New Hacking Campaign Targeting Ukrainian Government with IcedID Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has
warned of a new wave of social engineering campaigns delivering
IcedID malware and leveraging Zimbra exploits with the goal of
stealing sensitive information.

Attributing the IcedID phishing attacks to a threat cluster
named UAC-0041, the agency said^[1] the infection sequence
begins with an email containing a Microsoft Excel document
(Мобілізаційний реєстр.xls or Mobilization Register.xls) that, when
opened, prompts the users to enable macros, leading to the
deployment of IcedID.

The information-stealing malware^[2], also known as BokBot,
has followed a similar trajectory to that of TrickBot, Emotet, and
ZLoader, evolving from its earlier roots as a banking trojan to a
full-fledged crimeware service that facilities the retrieval of
next-stage implants such as ransomware.

The second set of targeted intrusions^[3] relate to a new threat
group dubbed UAC-0097, with the email including a number of image
attachments with a Content-Location^[4]
header pointing to a remote server hosting a piece of JavaScript
code that activates an exploit for a Zimbra cross-site scripting
vulnerability (CVE-2018-6882^[5]).

In the final step of the attack chain, the injected rogue
JavaScript is used to forward victims’ emails to an email address
under the threat actor’s control, indicating a cyber espionage
campaign.

The incursions are a continuation of malicious cyber activities
targeting Ukraine since the start of the year. Recently, CERT-UA
also disclosed^[6]
that it had foiled a cyberattack by Russian adversaries to sabotage
the operations of an unnamed energy provider in the country.