Insights, news, education and announcements from PolySwarm

IcedID and Zimbra Exploits Target Ukrainian Government Entities

Written by PolySwarm Tech Team | Apr 22, 2022 5:38:37 PM



Background

CERT-UA recently released an advisory on IcedID, a modular banking trojan being dropped via a social engineering campaign targeting Ukrainian government entities, and related Zimbra exploits.
What is IcedID?

IcedID, also known as BokBot, is a modular banking trojan supporting a full-fledged stealer and next-stage implants, such as ransomware and Cobalt Strike beacons. According to CERT-UA, a threat actor group dubbed UAC-0098 is engaging in social engineering campaigns delivering IcedID and leveraging Zimbra exploits. The threat actors are sending phishing emails containing a malicious Microsoft Excel document that uses macros to deploy IcedID. The file used in the phishing email is named Мобілізаційний реєстр.xls (Mobilization Register.xls).


Figure 1: A screenshot showing elements of the malicious Microsoft Excel file. Credit: CERT-UA


CERT-UA also reported a second set of intrusions perpetrated by another threat actor group, UAC-0097. In this campaign, the phishing emails included a number of image attachments with a Content-Location header pointing to a remote server. The server hosted a piece of JavaScript code that activated an exploit leveraging CVE-2018-6882, a Zimbra cross-site scripting vulnerability. In the final stage of the attack, the JavaScript is used to forward the victim's emails to a threat-actor-controlled email address for espionage purposes.

IOCs

PolySwarm has multiple samples associated with IcedID.


You can use the following CLI command to search for all IcedID samples in our portal:

$ polyswarm link list -f IcedID

