URL: https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/
ESET Research


MASS-SPREADING CAMPAIGN TARGETING ZIMBRA USERS

ESET researchers have observed a new phishing campaign targeting users of the
Zimbra Collaboration email server.

Viktor Šperka

17 Aug 2023 • 5 min. read



ESET researchers have uncovered a mass-spreading phishing campaign, aimed at
collecting Zimbra account users’ credentials, active since at least April 2023
and still ongoing. Zimbra Collaboration is an open-core collaborative software
platform, a popular alternative to enterprise email solutions. The campaign is
mass-spreading; its targets are a variety of small and medium businesses and
governmental entities.

According to ESET telemetry, the greatest number of targets are located in
Poland, followed by Ecuador and Italy. Target organizations vary: adversaries do
not focus on any specific vertical with the only thing connecting victims being
that they are using Zimbra. To date, we have not attributed this campaign to any
known threat actors.

Figure 1. Countries hit by the campaign, according to ESET telemetry

Initially, the target receives an email with a phishing page in the attached
HTML file. As shown in Figure 2, Figure 3 and Figure 4, the email warns the
target about an email server update, account deactivation, or similar issue and
directs the user to click on the attached file. The adversary also spoofs the
From: field of the email to appear to be an email server administrator.

Figure 2. Lure email warning in Polish about deactivation of the target’s Zimbra
account

Figure 3. Machine translation of lure email, originally in Polish

Figure 4. Lure email in Italian; meaning is the same as in Figure 3

After opening the attachment, the user is presented with a fake Zimbra login
page customized according to the targeted organization, as shown in Figure 5.
The HTML file is opened in the victim’s browser, which might trick the victim
into believing they were directed to the legitimate login page, even though the
URL points to a local file path. Note that the Username field is prefilled in
the login form, which makes it appear more legitimate.

Figure 5. Fake Zimbra login page

Figure 6 shows a legitimate Zimbra webmail login page for comparison.

Figure 6. Example of a legitimate Zimbra login page

In the background, the submitted credentials are collected from the HTML form
and sent in an HTTPS POST request to a server controlled by the adversary
(Figure 7). The POST request destination URLs follow this pattern:
https://<SERVER_ADDRESS>/wp-admin/ZimbraNew.php

Figure 7. Code snippet responsible for the POST request exfiltrating targets’
credentials

Interestingly, on several occasions we observed subsequent waves of phishing
emails sent from Zimbra accounts of previously targeted, legitimate companies,
such as donotreply[redacted]@[redacted].com. It is likely that the attackers
compromised victims’ administrator accounts and created new mailboxes that were
then used to send phishing emails to other targets. One explanation is that the
adversary relies on password reuse by the administrator targeted through
phishing, i.e., the same credentials being used for both email and
administration. From the available data we are not able to confirm this
hypothesis.

The campaign observed by ESET relies only on social engineering and user
interaction; however, this may not always be the case. In a previous campaign
described by Proofpoint in March 2023, the APT group Winter Vivern (aka TA473)
exploited the CVE-2022-27926 vulnerability, targeting webmail portals of
military, government, and diplomatic entities in European countries. In another
example, reported by Volexity in February 2022, a group named TEMP_Heretic
exfiltrated emails of European government and media organizations by abusing
another vulnerability (CVE-2022-24682) in the Calendar feature of Zimbra
Collaboration. Most recently, EclecticIQ researchers analyzed a campaign similar
to the one described in this blogpost; the main difference is that the HTML link
leading to the fake Zimbra login page is placed directly in the email body.


CONCLUSION

Despite this campaign not being so technically sophisticated, it is still able
to spread and successfully compromise organizations that use Zimbra
Collaboration, which remains an attractive target for adversaries. Adversaries
leverage the fact that HTML attachments contain legitimate code, and the only
telltale element is a link pointing to the malicious host. This way, it is much
easier to circumvent reputation-based antispam policies, compared to phishing
techniques where a malicious link is directly placed in the email body. The
popularity of Zimbra Collaboration among organizations expected to have lower IT
budgets ensures that it stays an attractive target for adversaries.

> For any inquiries about our research published on WeLiveSecurity, please
> contact us at threatintel@eset.com.
> ESET Research offers private APT intelligence reports and data feeds. For any
> inquiries about this service, visit the ESET Threat Intelligence page.


IOCS


ESET DETECTION NAMES

HTML/Phishing.Gen


FILES

We are unable to share file IoCs because samples contain sensitive information.


NETWORK

Hosts used to exfiltrate harvested credentials are hosted on shared servers.
Detections based solely on IP addresses could lead to false positives.





IP | Domain | Hosting provider | First seen | Details
145.14.144[.]174 | fmaildd.000webhostapp[.]com | Hostinger International Ltd, NL | 2019-12-31 | Malicious host used to exfiltrate harvested credentials.
145.14.145[.]248 | nmailddt.000webhostapp[.]com | Hostinger International Ltd, NL | 2019-12-31 | Malicious host used to exfiltrate harvested credentials.
145.14.145[.]122 | tmaxd.000webhostapp[.]com | Hostinger International Ltd, NL | 2019-12-31 | Malicious host used to exfiltrate harvested credentials.
145.14.144[.]58 | posderd.000webhostapp[.]com | Hostinger International Ltd, NL | 2019-12-31 | Malicious host used to exfiltrate harvested credentials.
145.14.145[.]94 | ridddtd.000webhostapp[.]com | Hostinger International Ltd, NL | 2019-12-31 | Malicious host used to exfiltrate harvested credentials.
145.14.145[.]36 | mtatdd.000webhostapp[.]com | Hostinger International Ltd, NL | 2019-12-31 | Malicious host used to exfiltrate harvested credentials.
173.44.236[.]125 | zimbra.y2kportfolio[.]com | Eonix Corporation, US | 2022-05-27 | Malicious host used to exfiltrate harvested credentials.



URLs

https://fmaildd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://mtatdd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://nmailddt.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://posderd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://ridddtd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://tmaxd.000webhostapp[.]com/wp-admin/ZimbraNew.php
https://zimbra.y2kportfolio[.]com/wp/wp-admin/ZimbraNew.php
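The Network section warns that the exfiltration hosts sit on shared servers, so an IP-only match is a weak signal while a hostname or URL-path match is a strong one. The script below, an added example that is not ESET's code, turns the published IoCs into a tiered proxy-log matcher: the host/IP pairs and the `/wp-admin/ZimbraNew.php` path are taken from the article's IoC section, while the log layout and the log lines themselves are constructed for the demo.

```python
"""Match web-proxy log lines against the campaign's network IoCs.

Added example, not code from ESET or the article. The host/IP pairs and the
URL path are the ones published in the article's IoC section; the log format
and the log lines are constructed for this demo. Because the article notes the
exfiltration hosts sit on shared servers, a hit on IP address alone is reported
as low confidence rather than dropped or treated as a confirmed match.
"""
import re
from urllib.parse import urlparse

# Defanged host -> IP pairs as listed in the article's Network table.
IOC_HOSTS_DEFANGED = {
    "fmaildd.000webhostapp[.]com": "145.14.144[.]174",
    "nmailddt.000webhostapp[.]com": "145.14.145[.]248",
    "tmaxd.000webhostapp[.]com": "145.14.145[.]122",
    "posderd.000webhostapp[.]com": "145.14.144[.]58",
    "ridddtd.000webhostapp[.]com": "145.14.145[.]94",
    "mtatdd.000webhostapp[.]com": "145.14.145[.]36",
    "zimbra.y2kportfolio[.]com": "173.44.236[.]125",
}
EXFIL_PATH = "/wp-admin/ZimbraNew.php"  # path shared by every listed URL


def refang(value):
    """Turn a defanged indicator ('[.]') back into a matchable string."""
    return value.replace("[.]", ".")


IOC_HOSTS = {refang(h): refang(ip) for h, ip in IOC_HOSTS_DEFANGED.items()}
IOC_IPS = set(IOC_HOSTS.values())

# Hypothetical proxy log layout: "<timestamp> <client> <method> <url> <dest_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+) (?P<status>\d{3})$"
)


def classify(line):
    """Return a finding dict for a matching line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parsed = urlparse(m["url"])
    host = (parsed.hostname or "").lower()
    if host in IOC_HOSTS:
        confidence, reason = "high", "destination host is a listed IoC"
    elif m["method"] == "POST" and parsed.path.endswith(EXFIL_PATH):
        confidence, reason = "medium", "POST to the campaign's exfil path on an unlisted host"
    elif m["dst"] in IOC_IPS:
        confidence, reason = "low", "IoC IP only; shared hosting, verify the hostname"
    else:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": host,
            "dst_ip": m["dst"], "confidence": confidence, "reason": reason}


def scan(lines):
    """Classify every line and return the findings, highest confidence first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [c for c in map(classify, lines) if c]
    return sorted(hits, key=lambda h: order[h["confidence"]])


# Constructed log lines (no real traffic); hostnames other than the IoCs are placeholders.
SAMPLE_LOG = [
    "2023-08-01T09:14:02Z 10.0.0.21 POST https://fmaildd.000webhostapp.com/wp-admin/ZimbraNew.php 145.14.144.174 200",
    "2023-08-01T09:15:10Z 10.0.0.21 GET https://www.example.org/ 203.0.113.10 200",
    "2023-08-01T09:16:33Z 10.0.0.33 POST https://unlisted-host.invalid/wp-admin/ZimbraNew.php 198.51.100.7 200",
    "2023-08-01T09:17:41Z 10.0.0.40 GET https://other-tenant.invalid/index.html 145.14.145.248 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["confidence"], hit["client"], hit["host"], "-", hit["reason"])
```

The medium tier is what catches the next wave: the article's URLs all end in the same path, so a POST to that path on a host not yet in the list is worth a look even before the IoC table is updated, whereas the low tier only tells you which clients talked to a shared server that also hosts a listed IoC.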


MITRE ATT&CK

This table was built using version 13 of the MITRE ATT&CK framework.





Tactic | ID | Name | Description
Resource Development | T1586.002 | Compromise Accounts: Email Accounts | The adversary used previously compromised email accounts for campaign spreading.
Resource Development | T1585.002 | Establish Accounts: Email Accounts | The adversary created new email accounts to facilitate the campaign.
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | The campaign was spread by malicious HTML files in email attachments.
Execution | T1204.002 | User Execution: Malicious File | A successful attack relies on the victim clicking on a malicious file in the attachment.
Persistence | T1136 | Create Account | The adversary created new email accounts on compromised Zimbra instances for further spreading of the phishing campaign.
Collection | T1056.003 | Input Capture: Web Portal Capture | The adversary captured credentials entered into a fake login page.
Exfiltration | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | The adversary exfiltrated passwords by POST requests sent over the HTTPS protocol.
