This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts.
Key points of this blogpost:
- In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page.
- In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
- For MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1.
- Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
- We provide an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.
- These payloads are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox.
- Additionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication.
Sednit profile
The Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004. The US Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 US elections and linked the group to the GRU. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents. Sednit has a diversified set of malware tools in its arsenal, several examples of which we have documented previously in our Sednit white paper from 2016.
Links to Sednit
On September 29th, 2023, we detected a spearphishing email, part of Operation RoundPress, sent from katecohen1984@portugalmail[.]pt (envelope-from address). The email exploited CVE‑2023‑43770 in Roundcube. This email address is very similar to the ones used in other Sednit campaigns in 2023, as documented by Unit42 for example.
Leveraging a network scan we ran in February 2022, we found the server 45.138.87[.]250 / ceriossl[.]info, which was configured in the same unique way as 77.243.181[.]238 / global-world-news[.]net. The former was mentioned in a Qianxin blogpost describing a campaign abusing CVE-2023-23397 that attributed it to Sednit. The latter is a domain used in Operation RoundPress in 2023.
Given these two elements, we believe with medium confidence that Operation RoundPress is carried out by Sednit.
Victimology
Table 1 and Figure 1 detail targets of Operation RoundPress in 2024, from ESET telemetry and two samples on VirusTotal.
Most of the targets are related to the current war in Ukraine; they are either Ukrainian governmental entities or defense companies in Bulgaria and Romania. Notably, some of these defense companies are producing Soviet-era weapons to be sent to Ukraine.
Other targets include African, EU, and South American governments.
Table 1. Operation RoundPress victims in 2024
| Date | Country | Sector |
| 2024-05 | Greece | National government. |
| Romania | Unknown (VirusTotal submission). | |
| Ukraine | Specialized Prosecutor’s Office in the Field of Defense of the Western Region (VirusTotal submission). | |
| 2024-06 | Bulgaria | Telecommunications for the defense sector. |
| Cameroon | National government. | |
| Ukraine | Military. | |
| 2024-07 | Ecuador | Military. |
| Ukraine | Regional government. | |
| Serbia | National government. | |
| 2024-09 | Cyprus | An academic in environmental studies. |
| Romania | Defense company. | |
| Ukraine | Military. | |
| 2024-10 | Bulgaria | Defense company. |
| 2024-11 | Bulgaria | Defense company (not the same as in 2024-10). |
| Ukraine | Civil air transport company. | |
| Defense company. | ||
| 2024-12 | Ukraine | State company in the transportation sector. |
Compromise chain
Initial access
In 2023, Sednit was exploiting CVE-2020-35730, a known XSS vulnerability in Roundcube (see this CERT-UA blogpost and this Recorded Future report), which enables the loading of arbitrary JavaScript code in the context of the webmail window.
In 2024, we observed different XSS vulnerabilities being used to target additional webmail software: Horde, MDaemon, and Zimbra. Sednit also started to use a more recent vulnerability in Roundcube, CVE-2023-43770. The MDaemon vulnerability (CVE-2024-11182, now patched) was a zero day, most likely discovered by Sednit, while the ones for Horde, Roundcube, and Zimbra were already known and patched.
Sednit sends these XSS exploits by email. The exploits lead to the execution of malicious JavaScript code in the context of the webmail client web page running in a browser window. Therefore, only data accessible from the victim’s account can be read and exfiltrated.
Note that, in order for the exploit to work, the target must be convinced to open the email message in the vulnerable webmail portal. This means that the email needs to bypass any spam filtering and the subject line needs to be convincing enough to entice the target into reading the email message.
Figure 2 summarizes the compromise chain used in Operation RoundPress.
Generally, the email message looks benign and contains text about news events. For example, on September 11th, 2024, a Ukrainian target received a phishing email from kyivinfo24@ukr[.]net with the subject СБУ схопила банкіра, який працював на ворожу воєнну розвідку в Харкові (machine translation: SBU arrested a banker who worked for enemy military intelligence in Kharkiv). The message body – see Figure 3 – contains excerpts (in Ukrainian) and links to articles from Kyiv Post, a well-known newspaper in Ukraine. The malicious code that triggers the XSS vulnerability is inside the HTML code of the email message’s body and is not directly visible to the user.
Another example is an email from office@terembg[.]com to a Bulgarian target on November 8th, 2024, with the subject Путин се стреми Тръмп да приеме руските условия вдвустранните отношения (machine translation: Putin seeks Trump’s acceptance of Russian conditions in bilateral relations). The message body – see Figure 4 – again contains excerpts (in Bulgarian) and links to articles from News.bg, a legitimate Bulgarian newspaper.
