[MART] - Daily Diary #493 - IcedID Campaign Targets Ukraine

CTAS-MAT ctas-mat at appgate.com
Mon Apr 18 22:15:56 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

04/18/2022 - Diary entry #493:

IcedID (aka BokBot), first spotted in late 2017 and covered in several of our Daily Diaries, is a threat used as an info stealer or as a dropper to deploy other malware such as Lockean, a ransomware strain (covered in Daily Diary #383). The IcedID payloads are distributed using a botnet to send spear-phishing emails containing the dropper.

Recently, new campaigns were spotted targeting Ukrainian citizens. The first one distributed Microsoft Excel macro-enabled documents used to deploy an IcedID info stealer payload. The second one exploits a Zimbra cross-site scripting vulnerability tracked as CVE-2018-6882 to forward victims' emails to an email address under the threat actor's control. Zimbra is a cloud-hosted collaboration software and email platform used by organizations.

These recent campaigns reveal more cyber attacks targeting Ukraine in the middle of the military conflict with Russia. We recently covered wiper malware used against Ukrainian energy facilities. Now, threat groups are weaponizing Malware-as-a-Service offerings like IcedID, which can be used for cyber espionage purposes or to facilitate further attacks.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com

