Mass-spreading marketing campaign concentrating on Zimbra customers

ESET Analysis

ESET researchers have noticed a brand new phishing marketing campaign concentrating on customers of the Zimbra Collaboration e mail server.

Mass-spreading campaign targeting Zimbra users

ESET researchers have uncovered a mass-spreading phishing marketing campaign, aimed toward accumulating Zimbra account customers’ credentials, lively since at the very least April 2023 and nonetheless ongoing. Zimbra Collaboration is an open-core collaborative software program platform, a preferred different to enterprise e mail options. The marketing campaign is mass-spreading; its targets are a wide range of small and medium companies and governmental entities.

In keeping with ESET telemetry, the best variety of targets are positioned in Poland, adopted by Ecuador and Italy. Goal organizations differ: adversaries don’t concentrate on any particular vertical with the one factor connecting victims being that they’re utilizing Zimbra. So far, we now have not attributed this marketing campaign to any recognized risk actors.

Countried hit by the campaign

Determine 1. Nations hit by the marketing campaign, in keeping with ESET telemetry

Initially, the goal receives an e mail with a phishing web page within the hooked up HTML file. As proven in Determine 2, Determine 3 and Determine 4, the e-mail warns the goal about an e mail server replace, account deactivation, or related challenge and directs the consumer to click on on the hooked up file. The adversary additionally spoofs the From: discipline of the e-mail to seem like an e mail server administrator.

Zimbra warning

Determine 2. Lure e mail warning in Polish about deactivation of the goal’s Zimbra account

Translated lure email

Determine 3. Machine translation of lure e mail, initially in Polish

Lure email in italian

Determine 4. Lure e mail in Italian; that means is similar as in Determine 3

After opening the attachment, the consumer is offered with a pretend Zimbra login web page personalized in keeping with the focused group, as proven in Determine 5. The HTML file is opened within the sufferer’s browser, which could trick the sufferer into believing they have been directed to the authentic login web page, though the URL factors to an area file path. Be aware that the Username discipline is prefilled within the login type, which makes it seem extra authentic.

Fake login

Determine 5. Faux Zimbra login web page

In Determine 6 we’re offering an instance of authentic Zimbra webmail login web page for the comparability.

Legitimate login

Determine 6. Instance of a authentic Zimbra login web page

Within the background, the submitted credentials are collected from the HTML type and despatched by HTTPS POST request to a server managed by the adversary (Determine 7). The POST request vacation spot URLs use the next sample: https:///wp-admin/ZimbraNew.php

Code snippet

Determine 7. Code snippet accountable for the POST request exfiltrating targets’ credentials

Curiously, on a number of events we noticed subsequent waves of phishing emails despatched from Zimbra accounts of beforehand focused, authentic firms, similar to donotreply[redacted]@[redacted].com. It’s probably that the attackers have been in a position to compromise the sufferer’s administrator accounts and created new mailboxes that have been then used to ship phishing emails to different targets. One clarification is that the adversary depends on password reuse by the administrator focused by way of phishing – i.e., utilizing the identical credentials for each e mail and administration. From obtainable information we aren’t in a position to affirm this speculation.

The marketing campaign noticed by ESET depends solely on social engineering and consumer interplay; nonetheless, this will likely not at all times be the case. In a earlier marketing campaign described by Proofpoint in March 2023the APT group Winter Vivern (aka TA473) had been exploiting the CVE-2022-27926 vulnerability, concentrating on webmail portals of army, authorities, and diplomatic entities of European nations. In one other instance, reported by Volexity in February 2022a gaggle named TEMP_Heretic exfiltrated emails of European authorities and media organizations by abusing one other vulnerability (CVE-2022-24682) within the Calendar function in Zimbra Collaboration. In the latest point out, EclecticIQ researchers analyzed a marketing campaign just like the one described in our blogpost. The primary distinction is that the HTML hyperlink resulting in the pretend Zimbra login web page is positioned instantly within the e mail physique.


Regardless of this marketing campaign not being so technically subtle, it’s nonetheless in a position to unfold and efficiently compromise organizations that use Zimbra Collaboration, which stays a beautiful goal for adversaries. Adversaries leverage the truth that HTML attachments include authentic code, and the one telltale aspect is a hyperlink pointing to the malicious host. This manner, it’s a lot simpler to avoid reputation-based antispam insurance policies, in comparison with phishing methods the place a malicious hyperlink is instantly positioned within the e mail physique. The recognition of Zimbra Collaboration amongst organizations anticipated to have decrease IT budgets ensures that it stays a beautiful goal for adversaries.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at
ESET Analysis gives non-public APT intelligence reviews and information feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.


ESET detection names



We’re unable to share file IoCs as a result of samples include delicate info.


Hosts used to exfiltrate harvested credentials are hosted on shared servers. Detections based mostly solely on IP addresses might result in false positives.



Internet hosting supplier

First seen




Hostinger Worldwide Ltd, NL


Malicious host used to exfiltrate harvested credentials.



Hostinger Worldwide Ltd, NL


Malicious host used to exfiltrate harvested credentials.



Hostinger Worldwide Ltd, NL


Malicious host used to exfiltrate harvested credentials.



Hostinger Worldwide Ltd, NL


Malicious host used to exfiltrate harvested credentials.



Hostinger Worldwide Ltd, NL


Malicious host used to exfiltrate harvested credentials.



Hostinger Worldwide Ltd, NL


Malicious host used to exfiltrate harvested credentials.



Eonix Company, US


Malicious host used to exfiltrate harvested credentials.




This desk was constructed utilizing version 13 of the MITRE ATT&CK framework.





Useful resource Improvement


Compromise Accounts: E mail Accounts

The adversary used beforehand compromised e mail accounts for marketing campaign spreading.


Set up Accounts: E mail Accounts

The adversary created new e mail accounts to facilitate the marketing campaign.

Preliminary Entry


Phishing: Spearphishing Attachment

The marketing campaign was unfold by malicious HTML recordsdata in e mail attachments.



Consumer Execution: Malicious File

A profitable assault depends on the sufferer clicking on a malicious file within the attachment.



Create Account

The adversary created new e mail accounts on compromised Zimbra situations for additional spreading of the phishing marketing campaign.



Enter Seize: Internet Portal Seize

The adversary captured credentials inserted to a pretend login web page.



Exfiltration Over Various Protocol: Exfiltration Over Uneven Encrypted Non-C2 Protocol

The adversary exfiltrated passwords by POST requests despatched over the HTTPS protocol.

Date: 2023-08-17 05:54:26

Source link



Related articles

Alina A, Toronto
Alina A, Toronto
Alina A, an UofT graduate & Google Certified Cyber Security analyst, currently based in Toronto, Canada. She is passionate for Research and to write about Cyber-security related issues, trends and concerns in an emerging digital world.


Please enter your comment!
Please enter your name here