Python/Zimbra.E6FB!tr
Analysis
Python/Zimbra.E6FB!tr is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as Python/Zimbra.E6FB!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This detection is for Python source code that is used to perform attacks through the Zimbra exploit. Zimbra is an email and collaboration platform used by more than 200,000 businesses from over 140 countries, including over 1,000 government and financial organizations.
- Zimbra Collaboration (ZCS) contains flaws in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. The Zimbra auth bypass bug was exploited to breach over 1,000 servers.
- This vulnerability was chained with CVE-2022-37042 and with the Zimbra UnRAR path traversal (CVE-2022-30333), each of which allows unauthenticated remote code execution.
- Following are some of the exact file hashes associated with this detection:
  - Md5: e6fb13bd747c6f0370c08d6bbbce8b9a
  - Sha256: ca0f5b8e2038241415fba603b901534752f2529d4c8d1c1134f97e76d1935fef
Outbreak Alert
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 have mboximport functionality that receives a ZIP archive and extracts its files. By bypassing authentication, an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. The vulnerability exists due to an incomplete fix for CVE-2022-27925.
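The mboximport weakness described above is a ZIP path-traversal problem: archive entries whose names contain `..` components or absolute paths are written outside the mailbox directory the extractor intended. The following added example (not Fortinet's or Zimbra's code) shows the pre-extraction check a defender would apply to such uploads; the sample archive and its member names are constructed for the demonstration.

```python
import io
import posixpath
import zipfile


def is_unsafe_member(name: str) -> bool:
    """True if a ZIP member name could land outside the extraction root."""
    if "\x00" in name:              # an embedded NUL can truncate the path later
        return True
    norm = posixpath.normpath(name.replace("\\", "/"))
    if posixpath.isabs(norm) or norm[1:2] == ":":
        return True                 # absolute path or Windows drive letter
    return norm == ".." or norm.startswith("../")


def scan_archive(data: bytes) -> list[str]:
    """Names of members that must be rejected before the archive is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_member(i.filename)]


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only if every member stays under dest; refuse the whole archive otherwise."""
    bad = scan_archive(data)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_zip() -> bytes:
    """Constructed sample upload: one benign mailbox entry plus two escaping names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inbox/message.eml", "From: sender@example.com\r\n\r\nhello\r\n")
        # ZipInfo is used directly so the names are stored exactly as written.
        zf.writestr(zipfile.ZipInfo("../../outside.txt"), "escapes via ..")
        zf.writestr(zipfile.ZipInfo("/tmp/outside.txt"), "absolute path")
    return buf.getvalue()


if __name__ == "__main__":
    print("rejected members:", scan_archive(build_sample_zip()))
```

Rejecting the entire archive, rather than silently skipping bad entries, keeps the upload from partially succeeding and gives the event a single log line worth alerting on.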
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR