Hackers with pro-Russian affiliations are taking advantage of a newly discovered vulnerability in WinRAR in a fresh campaign

Pro-Russian hacking groups have taken advantage of a recently exposed security vulnerability in the WinRAR compression tool as part of a phishing campaign aimed at harvesting credentials from compromised systems.

Cluster25 reported last week, "The attack employs malicious archive files that exploit the recently discovered vulnerability affecting versions of WinRAR compression software prior to 6.23, identified as CVE-2023-38831."

Within the archive, there is a rigged PDF file that, when opened, triggers the execution of a Windows Batch script. This script, in turn, initiates PowerShell commands to create a reverse shell, thereby granting the attacker remote access to the targeted host.
Additionally, a PowerShell script is deployed to extract data, including login credentials, from Google Chrome and Microsoft Edge browsers. The stolen information is transmitted via a legitimate web service called webhook.
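The infection chain above (WinRAR opens an archive, a Batch script runs, and PowerShell is spawned from it) leaves a recognisable parent-child process pattern. The following is an added detection example, not code from Cluster25 or the original report; the event fields and the sample telemetry are constructed for illustration, and the version cut-off is the 6.23 fix level named in the article.

```python
"""Flag the WinRAR -> cmd.exe (.bat/.cmd) -> PowerShell process chain in endpoint telemetry."""
from dataclasses import dataclass
from typing import List, Tuple

# CVE-2023-38831 affects WinRAR releases prior to 6.23 (per the article).
FIXED_VERSION = (6, 23)


@dataclass
class ProcEvent:
    """Minimal process-creation record; field names are an assumption of this example."""
    pid: int
    ppid: int
    image: str      # executable file name
    cmdline: str    # full command line


def winrar_is_vulnerable(version: str) -> bool:
    """True when the reported WinRAR version (e.g. "6.22") is older than 6.23."""
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    return major_minor < FIXED_VERSION


def suspicious_chains(events: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """Return (winrar_pid, cmd_pid, powershell_pid) for every chain where WinRAR.exe
    spawned cmd.exe running a .bat/.cmd file that in turn spawned PowerShell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image.lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image.lower() != "cmd.exe":
            continue
        if not any(ext in parent.cmdline.lower() for ext in (".bat", ".cmd")):
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is not None and grandparent.image.lower() == "winrar.exe":
            hits.append((grandparent.pid, parent.pid, ev.pid))
    return hits


# Constructed sample telemetry (not real logs): a benign archive open and one matching chain.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "WinRAR.exe", '"C:\\Program Files\\WinRAR\\WinRAR.exe" invoice.zip'),
    ProcEvent(210, 200, "AcroRd32.exe", "AcroRd32.exe C:\\Temp\\invoice.pdf"),
    ProcEvent(300, 100, "WinRAR.exe", '"C:\\Program Files\\WinRAR\\WinRAR.exe" report.zip'),
    ProcEvent(310, 300, "cmd.exe", 'cmd.exe /c "C:\\Temp\\report.bat"'),
    ProcEvent(320, 310, "powershell.exe", "powershell.exe -c <constructed placeholder>"),
]

if __name__ == "__main__":
    for chain in suspicious_chains(SAMPLE):
        print("WinRAR -> cmd -> PowerShell chain, pids:", chain)
```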

CVE-2023-38831 pertains to a significant security flaw in WinRAR that permits attackers to execute arbitrary code when attempting to view a benign file within a ZIP archive. In August 2023, Group-IB revealed that this vulnerability had been exploited as a zero-day since April 2023 in attacks directed at traders.

These developments coincide with Mandiant, owned by Google, monitoring the rapidly evolving phishing operations of the Russian nation-state actor APT29. Their targets primarily consist of diplomatic entities, and the pace of operations increased with a particular focus on Ukraine in the first half of 2023.

The substantial modifications to APT29's tools and tactics are likely intended to support their increased operational tempo and scope while making forensic analysis more challenging. The use of various infection chains across different operations is notable.

APT29, which has been associated with cloud-focused exploitation, is one of the numerous threat clusters originating from Russia that have intensified their focus on Ukraine since the beginning of the conflict early last year.

In July 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed Turla to attacks employing Capibar malware and the Kazuar backdoor for espionage operations targeting Ukrainian defense assets.

Trend Micro, in a recent report, stated, "The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives. Turla has continuously developed its tools and techniques over the years and is likely to keep refining them."

Ukrainian cybersecurity agencies revealed last month that Kremlin-backed threat actors targeted domestic law enforcement entities to gather information related to Ukrainian investigations into war crimes committed by Russian soldiers.

"In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), [and] UAC-0107 (CyberArmyofRussia)," as reported by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).

As a result of security enhancement efforts, CERT-UA recorded 27 critical cyber incidents in the first half of 2023, marking a significant reduction from 144 in the second half of 2022 and 319 in the first half of 2022. In total, the number of destructive cyberattacks affecting operations dropped from 518 to 267.