# Hackers target Ukrainian govt with IcedID malware, Zimbra exploits

**[bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/](https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/)**

By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/), April 14, 2022 11:09 AM

-----

Hackers are targeting Ukrainian government agencies with new attacks that exploit a Zimbra vulnerability and with phishing emails pushing the IcedID malware.

The Computer Emergency Response Team of Ukraine (CERT-UA) detected the new campaigns and attributed the IcedID phishing attack to the UAC-0041 threat cluster, previously connected with AgentTesla distribution, and the second campaign to UAC-0097, a currently unknown actor.

Although the attributions are only moderately confident, this is another snapshot of the malicious cyber-activity targeting Ukrainian entities. In both cases, the goal of the threat actors is to gain access to internal networks to perform cyber-espionage on Ukraine's most critical government agencies.

## IcedID infecting state orgs

The first report describes a campaign distributing XLS documents named "Mobilization Register.xls" to many recipients.

Opening the document prompts the user to "Enable Content" for viewing, which lets a malicious macro execute to download and run a malicious file.

This file is the GzipLoader malware, which fetches, decrypts, and executes the final payload, [IcedID (aka BankBot)](https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/).

IcedID is a modular banking trojan that can be used for stealing account credentials or as a loader of additional, second-stage malware such as Cobalt Strike, ransomware, wipers, and more.
-----

_Image: Details from the IcedID campaign (CERT-UA)_

## Spying on government emails

The second report involves an email sent to government agencies in Ukraine, with attached images allegedly from an event where President V. Zelensky awarded Armed Forces members.

-----

_Image: Email with malicious jpg attachments (CERT-UA)_

The attached images contain a Content-Location header that links to a web resource hosting [JavaScript code that triggers the exploitation of the Zimbra CVE-2018-6882 vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2018-6882).

This cross-site scripting vulnerability affects Zimbra Collaboration Suite versions 8.7 and older, enabling remote attackers to inject arbitrary web script or HTML via a Content-Location header in email attachments.

Zimbra is an email and collaboration platform that also includes instant messaging, contacts, video conferencing, file sharing, and cloud storage capabilities.

In this case, exploiting the flaw adds a forwarding rule that sends the victim's emails to a new address under the threat actor's control, which is clearly an espionage-supporting move.

-----

_Image: Setting Zimbra to forward the victim's emails (CERT-UA)_

It is worth noting that Zimbra had [a similar XSS problem earlier this year, affecting the most recent 8.8.15 P29 & P30 versions of the suite](https://www.bleepingcomputer.com/news/security/zimbra-zero-day-vulnerability-actively-exploited-to-steal-emails/). That flaw was actively exploited as a zero-day by Chinese threat actors who used it to steal the emails of European media and government organizations.

As such, CERT-UA advises all organizations in Ukraine using Zimbra to update to the latest available versions of the suite immediately.
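The delivery vector described above, an image attachment whose Content-Location header points at an external web resource, is something a mail gateway or incident responder can check for directly. The following is an added example, not code from CERT-UA or from the article: it parses a constructed .eml message (the attacker host is a placeholder, not a real indicator) and reports every attachment whose Content-Location resolves to an external http(s) URL, while leaving relative or `cid:` values alone.

```python
# Added example: flag e-mail attachments whose Content-Location header
# points at an external web resource (the CVE-2018-6882 delivery vector).
import email
from email import policy
from urllib.parse import urlsplit

# Constructed sample message; the host is a placeholder, not a real IoC.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Photos from the award ceremony
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="photo1.jpg"
Content-Disposition: attachment; filename="photo1.jpg"
Content-Location: http://attacker-placeholder.invalid/x.js
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1
Content-Type: image/jpeg; name="photo2.jpg"
Content-Disposition: attachment; filename="photo2.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1--
"""

def suspicious_content_locations(raw: bytes) -> list:
    """Return (filename, url) for each MIME part whose Content-Location is
    an http(s) URL with a host; relative or cid: values are not reported."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        loc = (part.get("Content-Location") or "").strip()
        if not loc:
            continue
        url = urlsplit(loc)
        if url.scheme in ("http", "https") and url.netloc:
            findings.append((part.get_filename() or "<unnamed>", loc))
    return findings

if __name__ == "__main__":
    for name, url in suspicious_content_locations(SAMPLE_EML):
        print(f"attachment {name!r} loads external resource {url}")
```

Only the first attachment is reported; the second, which has no Content-Location header, is treated as an ordinary image.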