Note that some of these vulnerabilities are not of interest exclusively to this group: GreenCube (also known as UNC3707) and Winter Vivern have been exploiting them as well.
Horde: Unknown exploit
For targets using Horde webmail, we have seen Sednit using an old vulnerability. We were unable to find the exact vulnerability, but it appears to be an XSS flaw that was already fixed in the first version of Xss.php committed to GitHub, and in Horde Webmail 1.0, which was released in 2007.
The intended exploit used by Sednit is shown in Figure 5. Placing malicious JavaScript code in the onerror attribute of an img element is a technique taken straight from the XSS playbook: because the src attribute is x, an undefined value, onerror is called and the payload is base64 decoded and then evaluated using window.parent.eval.
In Horde Webmail version 1.0, the XSS filter removes the style elements and the on* attributes, such as onerror. Thus, we believe that Sednit made a mistake and tried to use a nonworking exploit.
MDaemon: CVE-2024-11182
On November 1st, 2024, we detected an email message sent to two Ukrainian state-owned defense companies and a Ukrainian civil air transport company.
This message exploited a zero-day XSS vulnerability in MDaemon Email Server, in the rendering of untrusted HTML code in email messages. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1, which was released on November 14th, 2024; we then issued CVE-2024-11182 for it.
The exploit used by Sednit is shown in Figure 6. Just as for Horde, it relies on a specially crafted img element, but uses a bug in the MDaemon HTML parser where a noembed end tag inserted within the title attribute of a p element tricks the parser into rendering the immediately succeeding img tag.
Roundcube: CVE-2023-43770
For targets using Roundcube webmail: in 2023, Sednit used the XSS vulnerability CVE‑2020‑35730, while in 2024, it switched to CVE-2023-43770.
The more recent vulnerability was patched on September 14th, 2023 in this GitHub commit. The fix is in a regex in the rcube_string_replacer.php script. The exploit used by Sednit is quite simple and is depicted in Figure 7.
In rcube_string_replacer.php, URLs are converted to hyperlinks, and the hyperlink text is what is expected to be provided between the outer set of square brackets. The bug lies in the fact that the hyperlink text is not properly sanitized, allowing the characters < and >. This enables an attacker to provide JavaScript code contained between <script> and </script>, which is directly added to the page when the email is rendered in Roundcube.
Zimbra: CVE-2024-27443 / ZBUG-3730
For Zimbra, Sednit uses CVE-2024-27443 (also tracked as ZBUG-3730). It was patched on March 1st, 2024 in this GitHub commit, in the ZmInviteMsgView.js file. The vulnerability lies in failing to sanitize the cif (calendar intended for) attribute, in a calendar invitation sent by email.
The cif attribute is populated from the email header X-Zimbra-Calendar-Intended-For. Before the patch, the value was directly added to the Zimbra HTML page without sanitization. This allowed the execution of malicious JavaScript code in the context of the webmail browser window.
The exploit code that we found in this header is the following:
Zimbra Calendar<img/alt=””/src=”https://www.welivesecurity.com/en/eset-research/operation-roundpress/Zimbra-Calendar”/onerror=\”window[(function(tmz){ghwa=”cxe”;return ‘\\x65’+decodeURI(‘%76′)+’\\x61\\x6c’})()](window[(function(jvqka){const kqd=decodeURI(‘%61’)+’\t’+decodeURI(‘%6F’)+’\\x62′; oykbg=’doix’; return kqd})()](frames[0].document.getElementById(‘a-cashed-skinLayout2’)[‘\inn\e\r\T\e\xt’]))\”>
The beautified code contained in the onerror attribute is:
window[‘eval’](window[(function(jvqka){‘atob'()](frames[0].document.getElementById(‘a-cashed-skinLayout2’)[‘innerText’]))
Basically, this reads the text contained in a div element, identified by ID a-cashed-skinLayout2, that is present in the body of the calendar invite. This div element uses the style attribute with the value display:none so that it is not visible to the target. The inner text contains base64-encoded JavaScript code that is run using eval.
Persistence
The JavaScript payloads (SpyPress) loaded by the XSS vulnerabilities don’t have true persistence, but they are reloaded every time the victim opens the malicious email.
