Unknown threat actors exploit Roundcube Webmail flaw in phishing campaign

Hackers exploited a now-patched Roundcube Webmail flaw in a phishing campaign designed to steal the credentials of users of the open-source webmail software.

Researchers from Positive Technologies warn that unknown threat actors have attempted to exploit a now-patched vulnerability, tracked as CVE-2024-37383 (CVSS score: 6.1), in the open-source Roundcube webmail software.

The attackers have exploited the flaw as part of a phishing campaign aimed at stealing the credentials of Roundcube users.

In September 2024, Positive Technologies discovered an email sent to a governmental organization in a CIS country. Analysis of the timestamps indicates that the email was sent in June 2024. The message body was empty; it contained only an attached document that was not visible in the email client.

The body of the email contained distinctive tags with the statement eval(atob(…)), which the attackers used to decode a Base64-encoded JavaScript payload and execute it. The researchers noticed that the SVG animate attribute attributeName="href " carries an extra trailing space, a telltale sign that the email was an attempt to exploit CVE-2024-37383 in Roundcube Webmail.


The vulnerability affects Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7. An attacker can exploit it to conduct cross-site scripting (XSS) attacks via SVG animate attributes. The flaw was addressed in versions 1.5.7 and 1.6.7, released in May 2024.

An attacker who tricks a recipient into opening a specially crafted email in a vulnerable Roundcube client can execute arbitrary JavaScript code in the context of the recipient's browser session, with no further interaction required beyond opening the message.

“When an extra space is added to the ‘href’ attribute name, the syntax will not be filtered and will appear in the final document. Before this, it will be formatted as {attribute name} = {attribute value},” reads the report published by Positive Technologies. “By inserting JavaScript code as the value for ‘href’, we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email.”
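To make the bypass concrete, the following is an added example written for this article in JavaScript; it is neither Roundcube's own sanitizer (washtml) nor code from the Positive Technologies report. It models the failure mode in a toy washer: an exact-string check on an SVG animation's attributeName that "href " slips past, next to a hardened check that normalises the name (trim and lowercase) and also refuses animated values that resolve to a javascript: URL, plus a detector that scans a mail body for the evasion pattern. The element and attribute lists, the function names and the three sample bodies are all constructed for the demo; the sample payload only decodes to alert(1).

```javascript
// Added example: a toy model of the CVE-2024-37383 bypass, not Roundcube code.
// Everything here (lists, names, samples) is constructed for illustration.

const BLOCKED_TARGETS = new Set(['href', 'xlink:href']); // never animate these
const ANIMATION_ELEMENTS = new Set(['animate', 'set']);
const TAG_RE = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
const ATTR_RE = /([^\s=\/"'<>]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Attribute names are lowercased (HTML is case-insensitive), but values are
// kept exactly as written, so attributeName="href " retains its trailing space.
function parseAttrs(body) {
  const attrs = {};
  const re = new RegExp(ATTR_RE.source, 'g');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// True if any ';'-separated animation value is a javascript: URL, ignoring
// whitespace and control characters that browsers tolerate inside the scheme.
function hasScriptUrl(raw) {
  return raw.split(';').some(v =>
    v.replace(/[\s\x00-\x1f]/g, '').toLowerCase().startsWith('javascript:'));
}

function animatedValues(attrs) {
  return ['values', 'from', 'to', 'by'].map(k => attrs[k] || '').join(';');
}

// Vulnerable check: exact comparison, so "href " is not recognised as href.
function isBlockedAnimationVulnerable(name, attrs) {
  if (!ANIMATION_ELEMENTS.has(name)) return false;
  return BLOCKED_TARGETS.has(attrs.attributename || '');
}

// Hardened check: normalise the target name before comparing, and refuse a
// script URL in the animated values regardless of which attribute is named.
function isBlockedAnimationHardened(name, attrs) {
  if (!ANIMATION_ELEMENTS.has(name)) return false;
  const target = (attrs.attributename || '').trim().toLowerCase();
  return BLOCKED_TARGETS.has(target) || hasScriptUrl(animatedValues(attrs));
}

// Strip every animation start tag the supplied check rejects.
function washAnimations(html, isBlocked) {
  return html.replace(new RegExp(TAG_RE.source, 'g'), (tag, name, body) =>
    isBlocked(name.toLowerCase(), parseAttrs(body)) ? '' : tag);
}

// Detection: report animate/set elements whose normalised target is a blocked
// attribute, flagging whether the raw name differs (whitespace/case evasion)
// and whether the animated values carry a javascript: URL.
function findAnimateHrefEvasion(html) {
  const findings = [];
  const re = new RegExp(TAG_RE.source, 'g');
  let m;
  while ((m = re.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (!ANIMATION_ELEMENTS.has(name)) continue;
    const attrs = parseAttrs(m[2]);
    const raw = attrs.attributename || '';
    const target = raw.trim().toLowerCase();
    if (!BLOCKED_TARGETS.has(target)) continue;
    findings.push({
      element: name,
      rawTarget: raw,
      evasion: raw !== target,
      scriptUrl: hasScriptUrl(animatedValues(attrs)),
    });
  }
  return findings;
}

// Constructed sample bodies; the payload decodes to alert(1) and is only a marker.
const PAYLOAD = `javascript:eval(atob('YWxlcnQoMSk='))`;
const SAMPLES = {
  benign: `<svg><circle r="5"><animate attributeName="opacity" values="0;1" dur="1s"/></circle></svg>`,
  plain: `<svg><a><animate attributeName="href" values="${PAYLOAD}"/></a></svg>`,
  evasion: `<svg><a><animate attributeName="href " values="${PAYLOAD}"/></a></svg>`,
};

for (const [label, body] of Object.entries(SAMPLES)) {
  console.log(label, 'vulnerable washer keeps animate:',
    washAnimations(body, isBlockedAnimationVulnerable).includes('<animate'),
    'hardened washer keeps animate:',
    washAnimations(body, isBlockedAnimationHardened).includes('<animate'),
    'findings:', JSON.stringify(findAnimateHrefEvasion(body)));
}
```

Run with node: the plain sample is stripped by both washers, the benign opacity animation survives both, and only the "href " sample passes the vulnerable check while being caught by the hardened one. The detector is the piece worth lifting into a mail-gateway or log-review rule: a normalised target of href combined with a raw name that differs from it is exactly the artefact the researchers spotted in the captured message.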

The researchers also published proof-of-concept (PoC) exploit code for the vulnerability.

The JavaScript payload used in the attack saves an empty Word document ("Road map.docx") and retrieves messages from the mail server via the ManageSieve plugin.

The attack then injects a fake login form into Roundcube's interface, capturing the user's credentials and sending them to an attacker-controlled server (libcdn.org). The domain was registered in 2024.

“Vulnerabilities in Roundcube Webmail have been a frequent target for cybercriminals. The latest such attack was a campaign linked to the Winter Vivern group, which exploited the XSS vulnerability in Roundcube to target government organizations in several European countries. However, based on the available information, the attack described in this article cannot be linked to known actors,” concludes the report. “While Roundcube Webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies. Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information.”


Pierluigi Paganini

(SecurityAffairs – hacking, Roundcube)