BokBot, a new IcedID malware, targets the Ukrainian government

Last updated: May 19, 2025
  • A new malware attack, BokBot, targets the Ukrainian government.
  • The IcedID malware steals sensitive information by exploiting a Zimbra vulnerability.
  • CERT-UA recommends that all organizations using Zimbra should update to the newest version to avoid exploitation.

Attackers use a variety of methods to carry out harmful operations against their targets. The Computer Emergency Response Team of Ukraine (CERT-UA) recently revealed a new wave of malware campaigns. According to the agency, social engineering campaigns infect targets with the IcedID malware, and the malware uses Zimbra exploits to steal sensitive information.

Additionally, the Ukrainian agency noted that the IcedID activity resembles the previously observed UAC-0041 threat cluster. The attackers send an email with a Microsoft Excel document (Mobilization Register xls). When the targeted user opens the file, the document prompts the user to enable macros. Once macros are enabled, the embedded command deploys the IcedID malware automatically.

How the IcedID malware evolves

IcedID is primarily a banking malware that targets account credentials. It can also act as a loader that introduces other malware, such as ransomware, into a system. When used to deliver ransomware, BokBot can both retrieve sensitive information from the user's system and encrypt its files. The ransomware typically holds the target organization to ransom by encrypting its files, so the company loses access to its files, applications, and databases. Only after paying the ransom demanded by the attackers would the company regain access to its data.

BokBot follows the same pattern of operation as banking Trojans such as Emotet, ZLoader, and TrickBot. It starts at that level and gradually evolves into a full crimeware service, ultimately loading ransomware onto the target's device.

A second campaign, attributed to a threat group tracked as UAC-0097, works differently. In this case, the email contains image attachments that carry a Content-Location header. This header redirects the user to a remote server hosting JavaScript code. The code then triggers an attack on Zimbra's cross-site scripting vulnerability (CVE-2018-6882).

The cross-site scripting flaw mainly affects Zimbra Collaboration Suite version 8.7 and older. It allows attackers to inject HTML or web script through the Content-Location header of an email attachment. In the final stage of the attack, the JavaScript running in the victim's session automatically forwards the user's emails to an attacker-controlled address. This sequence points to a cyber-espionage campaign.
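As an added defender-side example (not code from the original article or from CERT-UA), the script below parses a constructed MIME message and flags attachment parts whose Content-Location header points to a remote host, the delivery pattern described above. The sample message and the hostname attacker.invalid are constructed for illustration.

```python
"""Flag MIME parts whose Content-Location header points to a remote host.

Heuristic for the Content-Location delivery pattern described above; the
sample message below is constructed for demonstration, not a real capture.
"""
import email
from email import policy
from urllib.parse import urlsplit

# Constructed sample: one inline image with a plain filename (benign) and one
# image part whose Content-Location is an absolute URL on an external host.
SAMPLE_EML = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: image/png
Content-Location: logo.png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1
Content-Type: image/gif
Content-Location: http://attacker.invalid/x.js
Content-Transfer-Encoding: base64

R0lGODlh
--b1--
"""


def suspicious_content_locations(raw_message: str):
    """Return (content_type, location) for each part whose Content-Location
    is an absolute http(s) URL with a network host; bare filenames pass."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        loc = part.get("Content-Location")
        if not loc:
            continue
        url = urlsplit(loc.strip())
        if url.scheme in ("http", "https") and url.netloc:
            hits.append((part.get_content_type(), loc.strip()))
    return hits


if __name__ == "__main__":
    for ctype, loc in suspicious_content_locations(SAMPLE_EML):
        print(f"flag: {ctype} part with remote Content-Location {loc}")
```

A mail gateway rule built on this check would quarantine or strip such parts before they reach a Zimbra mailbox that has not yet been patched.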

Zimbra flaw aids attacks

Zimbra is a widely used email and collaboration platform where users can send instant messages, hold video conferences, and save contacts. The platform can also be used to share files and store them in the cloud.

By exploiting this Zimbra vulnerability, attackers set up forwarding of the target's emails to an address they control. Before this recent attack, Zimbra had faced similar problems earlier this same year. That attack affected several versions of the suite, including 8.8.15 P29 and P30.

Zimbra's vulnerability also enabled Chinese threat actors to steal emails from European government and media organizations. Moreover, CERT-UA revealed that it had earlier uncovered a cyberattack planned by Russian adversaries against the country. The agency reported that the purpose of that attack was to sabotage the operations of an energy provider in Ukraine.

That is all the more reason CERT-UA recommends that every organization in the country using the suite update it immediately. It is safer to run the latest versions, which no longer contain the vulnerability.
