 2017, and the malware shared some code with Pony. While initially\r\ndesigned to steal banking credentials, like many other banking trojans, the malware has been repurposed for\r\ndeploying other malware on the infected machines.\r\nOne way IcedID infects machines is via phishing emails. The infection chain that has commonly been used is an\r\nemail with an attached password-protected “zip” archive. Inside the archive is a macro-enabled Office document\r\nthat executes the IcedID installer. Some phishing emails reuse previously stolen emails to make the lure more\r\nconvincing. \r\nIn the new IcedID campaign we have discovered a further evolution of the threat actors’ technique. 
The\r\nthreat actor now uses compromised Microsoft Exchange servers to send the phishing emails from the very account\r\nthe original email was stolen from. The payload has also moved away from using Office documents to the use of ISO files with a\r\nWindows LNK file and a DLL file. The use of ISO files allows the threat actor to bypass the Mark-of-the-Web\r\ncontrols, resulting in execution of the malware without warning to the user. With regard to targeting, we have\r\nseen organizations within the energy, healthcare, law, and pharmaceutical sectors.\r\nInfection Chain\r\nhttps://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/\r\nPage 1 of 9\n\nThe attack chain starts with a phishing email. The email includes a message about some important document and\r\nhas a password-protected “zip” archive file attached. The password to the archive is given in the email body, as\r\ncan be seen in the screenshot below. What makes the phishing email more convincing is that it’s using\r\nconversation hijacking (thread hijacking): a forged reply to a previously stolen email is used. Additionally,\r\nthe email has also been sent from the email account from which the email was stolen.\r\nThe content of the zip archive is shown in the screenshot below. It includes a single “ISO” file with the same\r\nfilename as the zip archive. It can also be seen that the file was created not long before the email was sent.\r\nThe ISO file includes two files, an LNK file named “document” and a DLL file named “main.” From the\r\ntimestamps it can be concluded that the DLL file was prepared the day before, while the LNK file was prepared\r\nabout a week before. It is possible that the LNK file has been used in earlier phishing emails.\r\nThe LNK file has been made to look like a document file via its embedded icon. 
As can be seen in the\r\nscreenshot below, when a user double-clicks the LNK file, it uses “regsvr32” to execute the DLL file.\r\nThe use of regsvr32 allows for proxy execution of malicious code in main.dll for defense evasion. The DLL file is\r\na loader for the IcedID payload. It contains a number of exports, most of which consist of junk code.\r\nThe loader locates the encrypted payload, stored in the resource section of the binary. It resolves the API it needs\r\nthrough API hashing. A decompilation of the simple hashing function is shown below.\r\nThe resulting hash is then compared with a hardcoded hash, which identifies FindResourceA. The function is\r\nthen called dynamically to fetch the payload. \r\nMemory is allocated using VirtualAlloc to hold the decrypted payload. \r\nThe IcedID “GZiploader” payload is decoded, placed in memory and then executed. GZiploader fingerprints\r\nthe machine and sends a beacon to the command and control server with information about the infected host. The\r\ninformation is smuggled through the Cookie header of an HTTP GET request.\r\nThe C2 is located at yourgroceries[.]top. The C2 can respond with a further stage to be dropped and executed. The\r\nC2 did not respond with a payload during our analysis.\r\nConversation Hijacking as a Phishing Technique\r\nThe technique of hijacking an already existing email conversation to spread malware is something threat\r\nactors have been using for a while. Normally email messages are stolen during an infection and used in future\r\nattacks to make the phishing email appear more legitimate. 
In the last six months, threat actors have evolved the\r\ntechnique further to make it even more convincing. Instead of sending the stolen conversation to the victim from a\r\n“spoofed” email address, threat actors are now using the email address of the victim from whom the original\r\nemail was stolen, making the phishing email even more convincing. \r\nKevin Beaumont reported in November 2021 on this conversation hijacking technique being used to\r\ndistribute Qakbot. Through the investigation, he confirmed that the Microsoft Exchange servers from which the emails\r\noriginated had evidence of being exploited by ProxyShell. \r\nNew Campaign Discovered in March 2022\r\nIn the current mid-March campaign, we have discovered reuse of the same stolen conversation, now being sent\r\nfrom the email address that received the latest email. Back in January, when this conversation was also used, the\r\n“FROM” address was “webmaster@[REDACTED].com” with the name of the recipient of the last email in the\r\nconversation. By using this approach, the email appears more legitimate and is transported through the normal\r\nchannels, which can also include security products. \r\nThe majority of the originating Exchange servers we have observed also appear to be unpatched and publicly\r\nexposed, making the ProxyShell vector a plausible theory. While the majority of the Exchange servers used to send the\r\nphishing emails can be accessed by anyone over the Internet, we have also seen a phishing email sent internally on\r\nwhat appears to be an “internal” Exchange server. \r\nThe code snippet below shows a small part of the email header. The IP address of the Exchange server is a local IP\r\naddress (172.29.0.12) with a top-level domain name of “local”. We can also see a header added by Exchange\r\nmarking it as an internal email. 
