Hackers attack Ukrainian government with IcedID malware
April 15, 2022
Hackers are attacking the Ukrainian government with new attacks exploiting Zimbra vulnerabilities and phishing attacks distributing IcedID malware. The Ukraine Computer Emergency Response Team (CERT-UA) has disclosed the new campaigns and attributed the IcedID phishing attack to the threat cluster UAC-0041, which was previously linked to AgentTesla distribution, and the Zimbra attack to UAC-0097, a currently unknown actor.
In both cases, the attackers’ aim is to gain access to the internal networks of Ukraine’s most important state bodies for cyber espionage.
The first report describes a campaign distributing XLS documents named Mobilization Register.xls, which reached many recipients. When the document is opened, the user is prompted to “Enable Content” to view it, which causes a malicious macro to download and run a malicious file. This file is the GzipLoader malware, which extracts, decrypts and executes the final payload, IcedID (also known as BankBot).
IcedID is a modular banking trojan that can be used to steal credentials or as a downloader for additional second-stage malware such as Cobalt Strike, hijackers, wipers and others.
The second report concerns an email sent to Ukrainian state officials containing footage allegedly from the event at which President V. Zelensky honored soldiers.
The attached images carry a Content-Location header that links to a web resource containing JavaScript code that triggers the Zimbra vulnerability CVE-2018-6882.
This cross-site scripting vulnerability affects Zimbra Collaboration Suite version 8.7 and earlier, and allows remote attackers to inject arbitrary web script or HTML via the Content-Location header of an email attachment.
Zimbra is an email and collaboration platform that also includes instant messaging, contacts, video conferencing, file sharing and cloud storage. In this case, exploiting the vulnerability adds a rule that forwards the victim’s emails to a new address under the attacker’s control, which is a step towards supporting espionage.
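A defender-side triage check for the delivery mechanism described above: parse a message and flag any attachment whose Content-Location header points at a remote http(s) resource rather than a relative name. This is an added example, not code from the article or from CERT-UA; the sample message and the attacker.example domain are constructed placeholders.

```python
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample: two image attachments, one with a Content-Location
# pointing at an external host (placeholder domain), one with a benign relative value.
SAMPLE_EML = b"""From: sender@example.test
To: official@example.test
Subject: Photos from the ceremony
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo1.jpg"
Content-Location: https://attacker.example/payload.html
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQAA
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo2.jpg"
Content-Location: photo2.jpg
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQAA
--b1--
"""

def suspicious_content_locations(raw: bytes):
    """Return (filename, content_location) for each non-multipart part whose
    Content-Location is an absolute http/https URL. Relative values (e.g. a bare
    filename) are the header's legitimate use and are not reported."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        loc = part.get("Content-Location")
        if not loc:
            continue
        parsed = urlparse(loc.strip())
        if parsed.scheme in ("http", "https") and parsed.netloc:
            findings.append((part.get_filename() or "<unnamed>", loc.strip()))
    return findings

if __name__ == "__main__":
    for name, loc in suspicious_content_locations(SAMPLE_EML):
        print(f"ALERT: attachment {name!r} references remote resource {loc}")
```

Run against a mail gateway quarantine or an exported .eml to surface attachments that reference external content before they reach a vulnerable webmail client.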
It’s worth noting that earlier this year Zimbra had a similar XSS issue affecting the then-latest versions of the package, 8.8.15 P29 and P30. That vulnerability was actively exploited as a zero-day by Chinese threat actors to steal emails from European media and government entities. CERT-UA therefore recommends that all organizations in Ukraine using Zimbra immediately update to the latest available versions.
John Wilkes is a seasoned journalist and author at Div Bracket. He specializes in covering trending news across a wide range of topics, from politics to entertainment and everything in between.