25 October 2023

Winter Vivern APT exploits Roundcube zero-day in attacks on European entities

Cyberespionage group Winter Vivern (UAC-0114, TA473) has been observed exploiting a zero-day XSS flaw in Roundcube Webmail in attacks on servers belonging to Europe-based governmental entities and a think tank, according to ESET researchers.

Tracked as CVE-2023-5631, the targeted vulnerability is a cross-site scripting issue that allows a remote attacker to execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Besides CVE-2023-5631, which Winter Vivern has been exploiting since October 11, 2023, the threat actor has also taken advantage of an older Roundcube XSS vulnerability (CVE-2020-35730), ESET said.

Winter Vivern has been active since at least 2020, targeting governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor. While the group has not been linked to any particular government, security researchers say that the threat actor's targeting aligns with Russian and/or Belarusian geopolitical goals related to the Russia-Ukraine war.

ESET said it “believes with low confidence” that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group first detailed in August 2023.

According to researchers, Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022.

The group's most recent campaign involved phishing messages impersonating the Outlook Team in an attempt to trick potential victims into opening malicious emails. Once the email is opened, a first-stage JavaScript payload is triggered that exploits the Roundcube email server bug.

“In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required,” ESET explained.

The final JavaScript payload lists folders and emails in the current Roundcube account, and exfiltrates email messages to the command-and-control (C&C) server.

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube,” the researchers noted. “Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”