In addition, we detected a few SpyPress.ROUNDCUBE payloads that have the ability to create Sieve rules. SpyPress.ROUNDCUBE creates a rule that will send a copy of every incoming email to an attacker-controlled email address. Sieve rules are a feature of Roundcube and therefore the rule will be executed even if the malicious script is no longer running.
Credential access
All SpyPress payloads have the ability to steal webmail credentials by trying to trick the browser or password manager to fill webmail credentials into a hidden form. In addition, some samples also try to trick the victim by logging them out of their webmail account and displaying a fake login page.
Collection and exfiltration
Most SpyPress payloads collect email messages and contact information from the victim’s mailbox. The data is then exfiltrated via an HTTP POST request to a hardcoded C&C server.
Toolset
In 2024, we have observed Sednit using four payloads in Operation RoundPress: SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. They are injected into the victims’ webmail context using XSS vulnerabilities, as explained above.
The four payloads have common characteristics. All are similarly obfuscated, with variable and function names replaced with random-looking strings – see Figure 8. Furthermore, strings used by the code, such as webmail and C&C server URLs, are also obfuscated and contained in an encrypted list. Each of those strings is only decrypted when it is used. Note that the variable and function names are randomized for each sample, so the final SpyPress payloads will have different hashes.
Another common characteristic is that there are no persistence or update mechanisms. The payload is fully contained in the email and only executed when the email message is viewed from a vulnerable webmail instance.
Finally, all payloads communicate with their hardcoded C&C servers via HTTP POST requests. There is a small number of C&C servers that are shared by all payloads (there is no separation by victim or payload type).
SpyPress.HORDE
SpyPress.HORDE is the JavaScript payload injected into vulnerable Horde webmail instances. Once deobfuscated, and functions and variables are manually renamed, it reveals its main functionality: collecting and exfiltrating user credentials.
Capabilities
To steal credentials, as shown in Figure 9, SpyPress.HORDE creates two HTML input elements: horde_user and horde_pass. Their width and opacity are set to 0%, ensuring that they are not visible to the user. The goal is to trick browsers and password managers into filling those values. Note that a callback for the change event is created on the input horde_pass. This calls the function input_password_on_change as soon as the input element loses focus after its value is changed.
Then, input_password_on_change exfiltrates the data by calling C2_POST_Request, as can be seen in Figure 10.
Network protocol
The C&C URL is hardcoded in the script (see Figure 10) and the exfiltration is done via an HTTPS POST request.
The body data has a specific format that is sent base64 encoded. For example, bWVAdmljdGltLm9yZyA6OiBweAoKbXl1c2VybmFtZSBteXBhc3N3b3Jk decodes to:
me@victim.org :: px
myusername mypassword
where px probably means password exfiltration.
Note that the HTTP request is made by the victim’s browser, so HTTP headers such as the User-Agent will vary from victim to victim.
SpyPress.MDAEMON
SpyPress.MDAEMON is a JavaScript payload injected into vulnerable MDaemon webmail instances. Once deobfuscated, it reveals more functionality than what was implemented in SpyPress.HORDE:
- credential stealing (very similar to the SpyPress.HORDE implementation),
- exfiltration of contacts and login history,
- exfiltration of email messages,
- exfiltration of the two-factor authentication secret, and
- creation of an App Password, which enables attackers to access the mailbox from a mail application and to bypass 2FA protection.
Capabilities
Credential stealer
The credential stealer of SpyPress.MDAEMON is almost identical to that of SpyPress.HORDE – see Figure 11. The only difference is the name of the input fields, which are User and Password, to match the official names used in the MDaemon software.
Contacts and login history
SpyPress.MDAEMON obtains the victim’s login history from https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Options-Authentication&GetLoginHistory=Yes, and exfiltrates the content to the hardcoded C&C server. It uses the same function used in the credential stealer part to send an HTTP POST request to the C&C server, but instead of px, it uses ab as the message type.
Then, as shown in Figure 12, the script obtains the victim’s contact list from https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Contacts. This list, and the associated email addresses (in the eml JavaScript property), are then exfiltrated to the C&C server.
Email message exfiltration
SpyPress.MDAEMON browses the victim’s mailbox folders, as shown in Figure 13, and filters out a hardcoded list of folders the attackers are not interested in: calendar, notes, documents, contacts, tasks, allowed senders, and blocked senders.
Then, for each folder, as shown in Figure 14, SpyPress.MDAEMON iterates over the pages and then over all messages in each page, before exfiltrating each email to the C&C server.
