IcedID Malware Is Being Used in a New Hacking Campaign Targeting the Ukrainian Government

The Computer Emergency Response Team of Ukraine (CERT-UA) has recently issued a warning about a new wave of social-engineering cyberattacks that deliver the IcedID malware and, in a parallel campaign, exploit a Zimbra vulnerability to steal sensitive data.

More Information about the IcedID Phishing Attacks

According to the agency, the IcedID phishing attacks are attributed to a threat cluster tracked as UAC-0041. The infection chain starts with an email carrying a Microsoft Excel document named Мобілізаційний реєстр.xls (Mobilization Register.xls). Opening the file prompts the user to enable macros; once enabled, the macro runs GzipLoader, a downloader that fetches, decrypts, and executes the final payload, IcedID.


IcedID is a banking trojan that can be employed to steal account credentials or as a loader for other malware such as Cobalt Strike, ransomware, wipers, and more.

A second wave of targeted attacks is attributed to a separate cluster tracked as UAC-0097. Here the email attachments carry a Content-Location header that points to a remote server hosting JavaScript, which triggers an exploit for a Zimbra cross-site scripting vulnerability tracked as CVE-2018-6882. That flaw was fixed in 2018, so only unpatched Zimbra instances are exposed.
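The delivery pattern described for the second wave (an attachment whose Content-Location header points off-host) is easy to hunt for in mail archives. The following is an added example, not CERT-UA's or the article's own code; the sample messages, sender and recipient addresses, and the attacker.invalid host are constructed for illustration. A hit only shows the delivery pattern, not a successful exploit, which also requires an unpatched Zimbra web client.

```python
"""Flag MIME attachments whose Content-Location header points at a remote host.

Added example (not from CERT-UA or the original article). The sample
messages below are constructed; the hosts are placeholders.
"""
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample: an attachment carrying a remote Content-Location,
# the pattern described for the UAC-0097 wave.
SAMPLE_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello
--b1
Content-Type: text/html; name="report.html"
Content-Disposition: attachment; filename="report.html"
Content-Location: http://attacker.invalid/payload.js

<html><body>x</body></html>
--b1--
"""

# Constructed benign sample: a relative Content-Location, which is a
# legitimate use of the header and should not be flagged.
SAMPLE_BENIGN_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="report.html"
Content-Disposition: attachment; filename="report.html"
Content-Location: report.html

<html><body>x</body></html>
--b1--
"""

REMOTE_SCHEMES = {"http", "https", "ftp"}


def remote_content_locations(raw: bytes) -> list:
    """Return one finding per MIME part whose Content-Location is an
    absolute URL on a remote host."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        loc = part.get("Content-Location")
        if not loc:
            continue
        loc = str(loc).strip()
        parsed = urlparse(loc)
        # Relative locations (no scheme/host) are normal for inline content;
        # only absolute URLs to another host match the reported pattern.
        if parsed.scheme.lower() in REMOTE_SCHEMES and parsed.netloc:
            findings.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "content_location": loc,
                "host": parsed.hostname,
            })
    return findings


if __name__ == "__main__":
    for finding in remote_content_locations(SAMPLE_EML):
        print(finding)
```

Run it over a directory of .eml files by calling remote_content_locations on each file's bytes; the returned host field is the value worth pivoting on in mail and proxy logs.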
