New IcedID Malware Hacking Campaign Targeting Ukrainian Government


New social engineering campaigns delivering IcedID malware and Zimbra exploits are being used to steal sensitive information, according to the Computer Emergency Response Team of Ukraine (CERT-UA).


The phishing chain starts with an email carrying a Microsoft Excel document (олани pестр.xls, or Mobilization Register.xls), attributed to the threat cluster tracked as UAC-0041 (described in the source as the Russian Federal Anti-Virus Agency). When opened, the document prompts the user to enable macros, and doing so installs IcedID.


Since its inception as a banking trojan in 2011, the information-stealing malware, also known as "BokBot", has evolved into a full-scale crimeware service that facilitates the retrieval of additional implants, such as ransomware.


According to the researchers, emails sent by a new threat group tracked as UAC-0097 carried attachments whose Content-Location header pointed to an external server hosting JavaScript code that triggered a cross-site scripting vulnerability in Zimbra (CVE-2018-6882).


In this final stage of the attack, the rogue JavaScript forwards the victim's emails to an email address controlled by the threat actor.
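The two paragraphs above describe one observable that a mail gateway or incident responder can check for: a MIME attachment whose Content-Location header points at a script on a server outside the organisation. The following Python script is an added example written for this article, not code from CERT-UA or from the campaign; the sample message and the host names in it are constructed placeholders, and the `trusted_hosts` parameter is an assumption about how a deployment would whitelist its own web servers. It walks every MIME part of a raw message and reports any Content-Location that resolves to an absolute http(s) URL on an untrusted host, which is the pattern the advisory attributes to UAC-0097.

```python
import email
from email import policy
from urllib.parse import urlparse

# Constructed sample message (placeholder sender/recipient/host, not from the
# campaign). It mirrors the structure described in the advisory: an attached
# part whose Content-Location header names a JavaScript file on an external host.
SAMPLE_EML = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: text/html; name="report.html"
Content-Disposition: attachment; filename="report.html"
Content-Location: http://attacker.invalid/payload.js

<html><body>placeholder</body></html>
--b1--
"""

# Constructed benign counterpart: a relative Content-Location, as used by
# legitimate multipart/related HTML mail, must not be flagged.
BENIGN_EML = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Newsletter
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html
Content-Location: index.html

<html><body><img src="logo.png"></body></html>
--b2
Content-Type: image/png; name="logo.png"
Content-Location: logo.png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b2--
"""


def find_external_content_locations(raw_message, trusted_hosts=()):
    """Return a list of MIME parts whose Content-Location is an absolute
    http(s) URL on a host not in trusted_hosts (compared case-insensitively)."""
    trusted = {h.lower() for h in trusted_hosts}
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        raw_loc = part.get("Content-Location")
        if raw_loc is None:
            continue
        loc = str(raw_loc).strip()
        parsed = urlparse(loc)
        # Relative locations (no scheme) only name other parts of the same
        # message; an absolute http(s) URL tells the client to fetch remotely.
        if parsed.scheme.lower() not in ("http", "https") or not parsed.hostname:
            continue
        host = parsed.hostname.lower()
        if host in trusted:
            continue
        findings.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "location": loc,
            "host": host,
        })
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        hits = find_external_content_locations(raw)
        print(f"{name}: {len(hits)} external Content-Location header(s)")
        for hit in hits:
            print(f"  {hit['content_type']} {hit['filename']!r} -> {hit['location']}")
```

Run against an exported .eml (`find_external_content_locations(open(path).read())`) the function gives a quick triage signal; a gateway rule built on it should also consider quarantining any message where the flagged part is HTML or JavaScript, since that is the combination the advisory ties to the Zimbra exploit chain.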


Since the beginning of the year, Ukraine has been the target of malicious cyber activity. CERT-UA recently revealed that it had thwarted a Russian cyberattack aimed at an unnamed energy provider in the country.
