The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a new wave of social-engineering campaigns that deliver IcedID malware and exploit Zimbra vulnerabilities with the aim of stealing sensitive data.
Attributing the IcedID phishing attacks to a threat cluster named UAC-0041, the agency said the infection sequence begins with an email containing a Microsoft Excel document (Mobilizatsiinii reiestr.xls, or Mobilization Register.xls) that, when opened, prompts users to enable macros, leading to the deployment of IcedID.
The information-stealing malware, also known as BokBot, has followed a similar trajectory to that of TrickBot, Emotet, and ZLoader, evolving from its earlier roots as a banking trojan into a full-fledged crimeware service that facilitates the retrieval of next-stage implants such as ransomware.

The second set of targeted intrusions relates to a new threat group dubbed UAC-0097. Here the emails carry a number of image attachments whose Content-Location header points to a remote server hosting JavaScript code that triggers an exploit for a Zimbra cross-site scripting vulnerability (CVE-2018-6882).
In the last step of the attack chain, the injected JavaScript forwards the victims' email to an address controlled by the threat actor, which indicates a cyber-espionage campaign.
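Both campaigns described above leave observable traces in the raw MIME of the inbound message: a macro-capable Office attachment (the UAC-0041 lure) and image parts whose Content-Location header references an external host (the UAC-0097 lure). The following mail-gateway triage script is an added example written for this article; it is not code from CERT-UA or from the article's author. The sample message, the host names (`attacker.example.invalid`) and the function names (`triage_message`, `external_host`) are constructed for illustration.

```python
import email
from email import policy
from urllib.parse import urlparse

# Office formats that can carry VBA macros; the lure on the page was a .xls file.
MACRO_CAPABLE_EXTENSIONS = {".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm", ".dotm"}

# Constructed sample message (not a real capture): a text body, the Excel lure,
# one image part whose Content-Location points at a remote script, and one
# image part with a harmless cid: reference that should not be flagged.
SAMPLE_EMAIL = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See attachments.
--b1
Content-Type: application/vnd.ms-excel; name="Mobilizatsiinii reiestr.xls"
Content-Disposition: attachment; filename="Mobilizatsiinii reiestr.xls"
Content-Transfer-Encoding: base64

0M8R4A==
--b1
Content-Type: image/png; name="photo1.png"
Content-Disposition: attachment; filename="photo1.png"
Content-Location: http://attacker.example.invalid/loader.js
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1
Content-Type: image/png; name="photo2.png"
Content-Disposition: inline; filename="photo2.png"
Content-Location: cid:inline-logo
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""


def external_host(content_location, trusted_hosts):
    """Return the lowercased host if Content-Location points to a remote http(s)
    resource outside trusted_hosts, otherwise None. Relative references and
    cid: URLs (the legitimate RFC 2557 uses) never trigger a remote fetch."""
    if not content_location:
        return None
    parsed = urlparse(str(content_location).strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    if host in trusted_hosts:
        return None
    return host


def triage_message(raw_bytes, trusted_hosts=frozenset()):
    """Walk every MIME leaf part and return a list of (finding, detail) tuples."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in MACRO_CAPABLE_EXTENSIONS:
            findings.append(("macro_capable_attachment", filename))
        host = external_host(part.get("Content-Location"), trusted_hosts)
        if host is not None:
            findings.append(("remote_content_location",
                             f"{part.get_content_type()} -> {host}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_message(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

On the sample message the script reports the Excel lure and the image part that points at `attacker.example.invalid`, while the `cid:` reference passes. In a real deployment the `trusted_hosts` set would hold your own webmail host, and these findings should be paired with alerting on newly created mail-forwarding rules, since the article notes that the injected script's end goal is to forward the victim's mail to an attacker-controlled address.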
The incursions are a continuation of malicious cyber activities targeting Ukraine since the start of the year. CERT-UA recently revealed that Russian hackers attempted to sabotage operations at an unidentified energy supplier in Ukraine.