ESET researchers uncovered a mass-spreading phishing campaign targeting users of Zimbra Collaboration, active since at least April 2023 and continuing. The attackers deploy HTML attachment-based lures with a fake Zimbra login page to harvest credentials and exfiltrate them over HTTPS to attacker-controlled servers. #Zimbra #ZimbraNewPhp #WinterVivern #TA473 #CVE-2022-27926
Keypoints
- The campaign targets a broad set of small to medium businesses and government entities using Zimbra; Poland is the top location, followed by Ecuador and Italy.
- Attackers rely on mass distribution via phishing emails with attached HTML files that display a warning about a server issue or account deactivation.
- Email From fields are spoofed to appear as a Zimbra/enterprise administrator to increase legitimacy.
- After opening the attachment, victims see a fake Zimbra login page with a prefilled Username to appear authentic.
- Credentials entered into the fake form are sent via HTTPS POST to attacker-controlled endpoints (a ZimbraNew.php script on the hosts listed in the indicators below).
- In some waves, attackers reused compromised administrator accounts to send additional phishing emails to other targets.
- The campaign is technically simple, but it remains effective because of the social engineering involved and Zimbra's popularity among budget-conscious organizations.
MITRE Techniques
- [T1586.002] Compromise Accounts: Email Accounts - The adversary used previously compromised email accounts for campaign spreading. Quote: "The adversary used previously compromised email accounts for campaign spreading."
- [T1585.002] Establish Accounts: Email Accounts - The adversary created new email accounts to facilitate the campaign. Quote: "The adversary created new email accounts to facilitate the campaign."
- [T1566.001] Phishing: Spearphishing Attachment - The campaign was spread by malicious HTML files in email attachments. Quote: "The campaign was spread by malicious HTML files in email attachments."
- [T1204.002] User Execution: Malicious File - A successful attack relies on the victim clicking on a malicious file in the attachment. Quote: "A successful attack relies on the victim clicking on a malicious file in the attachment."
- [T1136] Create Account - The adversary created new email accounts on compromised Zimbra instances for further spreading of the phishing campaign. Quote: "The adversary created new email accounts on compromised Zimbra instances for further spreading of the phishing campaign."
- [T1056.003] Input Capture: Web Portal Capture - The adversary captured credentials inserted to a fake login page. Quote: "The adversary captured credentials inserted to a fake login page."
- [T1048.002] Exfiltration: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - The adversary exfiltrated passwords by POST requests sent over the HTTPS protocol. Quote: "The adversary exfiltrated passwords by POST requests sent over the HTTPS protocol."
Indicators of Compromise
- [IP] 145.14.144.174, 173.44.236.125 - Malicious hosts used to exfiltrate harvested credentials.
- [Domain] fmaildd.000webhostapp[.]com, nmailddt.000webhostapp[.]com - Malicious hosts used to exfiltrate harvested credentials.
- [Domain] zimbra.y2kportfolio[.]com - Malicious host used to exfiltrate harvested credentials.
- [Hosting provider] Hostinger International Ltd, NL - Provider of one of the exfiltration hosts above; first seen 2019-12-31.
- [Hosting provider] Eonix Corporation, US - Provider of one of the exfiltration hosts above; first seen 2022-05-27.
- [URL] https://fmaildd.000webhostapp[.]com/wp-admin/ZimbraNew.php, https://mtatdd.000webhostapp[.]com/wp-admin/ZimbraNew.php - Endpoints used for credential submission.
- [URL] https://nmailddt.000webhostapp[.]com/wp-admin/ZimbraNew.php, https://ridddtd.000webhostapp[.]com/wp-admin/ZimbraNew.php - Endpoints used for credential submission.
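The lure mechanics in the key points above (an HTML attachment carrying a fake login form with a prefilled username that POSTs the password off-site to a ZimbraNew.php endpoint) and the indicator list can be turned into a mail-gateway check. The scanner below is an added example written for this page, not ESET's tooling and not derived from the campaign's own HTML: it parses the forms in an HTML attachment, flags password forms whose action leaves the organisation's own webmail host, flags prefilled username fields, and matches the action URL against the page's indicators. The two sample attachments are constructed for illustration; the expected webmail host `mail.example.org` and the recipient address are assumptions.

```python
"""Heuristic scanner for HTML-attachment credential-phishing lures.

Added example for this page, not ESET's code and not the campaign's HTML.
The sample attachments below are constructed to resemble the described lure.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the page, with the defanging brackets removed.
IOC_HOSTS = {
    "fmaildd.000webhostapp.com", "nmailddt.000webhostapp.com",
    "mtatdd.000webhostapp.com", "ridddtd.000webhostapp.com",
    "zimbra.y2kportfolio.com", "145.14.144.174", "173.44.236.125",
}
IOC_SCRIPT = "/zimbranew.php"   # compared case-insensitively against the action path


class FormExtractor(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(),
                         "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append({"type": (a.get("type") or "text").lower(),
                                        "name": a.get("name") or "",
                                        "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def analyse_attachment(html, expected_host=None):
    """Return one finding per suspicious form; an empty list means nothing flagged.

    expected_host: the organisation's real webmail host. A password form whose
    action points at any other host is flagged; a relative action (same origin,
    like a real Zimbra login page) is not.
    """
    parser = FormExtractor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urlparse(form["action"])
        host = (target.hostname or "").lower()
        has_password = any(i["type"] == "password" for i in form["inputs"])
        prefilled = [i["name"] for i in form["inputs"]
                     if i["type"] in ("text", "email") and "@" in i["value"]]
        reasons = []
        if has_password and host and (expected_host is None or host != expected_host.lower()):
            reasons.append(f"password form posts off-site to {host}")
        if prefilled:
            reasons.append("username prefilled in field(s): " + ", ".join(prefilled))
        if host in IOC_HOSTS:
            reasons.append("action host matches a campaign indicator")
        if target.path.lower().endswith(IOC_SCRIPT):
            reasons.append("action path ends in ZimbraNew.php")
        if reasons:
            findings.append({"action": form["action"], "method": form["method"],
                             "reasons": reasons})
    return findings


# Constructed sample: a lure modelled on the campaign description (not real attacker HTML).
SAMPLE_LURE = """<html><body>
<p>Your mailbox has a server issue. Sign in to keep your account active.</p>
<form method="POST" action="https://fmaildd.000webhostapp.com/wp-admin/ZimbraNew.php">
  <input type="text" name="username" value="jan.kowalski@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Constructed sample: a same-origin login form, as a genuine webmail page would have.
SAMPLE_BENIGN = """<html><body>
<form method="POST" action="/zimbra/">
  <input type="text" name="username">
  <input type="password" name="password">
</form></body></html>"""

if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, analyse_attachment(doc, expected_host="mail.example.org"))
```

The indicator match is the weakest signal here, since the hosts rotate between waves; the durable signals are a password field whose form action leaves the expected webmail origin and a username that arrives already filled in, which a real login page has no reason to do. A lure that builds its form or submits it with JavaScript rather than a static `<form action>` will not be caught by this parser and needs the attachment rendered or the script inspected instead.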
Read more: https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/