Unknown threat actors have been observed attempting to exploit a patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.
Russian cyber security company Positive Technologies said it discovered last month that the email was sent to an unidentified government organization located in a Commonwealth of Independent States (CIS) country. However, it should be noted that the message was originally sent in June 2024.
“The email appeared to be a plain text message containing only an attached document,” the report said said in an analysis published earlier this week.
“However, the mail client did not show the attachment. The body of the email contained special tags with the eval(atob(…)) statement, which decodes and executes JavaScript code.”
The chain of attacks, according to Positive Technologies, is an attempted exploit CVE-2024-37383 (CVSS score: 6.1), saved cross-site script (XSS) vulnerability through Animated SVG attributes that allow arbitrary JavaScript to be executed in the context of the victim’s web browser.
In other words, a remote attacker can download arbitrary JavaScript code and gain access to sensitive information simply by forcing an email recipient to open a specially crafted message. The question since then it’s decided in versions 1.5.7 and 1.6.7 as of May 2024.
“By inserting the JavaScript code as the value for ‘href’, we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email,” Positive Technologies noted.
The JavaScript payload in this case stores an empty Microsoft Word attachment (“Road map.docx”) and then proceeds to retrieve messages from the mail server using the ManageSieve plugin. It also displays a login form in an HTML page that is displayed to the user to trick victims into providing their credentials to Roundcube.
At the final stage, the received information about the username and password is transferred to a remote server (“libcdn(.)org“), hosted by Cloudflare.
It is currently unclear who is behind the exploit, although previous flaws discovered in Roundcube have been exploited several hacker groups such as APT28, Winter Vivern and TAG-70.
“While Roundcube Webmail may not be the most widely used email client, it remains a target for hackers due to its widespread use by government agencies,” the company said. “Attacks against this software can cause significant damage, allowing cybercriminals to steal sensitive information.”
