
Zimbra Zero-Day Flaw: Cyber Threat Intelligence Roundup

Zimbra’s new zero-day flaw, a Ursnif malware variant focuses on ransomware and data theft, and a stealthy PowerShell backdoor disguises itself as a Windows update

Emerging Issue

This week, we provide the latest information on CVE-2022-41352, a remote code execution (RCE) bug which allows attackers to plant web shells and other arbitrary content within Zimbra’s Collaboration Suite (ZCS) servers.

We also highlight a new Ursnif variant which represents the latest culmination of the malware family’s evolution from a simple banking trojan to a threat capable of facilitating ransomware and data theft attacks.

Finally, we end with a summary of a PowerShell backdoor that disguises itself as part of a legitimate Windows update process.

1. 900 servers (and counting) hacked via Zimbra exploit

According to Kaspersky, roughly 900 servers have been compromised by various cyber threat actors (including what industry experts have referred to as “advanced APTs”) scanning for and exploiting a critical vulnerability in the Zimbra Collaboration Suite (ZCS) – a flaw which existed as a zero-day with no patch for nearly 1.5 months.

The security bug, tracked as CVE-2022-41352, is an RCE vulnerability enabling threat actors to plant web shells within ZCS servers and bypass antivirus checks via a malicious archive attachment accompanying an email sent by the attacker.

The vulnerability was first reported on September 10, 2022, by a user on Zimbra’s official forums, who posted that their team had detected a security incident originating from a fully patched instance of Zimbra. Upon reviewing the details provided by the user, Zimbra was able to confirm that an unknown vulnerability did indeed allow attackers to upload arbitrary files to up-to-date ZCS servers. The issue is related to the method by which Zimbra’s antivirus engine — known as Amavis — scans inbound emails (Amavis extracts archive attachments with the cpio utility).

Zimbra’s Workaround for CVE-2022-41352

Zimbra’s temporary workaround for CVE-2022-41352 was to install the pax utility and restart the Zimbra services. Pax is installed by default on Ubuntu, thus Ubuntu-based Zimbra installations are reportedly not vulnerable.

For its part, Zimbra has acknowledged the risk of relying on cpio in a blog post in which the company provided recommended mitigations.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“While attribution of the unknown APT responsible for a large portion of these attacks has yet to be determined, CTI has previously observed similar, seemingly random attacks in which web shells were deployed against as many vulnerable servers as possible. In those instances, the vulnerabilities existed within Microsoft Exchange servers, the web shell involved was China Chopper, and the actor responsible was the China-linked HAFNIUM.”

“It remains to be seen what threat group — if any — is linked to this current wave of attacks on Zimbra servers, particularly those located in Central Asia, and whether this adversarial activity is part of a coordinated campaign. What is known is that the activity certainly bears resemblance to historic APT activity in both scale and intensity. As evidenced by multiple CISA advisories, this is not the first instance in which vulnerabilities within Zimbra’s ZCS solution have been the subject of intense interest from various APTs.”

2. New Ursnif malware variant shifts focus to ransomware and data theft

A recent report issued by Mandiant analyzes an apparent shift away from the original purpose and functionality of Ursnif malware.

Over the past few years, researchers have observed Ursnif evolve from a trojan designed to facilitate banking fraud into a more multipurpose malware capable of laying the groundwork for ransomware and data theft attacks.

What is Ursnif and this new malware variant?

Ursnif (aka ISFB – more on that below) is one of the oldest and most successful banking malware families still active today over a decade after its emergence in the cyber threat landscape. The malware’s authors and contributors have produced multiple iterations over the years, and Ursnif is often intertwined with other malware families and variants. Its source code has been leaked at least two separate times since its first major appearance, resulting in additional versions which remain in circulation today.

At this point, Ursnif is not just considered a single malware, but a family of variants. Many researchers today refer to the malware family as Gozi/ISFB. These variants include:

  • ISFB: From the leaked source code of Gozi, and what many Ursnif variants are based on. Active prior to 2014.
  • Dreambot: Mandiant notes this to be one of the most successful variants. Active 2014-2020.
  • IAP: The most actively developed and distributed ISFB branch with frequent malware campaigns targeting Italy. Active 2014-current.
  • RM2: Also widely known as GoziAT, RM2 started its activity years ago alongside the Chanitor malware (aka Hancitor). Active 2016-2021.
  • RM3: Due to its custom executable file format, it is the most sophisticated version to date; it has mostly impacted Oceania and the UK since 2017. Active 2017-2021.
  • LDR4: The newest variant, and what marks the shift from banking fraud to ransomware. Active now.

LDR4 was first observed by Mandiant on June 23, 2022, being delivered with the aid of a recruitment-related phishing lure. The email typically contains a link to a compromised website that redirects the user to a domain masquerading as a legitimate company. After a CAPTCHA challenge, an Excel document is downloaded and presented to victims as a file related to the recruitment lure. The document then downloads and executes the LDR4 payload.

Unlike the previous Ursnif variant, the LDR4 variant no longer uses the custom PX executable format. Researchers believe this choice may have been made to avoid overcomplicating the troubleshooting phase, as malware developers would probably want to focus their efforts on the fine-tuning of the variant’s more important features. This new variant is also very clearly a backdoor, making Ursnif the latest in a long line of malware families to follow in the footsteps of Emotet and TrickBot when it comes to strategy pivots.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The fact that Ursnif or some variant of it remains relevant well over a decade after its initial emergence in the threat landscape clearly proves that its developers can keep up with the constantly shifting trends of the malware industry. The malware’s evolution from banking trojan to backdoor is a prime indicator of its attempts to keep up with the times.”

“However, it seems as though its developers did not take advantage of two prime opportunities: the disruption of Trickbot and Emotet at the hands of dedicated law enforcement task forces. Had Ursnif pivoted during a time when there was a bit of a power vacuum in the threat landscape, it could have experienced tremendous success, in the vein of malware like IcedID. Nonetheless, given the historical sophistication and significant degree of success that Ursnif has experienced, researchers believe this new variant could still be just as dangerous.”

3. Experts warn of stealthy PowerShell backdoor disguising as Windows update

Recent reporting by SafeBreach Labs uncovers what many outlets are touting as a new, “fully undetectable” PowerShell backdoor. This is more than a bit idiosyncratic, given that the backdoor was in fact detected, as evidenced by the various researchers reporting its existence. The previously undocumented backdoor is able to achieve its significant level of stealth by disguising itself as part of a legitimate Windows update process.

About the PowerShell backdoor

The malware itself primarily engages in data exfiltration activities on compromised hosts. The attack observed by SafeBreach Labs began with a malicious Word document that included macro code to launch the PowerShell script. The Word document was titled “Apply Form.docm” and was uploaded from an IP address in Jordan on August 25, 2022. It’s believed that this file is related to a LinkedIn-based job application spear-phishing lure, which we’ve seen a lot of recently. It’s worth noting that macros would have to be enabled within the document for this initial entry point to be successful.

The macro dropper — updater.vbs — creates a scheduled task that pretends to be part of a regular Windows update. The task runs from a fake update folder under %appdata%\local\Microsoft\Windows and launches a PowerShell script from there.
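A defender-side hunting check for the persistence described above, added here as an example (it is not code from SafeBreach Labs or Tanium). Scheduled task definitions are stored as XML under C:\Windows\System32\Tasks; genuine Windows Update tasks run binaries from the system directory, so a task whose action launches a script interpreter from a user's AppData folder is worth flagging no matter what the task is named. The two task definitions below are constructed samples, and the folder name "Update" inside AppData is an assumption.

```python
import pathlib
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
APPDATA_RE = re.compile(r"(%appdata%|%localappdata%|\\AppData\\)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"(powershell|pwsh|wscript|cscript|\.vbs\b|\.ps1\b)", re.IGNORECASE)


def suspicious_actions(task_xml: str):
    """Return (command, arguments) pairs for Exec actions that run a script
    interpreter or script file from an AppData path."""
    root = ET.fromstring(task_xml)
    hits = []
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        wd = exe.findtext("t:WorkingDirectory", default="", namespaces=NS).strip()
        blob = " ".join((cmd, args, wd))
        if APPDATA_RE.search(blob) and SCRIPT_RE.search(blob):
            hits.append((cmd, args))
    return hits


def scan_tasks_dir(tasks_dir: str):
    """Walk a Tasks directory (files are UTF-16 XML) and yield flagged actions."""
    for path in pathlib.Path(tasks_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-16")
            for cmd, args in suspicious_actions(text):
                yield str(path), cmd, args
        except (UnicodeError, OSError, ET.ParseError):
            continue  # not a task definition, or unreadable


# Constructed sample modelled on the backdoor's task: named like an update,
# but it runs a PowerShell script out of a fake folder under AppData.
SAMPLE_BACKDOOR_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Windows Update</Description></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -f %appdata%\local\Microsoft\Windows\Update\updater.ps1</Arguments>
  </Exec></Actions></Task>"""

# Constructed sample modelled on a real Windows Update task: binary from system32.
SAMPLE_UPDATE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\system32\sc.exe</Command><Arguments>start wuauserv</Arguments>
  </Exec></Actions></Task>"""
```

Run scan_tasks_dir on a copy of the Tasks folder from a suspect host to list every task that matches; the sample backdoor task is flagged and the genuine update task is not.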

Threat actor mistake leads to discovery

SafeBreach Labs noted that the threat actor(s) behind the backdoor made a crucial mistake by using predictable sequential victim IDs. Researchers were able to develop a script that pretended to be various compromised victims and recorded the C2 responses in a packet capture file (pcap). They then ran a second tool to extract the encrypted commands from that pcap. This output was piped into CyberChef to decrypt the command for each victim ID/number.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This is only the most recent example of a malicious use of PowerShell script. Earlier this month, we reported on a rare “mouseover” technique for malware delivery. This entire episode should serve as a reminder to both cybercriminals and legitimate developers alike that a seemingly minor error — or feature, as it seems in this case — can have catastrophic results. Regardless, even though the threat actor(s) behind this PowerShell backdoor made a simple mistake in its development that led to its discovery, the backdoor is a sophisticated effort.”

“The malware’s ability to masquerade as part of the Windows update process, as well as its use of social engineering via LinkedIn, indicates a certain level of competency. This activity is also a great reminder that a threat does not need to be all over the news and have a fancy name to make it successful, as this unnamed backdoor already has 60+ victims.”


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
