The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an urgent alert regarding a recent surge in social engineering tactics used to propagate IcedID malware and exploit vulnerabilities in the Zimbra email platform. This wave of attacks is primarily focused on extracting sensitive information from targeted users.

CERT-UA has tied these IcedID phishing attempts to a named threat group, referred to as UAC-0041. The attack begins with an email containing a malicious Microsoft Excel document, labeled “Мобілізаційний реєстр.xls” or “Mobilization Register.xls.” When recipients open this document, they are prompted to enable macros, which subsequently activates the IcedID malware.

The IcedID malware, also known as BokBot, has evolved dramatically from its origins as a banking trojan, similar to the trends observed with TrickBot, Emotet, and ZLoader. It has matured into a sophisticated crimeware platform capable of facilitating the deployment of advanced payloads, including various ransomware solutions.

A second wave of targeted attacks has been attributed to another group referred to as UAC-0097. These campaigns utilize emails that contain multiple image attachments, which employ a Content-Location header leading to a remote server. This server hosts JavaScript designed to exploit a cross-site scripting vulnerability in Zimbra (identified as CVE-2018-6882).

In the final phase of this attack chain, the malicious JavaScript, running in the victim's webmail session, is used to redirect victims' emails to an address controlled by the attackers, signaling a coordinated cyber espionage effort. This targeted intrusion reflects a continuation of aggressive cyber operations against Ukraine, a trend that has intensified since the beginning of the year.
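The UAC-0097 lure relies on a MIME part whose Content-Location header points at a remote server. A mail gateway or incident responder can triage for that pattern with a small parser; the following is an added example, not CERT-UA's code or a sample from the campaign, and the embedded .eml (sender, hostnames, attachment names) is constructed for illustration. It flags any part with an absolute http(s) Content-Location, slightly broader than the image-only case the alert describes.

```python
import email
from email import policy
from urllib.parse import urlparse

# Constructed sample message: two image parts, one carrying an external
# Content-Location (the pattern described above), one a harmless relative one.
SAMPLE_EML = (
    "From: sender@example.org\r\n"
    "To: victim@example.org\r\n"
    "Subject: photos\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Please see the attached images.\r\n"
    "--b1\r\n"
    'Content-Type: image/png; name="photo1.png"\r\n'
    "Content-Location: http://remote.example.invalid/images/photo1.png\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "iVBORw0KGgo=\r\n"
    "--b1\r\n"
    'Content-Type: image/png; name="photo2.png"\r\n'
    "Content-Location: photo2.png\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "iVBORw0KGgo=\r\n"
    "--b1--\r\n"
)


def find_external_content_locations(raw: str) -> list[dict]:
    """Return one finding per MIME part whose Content-Location is an absolute
    http(s) URL, i.e. a part that asks the client to fetch content remotely."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        loc = part.get("Content-Location")
        if not loc:
            continue  # most parts carry no Content-Location at all
        parsed = urlparse(str(loc).strip())
        # A relative Content-Location (e.g. "photo2.png") is normal for
        # multipart/related content; only absolute remote URLs are suspicious.
        if parsed.scheme in ("http", "https") and parsed.netloc:
            findings.append({
                "content_type": part.get_content_type(),
                "filename": part.get_filename(),
                "location": str(loc).strip(),
                "host": parsed.netloc,
            })
    return findings
```

Feed the findings into your gateway's block or quarantine logic; the remote host is also the value worth correlating against proxy logs for users who already opened the message.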

CERT-UA has previously reported thwarting cyber activities aimed at undermining critical infrastructure, including a recent foiled attempt by Russian actors to disrupt the operations of an unnamed energy provider within Ukraine. These incidents underscore the ongoing risk of cyber threats in the region, particularly for organizations and individuals who may be vulnerable to such attacks.
