Crooks abuse website contact forms to deliver IcedID malware

Microsoft researchers spotted a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware.

Security experts from Microsoft have uncovered a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware.

Threat actors behind the operation are using contact forms published on websites to deliver malicious links to enterprises using emails with fake legal threats. The emails attempt to trick recipients into clicking a link to review supposed evidence behind their allegations, but instead, they start the IcedID malware infection.

IcedID banking trojan first appeared in the threat landscape in 2017, it has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Experts at IBM X-Force that first analyzed it noticed that the threat does not borrow code from other banking malware, but it implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims.

“Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials.” reads the analysis published by Microsoft. “The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.”

The malicious emails tracked by the experts arrive in the recipient’s inbox from the contact form query appearing trustworthy as it was sent from trusted email marketing systems. The messages are originating from the recipient’s own contact form on their website, this means that appear as sent by an actual customer interaction or inquiry.

“As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.” continues Microsoft.

The messages composed by attackers include a link to a sites.google.com page to view the alleged stolen photos for the recipient to view.

Upon clicking the link, the recipient is redirected to a Google page that requires them to authenticate using their Google credentials, this trick allows to avoid detection.

Once the recipient will sign in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file which is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file). The payload is decrypted by using a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, in this way threat actors could remotely control the infected device.

Attackers also implemented a secondary attack chain, in case the sites.google.com page was not available users are redirected to a .top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file.

“This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for “safe” emails that would otherwise be filtered out into spam folders.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IcedID malware)

[adrotate banner=”5″]

[adrotate banner=”13″]