Fancy Bear SpyPress XSS Campaign

Operation RoundPress is a cyberespionage campaign by Fancy Bear that exploits XSS vulnerabilities in webmail systems to deploy SpyPress malware, primarily targeting Ukrainian government entities and defense contractors. The campaign expanded globally in 2024, exploiting both zero-day and known vulnerabilities across multiple webmail platforms. #OperationRoundPress #SpyPress #FancyBear

Keypoints

  • Operation RoundPress deploys SpyPress malware via spearphishing and XSS vulnerabilities to steal email data from targeted webmail servers.
  • A zero-day XSS vulnerability in MDaemon (CVE-2024-11182) was exploited in 2024 for SpyPress deployment.
  • Primary targets include Ukrainian government organizations and defense contractors in Bulgaria and Romania involved with Soviet-era weaponry.
  • The campaign also affects government entities in Africa, the European Union, and South America, indicating broad geopolitical reach.
  • SpyPress is deployed against webmail platforms such as Roundcube, Horde, MDaemon, and Zimbra through platform-specific vulnerabilities.
  • Fancy Bear, linked to the Russian GRU, has operated since at least 2004 and employs sophisticated malware and phishing techniques for espionage.
  • Notable Fancy Bear tactics include look-alike domains, zero-day exploits, and persistent access tools like CompuTrace.

MITRE Techniques

  • [T1566] Phishing – Spearphishing emails were used to deliver the SpyPress JavaScript payload. (“Fancy Bear uses spearphishing to deliver SpyPress”)
  • [T1059.007] Command and Scripting Interpreter: JavaScript – SpyPress uses malicious JavaScript injected via XSS vulnerabilities to exfiltrate email data. (“deploys SpyPress malware via cross-site scripting (XSS) vulnerabilities”)
  • [T1203] Exploitation for Client Execution – Zero-day and known XSS vulnerabilities including CVE-2024-11182 in MDaemon were exploited to execute JavaScript. (“A zero-day XSS vulnerability (CVE-2024-11182) in MDaemon was exploited”)
  • [T1136.001] Create Account: Local Account – Look-alike domains were used for credential harvesting and maintaining persistence. (“Fancy Bear uses look-alike domains to facilitate credential harvesting”)
  • [T1071.001] Application Layer Protocol: Web Protocols – Command and control communications used HTTP and DNS protocols to exfiltrate data. (“Their command-and-control infrastructure combines HTTP and DNS protocols”)

Indicators of Compromise

  • [File Hash] Samples associated with SpyPress malware activity – 335b1cd7708284fc1c2c6678f2f8d6737d68935ec992d680ff540f2e72774665, 625e4c166c7a1d5a1becf56b27d4f76a2f95935cbd8d556c30a493263d10dbf8
  • [CVE] Vulnerabilities exploited – CVE-2024-11182 (MDaemon zero-day XSS), CVE-2023-43770 (Roundcube XSS)

Read more: https://blog.polyswarm.io/fancy-bears-spypress-malware