The Exchange server has also added a header with the original client (172.29.5.131,\r\nwhich is also a local IP address) that connected to the Exchange server over MAPI.\r\nReceived: from ExchSrv01.[REDACTED].local (172.29.0.12) by\r\n ExchSrv01.[REDACTED].local (172.29.0.12) with Microsoft SMTP Server\r\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.464.5\r\n via Mailbox Transport; Thu, 10 Mar 2022 14:34:29 +0100\r\nReceived: from ExchSrv01.[REDACTED].local (172.29.0.12) by\r\n ExchSrv01.[REDACTED].local (172.29.0.12) with Microsoft SMTP Server\r\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.464.5;\r\n Thu, 10 Mar 2022 14:34:29 +0100\r\nReceived: from ExchSrv01.[REDACTED].local ([fe80::b148:8e7:61f8:61b4]) by\r\n ExchSrv01.[REDACTED].local ([fe80::b148:8e7:61f8:61b4%6]) with mapi id\r\n 15.02.0464.005; Thu, 10 Mar 2022 14:34:29 +0100\r\n…\r\nX-MS-Exchange-Organization-AuthAs: Internal\r\nX-MS-Exchange-Organization-AuthMechanism: 04\r\nX-MS-Exchange-Organization-AuthSource: ExchSrv01.[REDACTED].local\r\nX-MS-Has-Attach: yes\r\nX-MS-Exchange-Organization-SCL: -1\r\nX-MS-Exchange-Organization-RecordReviewCfmType: 0\r\nx-ms-exchange-organization-originalclientipaddress: 172.29.5.131\r\nx-ms-exchange-organization-originalserveripaddress: fe80::b148:8e7:61f8:61b4%6\r\nWe didn’t manage to find a corresponding public IP address for this Exchange server, and it is not known to us\r\nhow it was accessed by the threat actor. The only thing we managed to find was a Roundcube webmail instance.\r\nThe login page is shown in the screenshot below.\r\nOne of the headers in the snippet above reported that the client connected to the server via MAPI. MAPI is a\r\nprotocol used (for example, by Outlook) to access the mailbox on an Exchange server. This suggests that the threat\r\nactor used an Exchange client instead of SMTP to send the email. 
We have also seen the header “X-Mailer:\r\nMicrosoft Outlook 16.0” in multiple phishing emails. In other phishing emails an “X-Originating-IP” header can be\r\nfound. This is a header added by the Exchange server when the web interface is used. The IP address in the header\r\nis that of the client that connected to the server. We have observed both hosting providers and non-commercial IP\r\naddresses for the client IP.\r\nAttribution\r\nIn June 2021, Proofpoint released a report on different access brokers that facilitate access for ransomware\r\ngroups. Of the different threat actors, according to Proofpoint, two of them (TA577 and TA551) used IcedID as\r\ntheir malware. The techniques used by TA551 include conversation hijacking and password-protected zip files.\r\nThe group is also known to use regsvr32.exe for signed binary proxy execution of malicious DLLs. \r\nSummary\r\nThe use of conversation hijacking is a powerful social engineering technique that can increase the rate of a\r\nsuccessful phishing attempt. The payload has moved away from Office documents to the use of ISO files,\r\nemploying commodity packers and multiple stages to hide activity. It is important to be able to detect\r\nmalicious files in memory in order to detect this type of attack. 
We recommend you use an endpoint scanner.\r\nIoCs\r\nISO File:\r\n3542d5179100a7644e0a747139d775dbc8d914245292209bc9038ad2413b3213\r\nLoader DLL:\r\n698a0348c4bb8fffc806a1f915592b20193229568647807e88a39d2ab81cb4c2\r\nLNK File:\r\na17e32b43f96c8db69c979865a8732f3784c7c42714197091866473bcfac8250\r\nIcedID GZiploader Network:\r\nyourgroceries[.]top\r\nSource: https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/"
	],
	"report_names": [
		"conversation-hijacking-campaign-delivering-icedid"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434720,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ba4588460d7fd49a5895d1faa5ffe494627e491.pdf",
		"text": "https://archive.orkl.eu/5ba4588460d7fd49a5895d1faa5ffe494627e491.txt",
		"img": "https://archive.orkl.eu/5ba4588460d7fd49a5895d1faa5ffe494627e491.jpg"
	}
}