To get a list of email messages in a given folder page, SpyPress.MDAEMON fetches https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=List&ReturnJavaScript=1&FolderID=<folder_ID>&Sort=RevDate&Page=<page>&UTF8=1.
Then, it iterates over this list and fetches https://<webmail_URL>/WorldClient.dll?Session=<session_ID>& View=Message&Source=Yes&Number=<email_ID>&FolderId=<folder_ID> to get the source of each email.
Finally, the email source is exfiltrated via an HTTP POST request to the C&C server, using the message type mail-<folder_name>-<email_ID>. An HTTP POST request is made for each exfiltrated email, and thus it will create a large amount of network traffic.
Note that the script maintains a list of exfiltrated emails, thereby avoiding the exfiltration several times.
Also note that the obfuscator seems to have introduced errors in the script. In the function download_all_messages_from_folder, is_folder_limit is a real variable name that was left unobfuscated. However, it is not used anywhere in the code.
Two-factor authentication secret
SpyPress.MDAEMON exfiltrates the victim’s two-factor authentication secret – see Figure 15. It first fetches https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Options-Authentication&TwoFactorAuth=Yes&GetSecret=Yes to get the secret, and then sends it to the C&C server, using the message type 2fa.
To view the secret, the password is required, which SpyPress.MDAEMON gets from the fake login form it created. This secret is equivalent to the QR code mentioned in MDaemon documentation and it can be used to register the account in an authentication app, to then generate a valid 2FA code for the victim’s account. Because SpyPress.MDAEMON acquires the password and the 2FA secret, attackers will be able to log into the account directly.
App Password creation
In addition to stealing the 2FA secret, SpyPress.MDAEMON creates an App Password (see the documentation). This password can be used in an email client to send and receive messages, without having to enter the 2FA code, even if 2FA is activated for the account. Note that MDaemon webmail doesn’t seem to require a 2FA code to generate a new application password.
As shown in Figure 16, SpyPress.MDAEMON fetches https://<webmail_URL>/WorldClient.dll?Session=<session_ID>&View=Options-Authentication&CreateAppPassword=1s to create a new application password. The reply is this password, which is exfiltrated to the C&C server with the message type create-app.
In other words, this application password enables attackers to add the email account directly to their own email client. They can thereby keep access to the mailbox even if the main password of the victim’s account is changed or if the 2FA code is changed.
Network protocol
SpyPress.MDAEMON uses the same network protocol as SpyPress.HORDE.
SpyPress.ROUNDCUBE
SpyPress.ROUNDCUBE is the JavaScript payload injected into vulnerable Roundcube webmail instances. Once deobfuscated, it reveals similar functionalities to what is implemented in SpyPress.MDAEMON:
- credential stealing,
- exfiltration of the address book and the about page,
- exfiltration of emails, and
- malicious Sieve rules.
Capabilities
Credential stealer
The credential stealer of SpyPress.ROUNDCUBE has two features. The first one is almost identical to the credential stealer of SpyPress.HORDE and SpyPress.MDAEMON. The only difference is the name of the input fields, which are _user and _pass, to match the official names used in the Roundcube software.
The second feature is slightly more intrusive. SpyPress.ROUNDCUBE creates an iframe, as shown in Figure 17, with the src attribute set to https://<webmail_URL>/?_task=logout&_token=<CSRF_token>. This logs the victim out, forcing them to reenter their credentials. SpyPress.ROUNDCUBE adds a callback on the submit button of the genuine login form. Finally, the credentials are exfiltrated to the hardcoded C&C server using the message type pax-fish.
Note that the CSRF token is retrieved from the variable rcmail.env.request_token. The rcmail global variable is managed and filled by the Roundcube instance, and accessible in the JavaScript context that SpyPress.ROUNDCUBE is running in.
Exfiltration of the address book and the about page
SpyPress.ROUNDCUBE fetches the address book at
https://<webmail_URL>/?_task=addressbook&_source=0&_action=export&&_token=<CSRF_token> and sends the raw output to the C&C server.
Similarly, SpyPress.ROUNDCUBE fetches the about page at https://<webmail_URL>/?_task=settings&_framed=1&_action=about and sends the raw output to the C&C server.
That page contains information about the Roundcube version and the plugins installed, as shown in Figure 18.
Email message exfiltration
SpyPress.ROUNDCUBE starts the email exfiltration routine every 7,200 seconds (two hours).
