Mass distribution campaign targeting Zimbra users

esteria.white

ESET Research

ESET researchers have observed a new phishing campaign targeting users of the Zimbra Collaboration email server.

Mass distribution campaign targeting Zimbra users

ESET researchers discovered a large-scale phishing campaign, aimed at harvesting Zimbra account user credentials, active since at least April 2023 and still ongoing. The Zimbra collaboration is a open core collaborative software platform, a popular alternative to enterprise email solutions. The campaign spreads on a large scale; its targets are a variety of small and medium-sized businesses and government entities.

According to ESET telemetry, the largest number of targets are in Poland, followed by Ecuador and Italy. Target organizations vary: adversaries are not focused on a specific vertical, with the only thing connecting victims being that they use Zimbra. To date, we have not attributed this campaign to any known threat actors.

Country affected by the campaign

Figure 1. Countries hit by the campaign, according to ESET telemetry

First, the target receives an email containing a phishing page in the attached HTML file. As shown in Figures 2, 3, and 4, the email notifies the target of an email server update, account deactivation, or similar issue and asks the user to click on the attached file. The adversary also usurps the From: email field to appear as an administrator of the mail server.

Zimbra Warning

Figure 2. Lure warning via email in Polish about deactivation of target’s Zimbra account

Translated lure email

Figure 3. Automatic translation of decoy email, initially into Polish

Email lure in Italian

Figure 4. Email lure in Italian; the meaning is the same as in figure 3

After opening the attachment, the user is presented with a fake Zimbra login page customized based on the targeted organization, as shown in Figure 5. The HTML file is opened in the victim’s browser, which could make the victim believe that they were directed to the legitimate login page, even if the URL points to a local file path. Note that the username The field is pre-populated in the login form, making it more legitimate.

Fake connection

Figure 5. Fake Zimbra login page

In Figure 6, we provide an example of a legitimate Zimbra webmail login page for comparison.

Legitimate connection

Figure 6. Legit Zimbra Login Page Example

In the background, the submitted credentials are collected from the HTML form and sent via HTTPS POST request to an adversary-controlled server (Figure 7). Destination URLs for POST requests use the following pattern: https:///wp-admin/ZimbraNew.php

Code snippet

Figure 7. Code snippet responsible for POST request exfiltrating target credentials

Interestingly, on several occasions we observed subsequent waves of phishing emails sent from Zimbra accounts of previously targeted legitimate companies, such as donotreply(redacted)@(redacted).com. It is likely that the attackers managed to compromise the victim’s administrator accounts and create new mailboxes which were then used to send phishing emails to other targets. One explanation is that the adversary relies on password reuse by the phished administrator, that is, they use the same credentials for email and administration. The available data do not allow us to confirm this hypothesis.

The campaign observed by ESET relies solely on social engineering and user interaction; however, this is not always the case. During a previous campaign described by Proofpoint in March 2023the APT Winter Vivern group (aka TA473) operated the CVE-2022-27926 vulnerability, targeting webmail portals of military, government and diplomatic entities of European countries. In another example, reported by Volexity in February 2022a group called TEMP_Heretic exfiltrated European government and media emails by abusing another vulnerability (CVE-2022-24682) in the Zimbra Collaboration Calendar feature. In the most recent mention, EclecticIQ Researchers analyzed a campaign similar to the one described in our blog post. The main difference is that the HTML link leading to the fake Zimbra login page is located directly in the body of the email.

Conclusion

Although this campaign is not as technically sophisticated, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration, which remains an attractive target for adversaries. Adversaries exploit the fact that HTML attachments contain legitimate code and the only revealing element is a link pointing to the malicious host. This way, it is much easier to bypass reputation-based spam policies, compared to phishing techniques where a malicious link is directly placed in the body of the email. Zimbra Collaboration’s popularity among organizations expected to have lower IT budgets ensures that it remains an attractive target for adversaries.

For any inquiries about our research published on WeLiveSecurity, please contact us at menaceintel@eset.com.
ESET Research offers intelligence reports and private APT data feeds. For any inquiries about this service, visit ESET Threat Intelligence page.

CIO

ESET detection names

HTML/Phishing.Gen

Files

We cannot share file IoCs because the samples contain sensitive information.

Network

The hosts used to exfiltrate the collected credentials are hosted on shared servers. Detections based solely on IP addresses could lead to false positives.

IP

Domain

Hosting Provider

Seen the first time

Details

145.14.144(.)174

fmaildd.000webhostapp(.)com

Hostinger International Ltd, NL

2019-12-31

Malicious host used to exfiltrate harvested credentials.

145.14.145(.)248

nmailddt.000webhostapp(.)com

Hostinger International Ltd, NL

2019-12-31

Malicious host used to exfiltrate harvested credentials.

145.14.145(.)122

tmaxd.000webhostapp(.)com

Hostinger International Ltd, NL

2019-12-31

Malicious host used to exfiltrate harvested credentials.

145.14.144(.)58

posderd.000webhostapp(.)com

Hostinger International Ltd, NL

2019-12-31

Malicious host used to exfiltrate harvested credentials.

145.14.145(.)94

ridddtd.000webhostapp(.)com

Hostinger International Ltd, NL

2019-12-31

Malicious host used to exfiltrate harvested credentials.

145.14.145(.)36

mtatdd.000webhostapp(.)com

Hostinger International Ltd, NL

2019-12-31

Malicious host used to exfiltrate harvested credentials.

173.44.236(.)125

zimbra.y2kportfolio(.)with

Eonix Corporation, United States

2022-05-27

Malicious host used to exfiltrate harvested credentials.

URL

https://fmaildd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://mtatdd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://nmailddt.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://posderd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://ridddtd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://tmaxd.000webhostapp(.)com/wp-admin/ZimbraNew.php
https://zimbra.y2kportfolio(.)com/wp/wp-admin/ZimbraNew.php

MIBT&CK ATTACK

This table was constructed using version 13 of the MITER ATT&CK framework.

Tactical

IDENTIFIER

Name

Description

Resource development

T1586.002

Compromised Accounts: Email Accounts

The adversary used previously compromised email accounts to distribute their campaign.

T1585.002

Create accounts: email accounts

The adversary created new email accounts to facilitate the campaign.

Initial access

T1566.001

Phishing: spearphishing attachment

The campaign was spread by malicious HTML files in email attachments.

Execution

T1204.002

User execution: malicious file

A successful attack relies on the victim clicking on a malicious file in the attachment.

Persistence

T1136

Create an account

The adversary created new email accounts on the compromised Zimbra instances to further spread the phishing campaign.

Collection

T1056.003

Input Capture: Web Portal Capture

The adversary captured the credentials inserted into a fake login page.

Exfiltration

T1048.002

Exfiltration via an alternative protocol: Exfiltration via an asymmetrically encrypted non-C2 protocol

The adversary exfiltrated the passwords through POST requests sent over the HTTPS protocol.

Leave a comment