Threat actors target the Ukrainian gov with IcedID malware

Threat actors are targeting Ukrainian government agencies with phishing attacks delivering the IcedID malware.

The Ukrainian Computer Emergency Response Team (CERT-UA) uncovered new phishing campaigns aimed at infecting systems of Ukrainian government agencies with the IcedID malware.

IcedID banking trojan first appeared in the threat landscape in 2017, it has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Experts at IBM X-Force that first analyzed it noticed that the threat does not borrow code from other banking malware, but it implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims.

The phishing messages uncovered by CERT-UA were using weaponized an Excel document named “Mobilization Register.xls”.

Upon opening the document and enabling the embedded macro, it will download and run the executable file that decrypts and run the GzipLoader which act ad loader for the IcedID malware.

“The downloaded EXE file will decrypt and run the GzipLoader malware on your computer, which in turn will download, decrypt and run the IcedID malware. This malware (also known as BankBot) belongs to the class of “banking Trojans” and, among other things, provides theft of authentication data.” reads the analysis published by CERT-UA.

CERT-UA associated the phishing attacks with the threat actor tracked as UAC-0041.

The attackers are attempting to spread the IcedID malware to gain access to the government networks and gather intelligence. The malware could also be used to load additional malicious payloads to further compromise the targeted organization.

Ukraine’s CERT (CERT-UA) also published a separate advisory to warn of threat actors that are targeting government organizations with exploits for XSS vulnerabilities in Zimbra Collaboration Suite (CVE-2018-6882).

“Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.” reads the description of this issue published by the NIST NVD.

The CERT-UA uncovered a cyber espionage campaign conducted by nation-state actors, attackers used phishing messages with the subject “Volodymyr Zelenskyy presented the Golden Star Orders to serve the Armed Forces of Ukraine and members of the families of the fallen Heroes of Ukraine “.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]