First, it gets the list of mailboxes from the global variable rcmail.env.mailboxes. Then, it iterates over all those mailboxes; for each of them, it iterates over the pages to get the email message IDs by fetching https://<webmail_URL>/?_task=mail&_action=list&_mbox=<mailbox_name>&_refresh=1&_remote=1&_page=<current_page>. Note that SpyPress.ROUNDCUBE adds the HTTP header X-Roundcube-Request, which contains the CSRF token.
Also note that there is a lower bound time hardcoded in the script, 6:02:03 am, October 1st, 2024 in the specific script sample we analyzed, and only emails more recent than this are exfiltrated.
The source of each email message is fetched from
https://<webmail_URL>/?_task=mail&_mbox=<mailbox>&_uid=<email_ID>&_action=viewsource and then exfiltrated to the C&C server.
Note that if SpyPress.ROUNDCUBE has exfiltrated more than 150 emails in a row, it stops the exfiltration until the next execution of the email exfiltration routine (two hours later). This is probably done to limit the noise on the victim’s network and avoid detection.
Malicious Sieve rules
In some SpyPress.ROUNDCUBE samples, there is additional functionality related to Sieve rules – see Figure 19. SpyPress.ROUNDCUBE creates a rule that sends a copy of every incoming email message to an attacker-controlled email address (srezoska@skiff[.]com in this case). Skiff was a privacy-oriented email service that provided end-to-end encryption.
Network protocol
SpyPress.ROUNDCUBE uses the same network protocol as SpyPress.HORDE.
SpyPress.ZIMBRA
SpyPress.ZIMBRA is the JavaScript payload injected into vulnerable Zimbra webmail instances. Once deobfuscated, it reveals similar functionalities to the previous payloads:
- credential stealing,
- exfiltration of contacts and settings, and
- exfiltration of email messages.
Capabilities
Credential stealer
The credential stealer of SpyPress.ZIMBRA is almost identical to those of SpyPress.HORDE and SpyPress.MDAEMON. The only difference is the name of the input fields, which are username and password, to match the official names used in the Zimbra software.
Exfiltration of contacts and settings
SpyPress.ZIMBRA fetches the victim’s contact list by making a SOAP request to the Zimbra API endpoint https://<webmail_URL>/service/soap/SearchRequest. As shown in Figure 20, the search query is contained in a dictionary that it is sent to the Zimbra server in the body of a POST request. Finally, SpyPress.ZIMBRA exfiltrates the raw output to the C&C server.
SpyPress.ZIMBRA also exfiltrates to the C&C server the content of the global variable ZmSetting, which contains various configuration and preference values. This is similar to SpyPress.ROUNDCUBE, which exfiltrates the about page.
Email exfiltration
Every 14,400 seconds (four hours), using the setInterval function, this payload starts its email exfiltration routine.
As for the previous payloads, SpyPress.ZIMBRA first lists the folders, then iterates over the first 80 emails in each folder via a SOAP request to https://<webmail_URL>/service/soap/SearchRequest. For each message, the script fetches the source at https://<webmail_URL>/service/home/~/?auth=co&view=text&id=<email_ID> and then exfiltrates the email message source – see Figure 21.
Network protocol
SpyPress.ZIMBRA uses the same network protocol as SpyPress.HORDE.
Conclusion
Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern. Because many organizations don’t keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
| 41FE2EFB38E0C7DD10E6 |
N/A | JS/Agent.RSO | SpyPress.ZIMBRA. |
| 60D592765B0F4E08078D |
N/A | JS/Exploit.Agent.NSH | XSS exploit for CVE-2023-43770. |
| 1078C587FE2B246D618A |
N/A | JS/Exploit.Agent.NSH | SpyPress.ROUNDCUBE. |
| 8EBBBC9EB54E216EFFB4 |
N/A | HTML/Phishing.Agent.GNZ | XSS exploit for CVE-2024-11182. |
| F95F26F1C097D4CA3830 |
N/A | HTML/Phishing.Agent.GNZ | SpyPress.MDAEMON. |
| 2664593E2F5DCFDA9AAA |
N/A | JS/Agent.SJU | Probable XSS exploit for Horde. |
| B6C340549700470C6510 |
N/A | JS/Agent.SJU | SpyPress.HORDE. |
| 65A8D221B9ECED76B9C1 |
N/A | HTML/Phishing.Gen | SpyPress.ROUNDCUBE. |
| 6EF845938F064DE39F4B |
