CERT-UA recently released an advisory on IcedID, a modular banking trojan being dropped via a social engineering campaign targeting Ukrainian government entities, and related Zimbra exploits.
What is IcedID?
IcedID, also known as BokBot, is a modular banking trojan supporting a full-fledged stealer and next-stage implants, such as ransomware and Cobalt Strike beacons. According to CERT-UA, a threat actor group dubbed UAC-0098 is engaging in social engineering campaigns delivering IcedID and leveraging Zimbra exploits. The threat actors are sending phishing emails containing a malicious Microsoft Excel document that uses macros to deploy IcedID. The file used in the phishing email is named Мобілізаційний реєстр.xls (Ukrainian for Mobilization Register.xls).
Figure 1: A screenshot showing elements of the malicious Microsoft Excel file. Credit: CERT-UA
PolySwarm has multiple samples associated with IcedID.
You can use the following CLI command to search for all IcedID samples in our portal:
$ polyswarm link list -f IcedID