Pro-Russian hacking groups have recently been observed exploiting a newly disclosed security flaw in the WinRAR archiving utility as part of a phishing campaign whose primary objective is to harvest credentials from compromised systems. Cluster25, in a report published last week, stated, "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831."
The archive used in the attack contains a decoy PDF file. Because of the flaw, opening that PDF from within WinRAR instead runs a Windows Batch script bundled in the archive, which executes PowerShell commands to open a reverse shell and so gives the attacker remote access to the targeted host. Alongside this, a PowerShell script is deployed that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The stolen data is then exfiltrated through the legitimate web service webhook[.]site.
CVE-2023-38831 is a high-severity flaw in WinRAR that allows attackers to execute arbitrary code when a user attempts to view a benign-looking file, such as a PDF or an image, within a ZIP archive; it was fixed in WinRAR 6.23. Group-IB revealed in August 2023 that the bug had been weaponized as a zero-day since April 2023 in attacks aimed at traders.
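The archive layout behind this bug, a decoy document with a trailing space in its name beside a folder of the same name holding a script named after the decoy, lends itself to a static check before an archive is ever opened. The following Python script is an added example and is not code from Cluster25, Group-IB or the WinRAR project; it builds a constructed archive in that layout, builds a benign one for comparison, and scans both. The executable-extension list and the `scan_archive`, `build_sample_archive` and `build_benign_archive` names are this example's own assumptions.

```python
"""Heuristic scan of a ZIP archive for the CVE-2023-38831 name-collision layout.

Added example, not Cluster25's, Group-IB's or WinRAR's code. It looks for the
publicly described shape of these archives: a decoy document whose name ends
in a space, beside a folder with the same name that holds a script named after
the decoy. The sample archives below are constructed here for the demo.
"""
from __future__ import annotations

import io
import posixpath
import zipfile

# Extensions Windows hands to a script or program host. The list is an
# assumption of this example, not something the article enumerates.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js",
                   ".wsf", ".ps1", ".lnk", ".hta"}


def _index_entries(names: list[str]) -> tuple[list[str], dict[str, list[str]]]:
    """Split entry names into file entries and a folder -> direct children map.

    Folders are derived from path prefixes because a ZIP need not carry an
    explicit directory entry for every folder it contains.
    """
    files: list[str] = []
    children: dict[str, list[str]] = {}
    for name in names:
        if name.endswith("/"):            # explicit directory entry
            children.setdefault(name.rstrip("/"), [])
            continue
        files.append(name)
        parent, base = posixpath.split(name)
        children.setdefault(parent, []).append(base)
    return files, children


def scan_archive(data: bytes) -> list[dict]:
    """Return one finding per decoy file that has a same-named sibling folder
    containing an executable payload named after the decoy."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    files, children = _index_entries(names)
    findings = []
    for name in files:
        parent, base = posixpath.split(name)
        key = base.rstrip(" ").lower()    # compare as if the trailing space were dropped
        for folder, members in children.items():
            if folder == "":               # "" holds top-level files, it is not a folder
                continue
            f_parent, f_base = posixpath.split(folder)
            if f_parent != parent or f_base.rstrip(" ").lower() != key:
                continue
            payloads = [
                m for m in members
                if posixpath.splitext(m)[1].lower() in EXECUTABLE_EXTS
                and m.lower().startswith(key)
            ]
            if payloads:
                findings.append({
                    "decoy": name,
                    "folder": folder,
                    "payloads": payloads,
                    "trailing_space": base.endswith(" ") or f_base.endswith(" "),
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive in the malicious layout: decoy PDF + same-named folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf ", b"%PDF-1.4\n% decoy, constructed for the demo\n")
        zf.writestr("Invoice.pdf /Invoice.pdf .cmd",
                    b"@echo off\r\nrem constructed placeholder, runs nothing\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed benign archive: a document plus an unrelated folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n")
        zf.writestr("attachments/notes.txt", b"nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()),
                        ("benign", build_benign_archive())):
        print(label, scan_archive(blob))
```

Run it directly to print both scans. Because folders are derived from the path prefixes of file entries, the check also works on archives whose central directory carries no explicit directory records. It is a triage heuristic for a mail gateway or sandbox queue, not a substitute for upgrading WinRAR to 6.23, and a name collision without a trailing space is reported too so that analysts can judge it.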
Google-owned Mandiant has been tracking the rapidly evolving phishing operations of the Russian nation-state actor APT29, which have primarily targeted diplomatic entities. These operations increased significantly in frequency and scope in the first half of 2023, with a particular focus on Ukraine. The substantial changes in APT29's tooling and tradecraft are "likely designed to support the increased frequency and scope of operations and hinder forensic analysis," the company said.
APT29, which has also been linked to cloud-focused exploitation, is one of many activity clusters originating from Russia that have targeted Ukraine since the onset of the war early last year. In July 2023, Ukraine's Computer Emergency Response Team (CERT-UA) accused Turla of using the Capibar malware and Kazuar backdoor in espionage attacks on Ukrainian defense assets. Trend Micro recently reported, "The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives."
Ukrainian cybersecurity agencies reported last month that Kremlin-backed threat actors targeted domestic law enforcement entities to gather information about Ukrainian investigations into war crimes committed by Russian soldiers. The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) named several groups active in 2023, including UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), and UAC-0107 (CyberArmyofRussia). CERT-UA recorded a decrease in "critical" cyber incidents in the first half of 2023 compared with both the first and the second half of 2022.