N/A | N/A | Email exploiting CVE-2023-43770, found on VirusTotal. |
| 8E6C07F38EF920B5154F |
N/A | JS/Agent.RSP | SpyPress.ROUNDCUBE. |
| AD3C590D1C0963D62702 |
N/A | JS/Agent.RSN | SpyPress.ZIMBRA. |
| EBF794E421BE60C95320 |
N/A | JS/Agent.RTD | SpyPress.ROUNDCUBE. |
| F81DE9584F0BF3E55C6C |
N/A | JS/Agent.RWO | SpyPress.ROUNDCUBE. |
| A5948E1E45D50A8DB063 |
N/A | JS/Exploit.Agent.NSG | XSS exploit for CVE-2023-43770. |
Network
| IP | Domain | Hosting provider | First seen | Details |
| 185.225.69[.]223 | sqj[.]fr | 23VNet Kft. | 2024‑06‑01 | SpyPress C&C server. |
| 193.29.104[.]152 | tgh24[.]xyz tuo[.]world |
GLOBALAXS NOC PARIS | 2024‑06‑04 | SpyPress C&C server. |
| 45.137.222[.]24 | lsjb[.]digital | Belcloud Administration | 2024‑07‑03 | SpyPress C&C server. |
| 91.237.124[.]164 | jiaw[.]shop | HOSTGNOME LTD | 2023‑09‑28 | SpyPress C&C server. |
| 185.195.237[.]106 | hfuu[.]de | Network engineer | 2024‑06‑03 | SpyPress C&C server. |
| 91.237.124[.]153 | raxia[.]top | Damien Cutler | 2024‑06‑03 | SpyPress C&C server. |
| 146.70.125[.]79 | rnl[.]world | GLOBALAXS NOC PARIS | 2024‑06‑07 | SpyPress C&C server. |
| 89.44.9[.]74 | hijx[.]xyz | M247 Europe SRL | 2024‑07‑05 | SpyPress C&C server. |
| 111.90.151[.]167 | ikses[.]net | Shinjiru Technology Sdn Bhd | 2024‑12‑01 | SpyPress C&C server. |
MITRE ATT&CK techniques
This table was built using version 17 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Sednit bought domains at various registrars. |
| T1583.004 | Acquire Infrastructure: Server | Sednit rented servers at M247 and other hosting providers. | |
| T1587.004 | Develop Capabilities: Exploits | Sednit developed (or acquired) XSS exploits for Roundcube, Zimbra, Horde, and MDaemon. | |
| T1587.001 | Develop Capabilities: Malware | Sednit developed JavaScript stealers (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) to steal data from webmail servers. | |
| Initial Access | T1190 | Exploit Public-Facing Application | Sednit exploited known and zero-day vulnerabilities in webmail software to execute JavaScript code in the context of the victim’s webmail window. |
| Execution | T1203 | Exploitation for Client Execution | SpyPress payloads are executed when a victim opens the malicious email in a vulnerable webmail client page. |
| Defense Evasion | T1027 | Obfuscated Files or Information | SpyPress payloads are obfuscated with an unknown JavaScript obfuscator. |
| Credential Access | T1187 | Forced Authentication | SpyPress payloads can log out users to entice them into entering their credentials in a fake login form. |
| T1556.006 | Modify Authentication Process: Multi-Factor Authentication | SpyPress.MDAEMON can steal the 2FA token and create an application password. | |
| Discovery | T1087.003 | Account Discovery: Email Account | SpyPress payloads get information about the email account, such as the contact list. |
| Collection | T1056.003 | Input Capture: Web Portal Capture | SpyPress payloads try to steal webmail credentials by creating a hidden login form, to trick the browser and password managers into filling the credentials. |
| T1119 | Automated Collection | SpyPress payloads automatically collect credentials and email messages. | |
| T1114.002 | Email Collection: Remote Email Collection | SpyPress payloads collect and exfiltrate emails, from the victim’s mailbox. | |
| T1114.003 | Email Collection: Email Forwarding Rule | SpyPress.MDAEMON adds a Sieve rule to forward any incoming email to an attacker-controlled email address. | |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | C&C communication is done via HTTPS. |
| T1071.003 | Application Layer Protocol: Mail Protocols | In case of email forwarding rules, the exfiltration is done via email. | |
| T1132.001 | Data Encoding: Standard Encoding | Data is base64 encoded before being sent to the C&C server. | |
| Exfiltration | T1020 | Automated Exfiltration | SpyPress payloads automatically exfiltrate credentials and email messages to the C&C server. |
| T1041 | Exfiltration Over C2 Channel | SpyPress payloads exfiltrate data over the C&C channel. |
