Need advice from security experts

rcbrei
Posts: 15
Joined: Mon Feb 01, 2021 7:16 pm

Post by rcbrei »

I need help from security experts.

Please tell me what this malware does, what the risks to our business are, and what I can do.

Here is exactly the same malware in an Excel file that was attached to the spoofed emails we received.
https://www.joesandbox.com/analysis/414 ... viceScreen

I cannot find much information about this malware.

Here's what happened.

We have one employee using the webmail from GoDaddy; that employee received the spoofed email first and ran the malicious Excel file,
and the next day her name was used to send emails to our domains in Zimbra (FOSS, behind firewall).
Her name is used but the email address is different (display name spoofing), with the same malicious Excel file attached.
Then more than two employees under Zimbra opened the same email, and now their names are also being used, and the same scenario continues.

Also, what is troubling is that the spoofed email contains messages that the employee used to send before, really pretending to be that employee.
That is one of the main reasons why so many employees got tricked too. Does that mean the spammer can see our previous emails?

Actions I did:

* Blocked the email sender at the email gateway (scrolloutf1/proxmox/firewall) - getting the MX IP, SPF, domain, client sender IP.
  - But I stopped this after I reached blocking 20 IPs; I thought this is impossible, as the spammer used too many domains, IPs and MX servers, and they are not stopping.
* Sent an email to all employees to warn/inform/teach them how to recognize spoofed email. This actually helped to decrease the number of new victims in our company. (This is just a reminder; we have policies that inform them about this, but of course 90% of employees ignore or do not read email policies.)
* Scanned their computers for potential remaining malware. We use Avast. It did not detect the Excel file, though.


What worries me is ransomware, and I don't know if they are already in our servers.
We have a PBX, Zimbra, and a web server.


Please advise what to do, and have you encountered this malware before?
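The pattern described in this post (a known employee's display name on a From: address outside the company domain) can be flagged at the gateway with a simple header check. The following is an added example, not code from the post or from Zimbra; the company domain, the employee directory and the sample messages are constructed for illustration.

```python
"""Flag display-name spoofing: a From: header whose display name matches a
known employee while the address is outside the company domain.
Domain, employee directory and sample messages are constructed."""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # constructed placeholder

# Hypothetical directory: normalized display name -> internal address
EMPLOYEES = {
    "jane doe": "jane.doe@example.com",
    "bob smith": "bob.smith@example.com",
}


def normalize(name: str) -> str:
    # Lower-case, strip quotes and collapse whitespace so minor
    # variations of the same display name still match the directory.
    return " ".join(name.replace('"', "").lower().split())


def check_from(raw_message: str) -> dict:
    """Return a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    known = EMPLOYEES.get(normalize(display_name))
    # Spoofing indicator: the name belongs to an employee but the
    # address the mail actually comes from is not in our domain.
    spoofed = known is not None and domain != COMPANY_DOMAIN
    return {
        "display_name": display_name,
        "address": address,
        "impersonates": known if spoofed else None,
        "verdict": "display-name spoofing" if spoofed else "ok",
    }


# Constructed samples in the shape the post describes: the employee's
# name on an external mailbox, replying to an earlier internal thread.
SPOOFED = ('From: "Jane Doe" <jane.doe@mail-freehost.invalid>\r\n'
           "To: bob.smith@example.com\r\nSubject: Re: invoice Q1\r\n\r\n"
           "see attached\r\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\r\n"
         "To: bob.smith@example.com\r\nSubject: Re: invoice Q1\r\n\r\nhi\r\n")

if __name__ == "__main__":
    for m in (SPOOFED, LEGIT):
        print(check_from(m))
```

An employee who legitimately sends from an outside mailbox, like the GoDaddy webmail user in the post, trips the same rule, so tag or quarantine such mail for review rather than silently dropping it.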