Posted on April 18, 2022 at 7:28 PM

New Info-Stealing Malware Discovered Targeting Ukrainian Government

Cybersecurity researchers have warned about a new wave of social engineering attacks that threat actors use to distribute the IcedID malware. The warning also noted that the threat actors deploy Zimbra exploits to steal sensitive data, specifically targeting the Ukrainian government.

The Computer Emergency Response Team of Ukraine (CERT-UA) issued the warning and provided details of the exploits.

The agency revealed that the IcedID phishing attack is linked to a threat group called UAC-0041. The threat actors start with an infection sequence in an email that includes a Microsoft Excel document. Once the targeted user opens the document, they are deceived to open macros, leading to IcedID deployment. From there, the GzipLoader malicious file delivers the final payload that is IcedIEd, which fetches, decrypts, and executes it.

The Malware Can Steal User’s Credentials

The IcedID hacking malware is a trojan that can be deployed by a threat actor to steal the account credentials of users. Apart from its primary function, it can also be deployed as a payloader for other malware types such as wipers, ransomware, and Cobalt Strike.

The second wave of attack is connected to a new threat group called UAC-0097, with email attachments that contain a Content-Location header. It comes with a remote server-holding JavaScript code that activates an attack for scripting vulnerability in Zimbra cross-site scripting. The vulnerability in question is tagged CVE-2018-6882.

The vulnerability affects Zimbra’s Collaboration Site versions 8.7 and older. It allows hackers to plant HTML or arbitrary web scripts into email attachments using a content-location header.

The Malware Has Similar Pattern With TrickBot And Zloader

According to the agency, the information-stealing malware follows a similar pattern to that of Zloader, Emotet, and TrickBot. Another observation is the fact that the malware has evolved from its easier and less complicated roots as a banking trojan to a more sophisticated and full-fledged crimewave service. As a result, it facilitates the administration of next-stage implants like ransomware.

Zimbra is a cloud-based email and collaboration platform that has several features such as cloud storage, file sharing, contacts, video conferencing, as well as instant messaging.

In the final phase of the attack, the injected JavaScript is utilized when forwarding victims’ emails to an email address under the hacker’s control, indicating a cyber espionage campaign.

The publication further explained that the attack is part of a hostile cyber activity against Ukraine, which started in January. The discovery of the hacking campaign is coming a few days after CERT-UA announced that it has foiled a Russian cyberattack that wanted to sabotage the operations of an undisclosed energy provider in the country.

Social engineering is a common hacking technique threat actors use to deceive people to give away their account details such as their personal information and passwords. In some cases, the users are tricked to send funds unknowingly to the threat actors. They accomplish this using different tactics. In some cases, they pretend to be offering services, which is nonexistent, promising rewards to their targets for accomplishing a simple task.

 In some other cases, the threat actors pretend to be someone they are not or ask for help with something that doesn’t exist. Security agencies and cybersecurity researchers keep offering advice when it comes to dealing with social engineering attacks.

One of the best ways to avoid becoming a victim is for organizations to educate employees about the different methods and techniques deployed by bad actors to perpetrate such attacks. They are also advised to use multi-factor authentication and be careful about their online interactions with strangers online.

Russia-linked Hackers Keep Targeting Critical Infrastructures In Ukraine

Russian-sponsored threat actors have always used any slight opportunity to launch attacks on critical infrastructures in Ukraine.

Last week, Ukraine revealed that it thwarted Russian attacks on its electricity grid. According to the report, Russian hackers attempted to cause a blackout by targeting the Ukrainian power grid. If the attack had succeeded, it would have hit over 2 million people, according to the Slovakian cybersecurity firm ESET and the Ukrainian government.

The attackers used a wiper malware to destroy computers at a Ukrainian energy company. The malware was designed to impact hard on targeted systems by deleting key data and rendering them useless. However, the attack was foiled, which prevented the biggest cyber-induced blackout ever.

The attack on the Ukrainian power grid is one of several attempts by the Russian military intelligence to disrupt the Ukrainian internet space and hit critical infrastructure as the war continues.