Mass-spreading marketing campaign concentrating on Zimbra customers

ESET Analysis

ESET researchers have noticed a brand new phishing marketing campaign concentrating on customers of the Zimbra Collaboration electronic mail server.

17 Aug 2023
 • 
,
5 min. learn

ESET researchers have uncovered a mass-spreading phishing marketing campaign, geared toward accumulating Zimbra account customers’ credentials, energetic since at the very least April 2023 and nonetheless ongoing. Zimbra Collaboration is an open-core collaborative software program platform, a well-liked different to enterprise electronic mail options. The marketing campaign is mass-spreading; its targets are quite a lot of small and medium companies and governmental entities.

In response to ESET telemetry, the best variety of targets are situated in Poland, adopted by Ecuador and Italy. Goal organizations range: adversaries don’t give attention to any particular vertical with the one factor connecting victims being that they’re utilizing Zimbra. Up to now, we have now not attributed this marketing campaign to any identified risk actors.

Initially, the goal receives an electronic mail with a phishing web page within the connected HTML file. As proven in Determine 2, Determine 3 and Determine 4, the e-mail warns the goal about an electronic mail server replace, account deactivation, or comparable challenge and directs the consumer to click on on the connected file. The adversary additionally spoofs the From: area of the e-mail to seem like an electronic mail server administrator.

Within the background, the submitted credentials are collected from the HTML kind and despatched by HTTPS POST request to a server managed by the adversary (Determine 7). The POST request vacation spot URLs use the next sample: https://<SERVER_ADDRESS>/wp-admin/ZimbraNew.php

Curiously, on a number of events we noticed subsequent waves of phishing emails despatched from Zimbra accounts of beforehand focused, respectable corporations, corresponding to donotreply[redacted]@[redacted].com. It’s probably that the attackers had been capable of compromise the sufferer’s administrator accounts and created new mailboxes that had been then used to ship phishing emails to different targets. One rationalization is that the adversary depends on password reuse by the administrator focused by phishing – i.e., utilizing the identical credentials for each electronic mail and administration. From out there knowledge we’re not capable of affirm this speculation.

The marketing campaign noticed by ESET depends solely on social engineering and consumer interplay; nevertheless, this will likely not at all times be the case. In a earlier marketing campaign described by Proofpoint in March 2023, the APT group Winter Vivern (aka TA473) had been exploiting the CVE-2022-27926 vulnerability, concentrating on webmail portals of navy, authorities, and diplomatic entities of European international locations. In one other instance, reported by Volexity in February 2022, a bunch named TEMP_Heretic exfiltrated emails of European authorities and media organizations by abusing one other vulnerability (CVE-2022-24682) within the Calendar function in Zimbra Collaboration. In the latest point out, EclecticIQ researchers analyzed a marketing campaign just like the one described in our blogpost. The primary distinction is that the HTML hyperlink resulting in the pretend Zimbra login web page is situated immediately within the electronic mail physique.

Conclusion

Regardless of this marketing campaign not being so technically subtle, it’s nonetheless capable of unfold and efficiently compromise organizations that use Zimbra Collaboration, which stays a lovely goal for adversaries. Adversaries leverage the truth that HTML attachments include respectable code, and the one telltale component is a hyperlink pointing to the malicious host. This manner, it’s a lot simpler to bypass reputation-based antispam insurance policies, in comparison with phishing strategies the place a malicious hyperlink is immediately positioned within the electronic mail physique. The recognition of Zimbra Collaboration amongst organizations anticipated to have decrease IT budgets ensures that it stays a lovely goal for adversaries.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis provides non-public APT intelligence reviews and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IOCs

ESET detection names

HTML/Phishing.Gen

Recordsdata

We’re unable to share file IoCs as a result of samples include delicate info.

Community

Hosts used to exfiltrate harvested credentials are hosted on shared servers. Detections based mostly solely on IP addresses may result in false positives.

URLs

https://fmaildd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://mtatdd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://nmailddt.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://posderd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://ridddtd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://tmaxd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://zimbra.y2kportfolio[.]com/wp/wp-admin/ZimbraNew.php

MITRE ATT&CK

This desk was constructed utilizing model 13 of the MITRE ATT&CK framework.