Background
CERT-UA recently released an advisory on IcedID, a modular banking trojan being dropped via a social engineering campaign targeting Ukrainian government entities, and related Zimbra exploits.
What is IcedID?
IcedID, also known as BokBot, is a modular banking trojan that supports a full-fledged stealer and next-stage implants, such as ransomware and Cobalt Strike beacons. According to CERT-UA, a threat actor group dubbed UAC-0098 is running social engineering campaigns that deliver IcedID and leverage Zimbra exploits. The threat actors send phishing emails containing a malicious Microsoft Excel document that uses macros to deploy IcedID. The file used in the phishing email is named Мобілізаційний реєстр.xls (Mobilization Register.xls).
Figure 1: A screenshot showing elements of the malicious Microsoft Excel file. Credit: CERT-UA
CERT-UA also reported a second set of intrusions perpetrated by another threat actor group, UAC-0097. In this campaign, the phishing emails included a number of image attachments whose Content-Location header pointed to a remote server. That server hosted a piece of JavaScript code that triggered an exploit for CVE-2018-6882, a Zimbra cross-site scripting vulnerability. In the final stage of the attack, the JavaScript is used to forward the victim’s emails to a threat-actor-controlled email address for espionage purposes.
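The Content-Location pattern above is easy to screen for at the mail gateway. The following script is an added example (not from the CERT-UA advisory or from PolySwarm): it parses a message and returns every MIME part whose Content-Location is an absolute HTTP(S) URL rather than a relative reference. The sample message and its host name are constructed placeholders, not campaign artifacts.

```python
# Added example, not from the CERT-UA advisory or PolySwarm: flag MIME parts
# whose Content-Location header points at a remote HTTP(S) host, the pattern
# CERT-UA describes for the UAC-0097 image attachments.
from email import message_from_bytes
from urllib.parse import urlparse

# Constructed sample message; the host name is a placeholder, not a real IOC.
SAMPLE_EML = b"""From: sender@example.com
To: victim@example.org
Subject: Report
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: image/png
Content-ID: <img1>
Content-Location: http://remote-host.invalid/img1.png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1
Content-Type: image/png
Content-ID: <img2>
Content-Location: img2.png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""


def remote_content_locations(raw: bytes) -> list[tuple[str, str]]:
    """Return (content_type, location) for each part whose Content-Location
    is an absolute http/https URL; relative ones (img2.png) are not flagged."""
    hits = []
    for part in message_from_bytes(raw).walk():
        loc = part.get("Content-Location")
        if not loc:
            continue
        loc = loc.strip()
        parsed = urlparse(loc)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            hits.append((part.get_content_type(), loc))
    return hits


if __name__ == "__main__":
    for ctype, url in remote_content_locations(SAMPLE_EML):
        print(f"suspicious part: {ctype} -> {url}")
```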
IOCs
PolySwarm has multiple samples associated with IcedID.
You can use the following CLI command to search for all IcedID samples in our portal:
$ polyswarm link list -f IcedID