Recently, Microsoft has announced that they identified a cybercrime operation leveraging multiple methods to infect employee workstations with IcedID malware. The methods include a modified Zoom “standalone” installation that embeds malware in the Zoom client, as well as malicious Excel files with Excel 4.0 XLM macros, and abusing contact forms on legitimate websites to send messages to employees, TheRecord reports. These attackers use automated scripts that fill out contact request forms with a set message template, most frequently a copyright claim. These contact request forms are emailed to site owners and contain a link to download a document which employees are instructed to view. However, the document contains macros that download and execute IcedID, a credential stealer that can be used to load other malware, such as Cobalt Strike. Microsoft warns that when the threat actors have interactive access to the compromised workstations through Cobalt Strike, they can use that access to move laterally, take over servers, and deploy ransomware across an enterprise.
Fig 1.1, an example contact form found on a legitimate website
Binary Defense’s analysts recommend using care when opening any links in emails, especially if these links lead to google-hosted sites with instructions like “download and open the document”. Additionally, Binary Defense recommends deploying a 24/7 SOC monitoring solution such as binary defense’s own Security Operations Task Force.
The recent surge of IcedID campaigns indicate that this malware family is likely being used to fill in some of the void left by recent malware infrastructure disruptions. We are tracking multiple active IcedID campaigns of various sizes, delivery methods, and targets. pic.twitter.com/Qfsii7q0uu
— Microsoft Security Intelligence (@MsftSecIntel) April 13, 2021