IcedID Malware used in a new hacking campaign targeting the Ukrainian government

CERT-UA, Ukraine’s Computer Emergency Response Team, has issued a warning about a new wave of social engineering attacks that use IcedID malware and Zimbra vulnerabilities to steal sensitive data. According to the CIA, the IcedID phishing attacks are tied to a threat cluster tracked as UAC-0041. The infection begins with a simple email attachment containing a Microsoft Excel document (олани pестp.xls or Mobilization Register.xls) that, when opened, encourages users to enable macros, culminating in IcedID deployment. IcedID, also known as BokBot, like TrickBot, Emotet, and ZLoader, is information-stealing malware that has progressed from its early days as a banking trojan to a full-fledged crimeware service that facilitates the retrieval of next-stage payloads such as ransomware.


The second round of targeted attacks is linked to a new threat group, UAC-0097; the email carries several image attachments with a Content-Location header pointing to a remote server hosting JavaScript code that launches an exploit for a Zimbra cross-site scripting vulnerability (CVE-2018-6882).
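A triage check for the attachment pattern described above, added here as an example (not code from CERT-UA or the article): it parses a raw message and flags MIME parts whose Content-Location header points at an external host rather than a local reference. The sample message and its hostnames are constructed.

```python
import email
from email import policy
from urllib.parse import urlparse

# Constructed sample: one inline image with a local Content-Location and one whose
# Content-Location points at an external server (the pattern described above).
SAMPLE_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><img src="cid:pic1"><img src="cid:pic2"></body></html>
--b1
Content-Type: image/png
Content-ID: <pic1>
Content-Location: photo1.png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1
Content-Type: image/png
Content-ID: <pic2>
Content-Location: https://remote.example.invalid/photo2.png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""


def remote_content_locations(raw: bytes) -> list[tuple[str, str]]:
    """Return (Content-ID, URL) for every part whose Content-Location is a remote URL."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        loc = part.get("Content-Location")
        if not loc:
            continue
        parsed = urlparse(str(loc).strip())
        # A scheme plus a network host tells the client to fetch the part from
        # outside the message; a bare relative name resolves within it.
        if parsed.scheme in ("http", "https") and parsed.netloc:
            hits.append((str(part.get("Content-ID", "")), str(loc).strip()))
    return hits
```

Parts flagged this way are worth detonating or blocking at the gateway, since the client will fetch whatever the remote server serves in place of the image.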

The injected malicious JavaScript is used to exfiltrate victims’ emails to an address controlled by the threat actor in the final stage of the attack chain, suggesting cyber-espionage activity. The attacks are part of a pattern of aggressive cyber activity against Ukraine that started in January. According to CERT-UA, a cyberattack by Russian adversaries aimed at disrupting the operations of an undisclosed Ukrainian energy supplier was recently thwarted.

While we’re on the subject of IcedID malware: OALabs published a video in 2018 unpacking IcedID (BokBot). I recommend watching the OALabs video if you want to learn more about how this malware operates.
