New Conversation Hijacking Campaign Delivering IcedID

A new IcedID campaign uses conversation hijacking in phishing emails delivered from compromised Microsoft Exchange accounts to drop the IcedID loader. The operation shifts from office documents to ISO attachments, uses regsvr32 to proxy-run a DLL, and targets energy, healthcare, law, and pharmaceutical sectors. #IcedID #Qakbot #ProxyShell #TA551 #TA577 #ConversationHijacking

Keypoints

  • The campaign employs conversation hijacking to enhance the legitimacy of phishing emails sent from stolen Exchange accounts.
  • Phishing delivery has evolved from macro-enabled documents to ISO-based payloads packaged inside password-protected ZIP archives.
  • The LNK file masquerades as a document via an embedded icon, and double-clicking uses regsvr32 to run the DLL loader.
  • The loader decrypts and loads the payload in memory, resolving APIs by hash, locating the payload with FindResourceA and allocating memory with VirtualAlloc, and then executes the IcedID payload.
  • The IcedID payload includes a Gziploader that fingerprints the machine and beacons back to a C2 at a specific domain, with the data exfiltrated in the cookies of an HTTP GET request.
  • The campaign has been observed targeting energy, healthcare, law, and pharmaceutical sectors, and is linked to known actors and campaigns using conversation hijacking (e.g., TA577/TA551).

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The infection chain commonly used to date has been an email with an attached password-protected “zip” archive. Inside the archive is a macro-enabled office document that executes the IcedID installer.
  • [T1566.003] Phishing: Spearphishing via Service – The threat actor now sends the phishing emails from compromised Microsoft Exchange servers, using the very accounts that were stolen.
  • [T1036] Masquerading – The LNK file has been made to look like a document file via its embedded icon file.
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – As can be seen in the screenshot below, when a user double-clicks the LNK file, it uses “regsvr32” to execute the DLL file.
  • [T1027] Obfuscated/Compressed Files or Information – The loader decrypts and loads the payload in memory; the IcedID “Gziploader” payload is decoded, placed in memory and then executed, with deobfuscation handled by an API-hash-based loader (FindResourceA).
  • [T1071.001] Web Protocols – The IcedID Gziploader fingerprints the machine and sends a beacon to the C2; the information is smuggled through the Cookie header of an HTTP GET request.
  • [T1190] Exploit Public-Facing Application – The majority of originating Exchange servers appear unpatched and publicly exposed, making the ProxyShell vector a plausible entry point.
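The LNK-to-regsvr32-to-DLL chain above is easy to hunt for in process-creation telemetry. The following detection logic is an added example, not code from the original report: it assumes Sysmon-style events with parent, image and cmdline fields, and that a double-clicked ISO is mounted under a non-system drive letter, so the loader DLL is executed from a volume other than C:.

```python
"""Flag regsvr32 proxy-executing a DLL from a mounted ISO after an LNK double-click.

Added detection example (not from the original report). Assumptions that are
mine: events are dicts with 'parent', 'image' and 'cmdline' fields, and a
mounted ISO appears as a non-system drive letter (e.g. E:\\).
"""
import re

# A quoted path ending in .dll, or an unquoted whitespace-free one.
_DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
_SYSTEM_DRIVE = "C:"


def regsvr32_reasons(ev: dict) -> list[str]:
    """Return the indicators a single event matches; empty means nothing found."""
    if not ev["image"].lower().endswith("\\regsvr32.exe"):
        return []
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    m = _DLL_ARG.search(ev["cmdline"])
    dll = (m.group(1) or m.group(2)) if m else ""
    reasons = []
    if parent == "explorer.exe":  # shortcut double-click, not a service/installer
        reasons.append("regsvr32 spawned by explorer.exe (shortcut double-click)")
    if dll and not dll.upper().startswith(_SYSTEM_DRIVE):
        reasons.append(f"DLL on non-system volume {dll[:2]} (mounted ISO?)")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for events showing both indicators together."""
    return [(i, r) for i, ev in enumerate(events) if len(r := regsvr32_reasons(ev)) == 2]


# Constructed sample telemetry (not real data): a benign COM registration, one
# event matching the IcedID chain, a benign installer, and an unrelated process.
SAMPLE_EVENTS = [
    {"parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\example.dll"},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "\"C:\\Windows\\System32\\regsvr32.exe\" E:\\document.dll"},
    {"parent": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "cmdline": "regsvr32 /s \"C:\\Program Files\\App\\component.dll\""},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n E:\\invoice.docx"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Requiring both indicators keeps legitimate COM registrations by services and installers out of the alert stream while still catching the user-launched, non-system-volume case this campaign relies on.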

Indicators of Compromise

  • [File Hash] ISO file – 3542d5179100a7644e0a747139d775dbc8d914245292209bc9038ad2413b3213
  • [File Hash] Loader DLL – 698a0348c4bb8fffc806a1f915592b20193229568647807e88a39d2ab81cb4c2
  • [File Hash] LNK file – a17e32b43f96c8db69c979865a8732f3784c7c42714197091866473bcfac8250
  • [Domain] C2 – yourgroceries[.]top
  • [IP Address] Source/Client IPs observed in headers – 172.29.0.12, 172.29.5.131

Read more: https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/