Ukraine CERT warns on attacks exploiting Zimbra IcedID

Ukrainian government agencies are under a serious threat. Threat actors are exploiting Zimbra exploits and phishing attacks pushing the IcedID malware.

CERT-UA of Ukraine detected the campaigns and attributed the IcedID phishing attack to the UAC-0041, previously connected with AgentTesla distribution, and the second to UAC-0097, a currently unknown actor.

The ultimate end goal is to gain access to internal networks to perform cyber-espionage on Ukraine’s most critical government agencies.

A campaign seen distributing XLS documents named Mobilization Register.xls, distributed to recipients. Opening the document requests the user to Enable the Content for viewing, resulting in a malicious macro executing to download and run a malicious file. The GzipLoader malware, actually spreads which fetches, decrypts, and executes the final payload, IcedID.

Next campaign involves an email sent to government agencies in Ukraine, with attached images allegedly from an event where President V. Zelensky awarded Armed Forces members. These mages contain a location header that links to a web resource hosting JavaScript code that triggers the exploitation of the Zimbra CVE-2018-6882 vulnerability.

This XSS vulnerability affects Zimbra Collaboration Suite versions 8.7 and older, enabling remote attackers to inject arbitrary web script or HTML via a content-location header in email attachments.

By exploiting the flaw adds a forwarding rule for the victim’s emails to a new address under the threat actor’s control, which is clearly an espionage attempt CERT-UA advises all organizations in Ukraine using Zimbra to update to the latest available versions of the suite immediately.