Threat Watch

Microsoft Security Intelligence Identifies Surge of IcedID Campaigns Leading to Cobalt Strike

Microsoft recently announced that it has identified a cybercrime operation using several methods to infect employee workstations with IcedID malware. The methods include a modified Zoom "standalone" installer that embeds malware in the Zoom client, malicious Excel files carrying Excel 4.0 XLM macros, and abuse of the contact forms on legitimate websites to send messages to employees, The Record reports. The attackers use automated scripts to fill out contact request forms with a fixed message template, most frequently a copyright claim. The form submissions are emailed to site owners and contain a link to download a document that the recipient is instructed to view. That document contains macros that download and execute IcedID, a credential stealer that can also load other malware, such as Cobalt Strike. Microsoft warns that once the threat actors have interactive access to a compromised workstation through Cobalt Strike, they can use that access to move laterally, take over servers, and deploy ransomware across an enterprise.
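The chain described above starts with a scripted contact-form submission: a copyright-claim template, an instruction to download and open a document, and a link to the lure. The following is an added example, not code from the original post or from Microsoft or Binary Defense, of a small triage heuristic a site owner's mail pipeline or SOC could run over inbound form submissions before anyone clicks the link. The hosted-domain list, keyword lists, weights, threshold, and the sample submissions are all assumptions constructed for the example; the cross-submission "same template" signal goes beyond the text by using the repetition that scripted submissions produce.

```python
"""Triage of website contact-form submissions for the copyright-claim lure pattern.

Added example, not from the original post. Domain list, keywords, weights,
threshold and sample messages are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Assumed: hostnames that count as "Google-hosted" for this check.
GOOGLE_HOSTED_DOMAINS = (
    "sites.google.com",
    "drive.google.com",
    "docs.google.com",
    "storage.googleapis.com",
    "firebasestorage.googleapis.com",
)
# Assumed: wording typical of the copyright-claim template and of the
# "download and open the document" instruction the post describes.
COPYRIGHT_TERMS = ("copyright", "dmca", "infringement", "intellectual property")
LURE_PHRASES = ("download", "open the document", "view the document", "open the file")
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off for escalating to the SOC

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def is_google_hosted(url: str) -> bool:
    """Match on the parsed hostname, not a substring, so a query string cannot fool the check."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in GOOGLE_HOSTED_DOMAINS)


def template_key(message: str) -> str:
    """Strip URLs, digits and whitespace so two fills of one template compare equal."""
    key = URL_RE.sub("<url>", message.lower())
    key = re.sub(r"\d+", "#", key)
    return re.sub(r"\s+", " ", key).strip()


def triage_submission(message: str, same_template_count: int = 1) -> Verdict:
    """Score a single submission against the indicators described in the post."""
    reasons: List[str] = []
    score = 0
    text = message.lower()
    if any(t in text for t in COPYRIGHT_TERMS):
        score += 2
        reasons.append("copyright-claim wording")
    if any(p in text for p in LURE_PHRASES):
        score += 1
        reasons.append("instruction to download/open a document")
    hosted = [u for u in URL_RE.findall(message) if is_google_hosted(u)]
    if hosted:
        score += 3
        reasons.append(f"link to Google-hosted content: {hosted[0]}")
    if same_template_count >= 2:
        score += 2
        reasons.append(f"same template seen {same_template_count} times (scripted submission)")
    return Verdict(score, reasons)


def triage_batch(messages: List[str]) -> List[Verdict]:
    """Score every message, using template repetition across submissions as an extra signal."""
    counts: Dict[str, int] = {}
    for m in messages:
        k = template_key(m)
        counts[k] = counts.get(k, 0) + 1
    return [triage_submission(m, counts[template_key(m)]) for m in messages]


# Constructed sample submissions (not real messages); the first two are one template filled twice.
SAMPLE_SUBMISSIONS = [
    "Your website uses images that are protected by copyright. Download the document with "
    "the evidence here: https://sites.google.com/view/claim-0421/home and open the document "
    "to see the files.",
    "Your website uses images that are protected by copyright. Download the document with "
    "the evidence here: https://storage.googleapis.com/claim-9913/notice.html and open the "
    "document to see the files.",
    "Hi, I'd like a quote for 50 units of your product. Please call me at 555-0100.",
    "Could you send me the brochure? Your download link at https://www.example.com/brochure.pdf is broken.",
]

if __name__ == "__main__":
    for msg, v in zip(SAMPLE_SUBMISSIONS, triage_batch(SAMPLE_SUBMISSIONS)):
        label = "SUSPICIOUS" if v.suspicious else "benign"
        print(f"{label:10} score={v.score} reasons={v.reasons}")
```

The score is only a prioritisation aid for the analyst queue; a legitimate copyright notice can trip the first two indicators, which is why the link host and the repeated-template signal carry most of the weight.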

Fig 1.1: an example contact form found on a legitimate website

ANALYST NOTES

Binary Defense's analysts recommend using care when opening any links in emails, especially links that lead to Google-hosted sites with instructions such as "download and open the document". Additionally, Binary Defense recommends deploying a 24/7 SOC monitoring solution such as Binary Defense's own Security Operations Task Force.

Sources: https://therecord.media/microsoft-malware-gang-uses-website-contact-forms-for-distribution/