The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a new wave of social-engineering campaigns that deliver IcedID malware and exploit Zimbra vulnerabilities with the aim of stealing sensitive data.
Attributing the IcedID phishing attacks to a threat cluster tracked as UAC-0041, the agency said the infection chain begins with an email carrying a Microsoft Excel document (Mobilizatsiinii reiestr.xls, or Mobilization Register.xls) that, when opened, prompts the user to enable macros, which in turn leads to the deployment of IcedID.
The information-stealing malware, also known as BokBot, has followed a trajectory similar to that of TrickBot, Emotet, and ZLoader, evolving from its early roots as a banking trojan into a full-fledged crimeware service that facilitates the retrieval of next-stage implants such as ransomware.
The incursions are a continuation of malicious cyber activities targeting Ukraine since the start of the year. CERT-UA recently revealed that Russian hackers attempted to sabotage operations at an unidentified energy supplier in Ukraine.