Russian state hackers exploit WinRAR vulnerability

The Russian state-affiliated hacker group APT29 is exploiting the CVE-2023-38831 vulnerability in WinRAR 6.23 and older versions, combining “old-school phishing and new cloaking capabilities”, according to an alert from the Ukrainian National Security and Defense Council (NDSC).

The Ukrainian NDSC reports that APT29 hackers have been actively exploiting the WinRAR vulnerability CVE-2023-38831 for attacks against European countries since October of this year. Attacks using this vulnerability occurred in Azerbaijan, Greece, Romania and Italy, among others, explicitly targeting Ukrainian embassies.

WinRAR vulnerability

The WinRAR vulnerability allows attackers to craft RAR and ZIP archives that deliver malicious payloads. Through ‘old school’ phishing, recipients are enticed to download and unpack these archives, for example an e-mail attachment posing as a PDF advertisement for a (BMW) car.

The malicious payload is triggered when the victim opens a seemingly legitimate file in the archive, such as a PNG or JPEG image. Opening this manipulated image causes PowerShell code to be downloaded, which in turn downloads and executes the malicious payload.
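As an added defensive illustration (not code from the NDSC alert or the article), the following Python heuristic scans a ZIP archive for the publicly documented CVE-2023-38831 layout: a decoy document whose name, ignoring a trailing space, also exists as a directory that holds a script-type member. The sample archives it builds are constructed test fixtures with placeholder content, not real indicators.

```python
"""Heuristic scanner for archives laid out like a CVE-2023-38831 lure."""
import io
import posixpath
import zipfile

# Extensions WinRAR would hand to the shell when the look-alike path is opened.
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".com"}
# Harmless-looking document types typically used as the decoy the victim opens.
DECOY_EXTS = {".png", ".jpg", ".jpeg", ".pdf", ".txt", ".docx"}


def _ext(name):
    """Extension of a member name, ignoring any trailing space."""
    return posixpath.splitext(name.rstrip(" "))[1].lower()


def find_lookalike_entries(names):
    """Return (decoy, script) pairs from a list of archive member names.

    A hit is a top-level decoy file whose name, once the trailing space is
    ignored, also exists as a directory holding a script-type member."""
    files = [n for n in names if not n.endswith("/")]
    findings = []
    for decoy in files:
        if "/" in decoy or _ext(decoy) not in DECOY_EXTS:
            continue
        base = decoy.rstrip(" ")
        for member in files:
            top, sep, rest = member.partition("/")
            if sep and rest and top.rstrip(" ") == base and _ext(rest) in SCRIPT_EXTS:
                findings.append((decoy, member))
    return findings


def scan_zip_bytes(data):
    """Scan an in-memory ZIP; returns the same pairs as find_lookalike_entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_lookalike_entries(zf.namelist())


def build_sample(lookalike):
    """Constructed test fixture (not a real indicator): a decoy image next to a
    same-named directory. The 'script' body is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("advert.png ", b"\x89PNG placeholder bytes")
        if lookalike:
            zf.writestr("advert.png /advert.png .cmd", b"echo placeholder")
        else:
            zf.writestr("docs/readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, scan_zip_bytes(build_sample(flag)))
```

A benign archive that happens to contain a file and a folder with the same name will also be flagged, so treat hits as a triage signal rather than a verdict.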

Combination with Ngrok technology

In addition to exploiting the WinRAR vulnerability and using traditional phishing, the hackers employ a new technique to disguise contact with the malicious server: a free “Ngrok” static domain through which they reach the command-and-control (C2) server hosted on their Ngrok instance.

This lets them disguise their activity and their communication with compromised systems, and thus carry out their malicious operations without fear of detection.

More signs of exploitation

Ukraine’s NDSC is not the first organization to report the active misuse of CVE-2023-38831. The vulnerability was discovered by Group-IB in April 2023. Since then, for example, ESET and Google have indicated that (state) hackers were actively exploiting this zero-day.

The Ukrainian NDSC has now published a list of indicators, such as PowerShell scripts and e-mail attachments, that can be used to determine whether systems have been attacked via this combined campaign.