ESET Research
ESET researchers have observed a new phishing campaign targeting users of the Zimbra Collaboration email server.
August 17, 2023
•
,
5 minutes. read
ESET researchers discovered a large-scale phishing campaign, aimed at harvesting Zimbra account user credentials, active since at least April 2023 and still ongoing. The Zimbra collaboration is a open core collaborative software platform, a popular alternative to enterprise email solutions. The campaign spreads on a large scale; its targets are a variety of small and medium-sized businesses and government entities.
According to ESET telemetry, the largest number of targets are in Poland, followed by Ecuador and Italy. Target organizations vary: adversaries are not focused on a specific vertical, with the only thing connecting victims being that they use Zimbra. To date, we have not attributed this campaign to any known threat actors.
Figure 1. Countries hit by the campaign, according to ESET telemetry
First, the target receives an email containing a phishing page in the attached HTML file. As shown in Figures 2, 3, and 4, the email notifies the target of an email server update, account deactivation, or similar issue and asks the user to click on the attached file. The adversary also usurps the From: email field to appear as an administrator of the mail server.
Figure 2. Lure warning via email in Polish about deactivation of target’s Zimbra account
Figure 3. Automatic translation of decoy email, initially into Polish
Figure 4. Email lure in Italian; the meaning is the same as in figure 3
After opening the attachment, the user is presented with a fake Zimbra login page customized based on the targeted organization, as shown in Figure 5. The HTML file is opened in the victim’s browser, which could make the victim believe that they were directed to the legitimate login page, even if the URL points to a local file path. Note that the username The field is pre-populated in the login form, making it more legitimate.
In Figure 6, we provide an example of a legitimate Zimbra webmail login page for comparison.
In the background, the submitted credentials are collected from the HTML form and sent via HTTPS POST request to an adversary-controlled server (Figure 7). Destination URLs for POST requests use the following pattern: https://
Figure 7. Code snippet responsible for POST request exfiltrating target credentials
Interestingly, on several occasions we observed subsequent waves of phishing emails sent from Zimbra accounts of previously targeted legitimate companies, such as donotreply(redacted)@(redacted).com. It is likely that the attackers managed to compromise the victim’s administrator accounts and create new mailboxes which were then used to send phishing emails to other targets. One explanation is that the adversary relies on password reuse by the phished administrator, that is, they use the same credentials for email and administration. The available data do not allow us to confirm this hypothesis.
The campaign observed by ESET relies solely on social engineering and user interaction; however, this is not always the case. During a previous campaign described by Proofpoint in March 2023the APT Winter Vivern group (aka TA473) operated the CVE-2022-27926 vulnerability, targeting webmail portals of military, government and diplomatic entities of European countries. In another example, reported by Volexity in February 2022a group called TEMP_Heretic exfiltrated European government and media emails by abusing another vulnerability (CVE-2022-24682) in the Zimbra Collaboration Calendar feature. In the most recent mention, EclecticIQ Researchers analyzed a campaign similar to the one described in our blog post. The main difference is that the HTML link leading to the fake Zimbra login page is located directly in the body of the email.
Conclusion
Although this campaign is not as technically sophisticated, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration, which remains an attractive target for adversaries. Adversaries exploit the fact that HTML attachments contain legitimate code and the only revealing element is a link pointing to the malicious host. This way, it is much easier to bypass reputation-based spam policies, compared to phishing techniques where a malicious link is directly placed in the body of the email. Zimbra Collaboration’s popularity among organizations expected to have lower IT budgets ensures that it remains an attractive target for adversaries.
For any inquiries about our research published on WeLiveSecurity, please contact us at menaceintel@eset.com.
ESET Research offers intelligence reports and private APT data feeds. For any inquiries about this service, visit ESET Threat Intelligence page.
CIO
ESET detection names
HTML/Phishing.Gen
Files
We cannot share file IoCs because the samples contain sensitive information.
Network
The hosts used to exfiltrate the collected credentials are hosted on shared servers. Detections based solely on IP addresses could lead to false positives.
|
IP |
Domain |
Hosting Provider |
Seen the first time |
Details |
|
145.14.144(.)174 |
fmaildd.000webhostapp(.)com |
Hostinger International Ltd, NL |
2019-12-31 |
Malicious host used to exfiltrate harvested credentials. |
|
145.14.145(.)248 |
nmailddt.000webhostapp(.)com |
Hostinger International Ltd, NL |
2019-12-31 |
Malicious host used to exfiltrate harvested credentials. |
|
145.14.145(.)122 |
tmaxd.000webhostapp(.)com |
Hostinger International Ltd, NL |
2019-12-31 |
Malicious host used to exfiltrate harvested credentials. |
|
145.14.144(.)58 |
posderd.000webhostapp(.)com |
Hostinger International Ltd, NL |
2019-12-31 |
Malicious host used to exfiltrate harvested credentials. |
|
145.14.145(.)94 |
ridddtd.000webhostapp(.)com |
Hostinger International Ltd, NL |
2019-12-31 |
Malicious host used to exfiltrate harvested credentials. |
|
145.14.145(.)36 |
mtatdd.000webhostapp(.)com |
Hostinger International Ltd, NL |
2019-12-31 |
Malicious host used to exfiltrate harvested credentials. |
|
173.44.236(.)125 |
zimbra.y2kportfolio(.)with |
Eonix Corporation, United States |
2022-05-27 |
Malicious host used to exfiltrate harvested credentials. |
URL
https://fmaildd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://mtatdd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://nmailddt.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://posderd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://ridddtd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://tmaxd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://zimbra.y2kportfolio(.)com/wp/wp-admin/ZimbraNew.php
MIBT&CK ATTACK
This table was constructed using version 13 of the MITER ATT&CK framework.
|
Tactical |
IDENTIFIER |
Name |
Description |
|
Resource development |
Compromised Accounts: Email Accounts |
The adversary used previously compromised email accounts to distribute their campaign. |
|
|
Create accounts: email accounts |
The adversary created new email accounts to facilitate the campaign. |
||
|
Initial access |
Phishing: spearphishing attachment |
The campaign was spread by malicious HTML files in email attachments. |
|
|
Execution |
User execution: malicious file |
A successful attack relies on the victim clicking on a malicious file in the attachment. |
|
|
Persistence |
Create an account |
The adversary created new email accounts on the compromised Zimbra instances to further spread the phishing campaign. |
|
|
Collection |
Input Capture: Web Portal Capture |
The adversary captured the credentials inserted into a fake login page. |
|
|
Exfiltration |
Exfiltration via an alternative protocol: Exfiltration via an asymmetrically encrypted non-C2 protocol |
The adversary exfiltrated the passwords through POST requests sent over the HTTPS protocol. |
