APT29, a Russian state-sponsored hacking group, is exploiting the CVE-2023-38831 vulnerability in WinRAR in a new campaign. The group, also tracked as UNC3524, NobleBaron, Dark Halo, NOBELIUM, Cozy Bear, CozyDuke, and SolarStorm, has been targeting embassies with a lure about a BMW car for sale. CVE-2023-38831 affects WinRAR versions before 6.23 and lets an attacker craft .RAR and .ZIP archives in which opening an apparently harmless document, such as a PDF, quietly runs a script bundled in the archive: the archive pairs the decoy file with a folder of the same name, and vulnerable WinRAR launches the script inside that folder instead of the decoy. The flaw had been exploited since April by threat actors targeting cryptocurrency and stock trading forums.
The National Security and Defense Council of Ukraine (NSDC) reported this week that APT29 has been distributing a malicious ZIP archive that, once the victim opens the decoy, runs a script in the background; the script displays a PDF lure while downloading PowerShell code that in turn fetches and executes the final payload. The archive, built around a decoy named "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf", has been used against targets in several countries, including Azerbaijan, Greece, Romania, and Italy. APT29 used the same BMW car advertisement lure earlier this year against diplomats in Ukraine, at that time delivering ISO payloads through HTML smuggling.
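The archive layout described above (decoy file plus a same-named folder holding a script) is something a mail gateway or sandbox can check for before a user ever double-clicks. The following scanner is an added example written for this article; it is not code from the NSDC report or from the researchers cited here. It builds a constructed in-memory ZIP with a made-up decoy name ("invoice.pdf ") and a placeholder batch file, then flags the pattern; the set of "executable" extensions is an assumption of the example, not a list from the report.

```python
import io
import posixpath
import zipfile

# Extensions Windows will execute when vulnerable WinRAR launches the wrong entry.
# This list is an assumption for the example; extend it for your environment.
EXECUTABLE_EXTS = {
    ".cmd", ".bat", ".exe", ".com", ".ps1", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".scr", ".pif", ".lnk", ".hta", ".msi",
}


def find_38831_hits(archive_bytes: bytes) -> list[dict]:
    """Return one dict per decoy/payload pair matching the CVE-2023-38831 layout.

    Layout: a top-level file (the decoy, e.g. "x.pdf ") plus a directory with
    the same name (trailing spaces ignored) holding an executable whose name
    starts with the decoy's name. This is a heuristic for the public exploit
    pattern, not a re-implementation of WinRAR's extraction logic.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
    hits = []
    decoys = [n for n in names if "/" not in n]          # top-level files only
    for decoy in decoys:
        base = decoy.rstrip()                            # trailing space is the classic trick
        if not base:
            continue
        for entry in names:
            folder, sep, leaf = entry.partition("/")
            if not sep or not leaf or "/" in leaf:
                continue                                 # not a direct child of a top-level dir
            if folder.rstrip() != base:
                continue                                 # directory name must match the decoy
            ext = posixpath.splitext(leaf.rstrip())[1].lower()
            if leaf.startswith(base) and ext in EXECUTABLE_EXTS:
                hits.append({"decoy": decoy, "payload": entry})
    return hits


def build_sample_archive() -> bytes:
    """Constructed in-memory archive mirroring the exploit layout (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\necho placeholder\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """A file and a same-named folder with nothing executable inside: must not fire."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("report.pdf/notes.txt", b"just text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()),
                        ("benign", build_benign_archive())):
        print(label, find_38831_hits(data))
```

The check is deliberately strict (same base name, executable extension, direct child of the folder) to keep false positives low on ordinary archives; a file and folder that merely share a name is common and harmless, as the benign case shows. Archives that only contain this pattern are worth quarantining regardless of whether the recipient's WinRAR is patched.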
In these attacks, APT29 paired the old phishing lure with a new way of reaching its command and control (C2) infrastructure. The NSDC reports that the operators used Ngrok's free static domains, a feature Ngrok announced on August 16, to expose the C2 server running behind their Ngrok instance. "In this nefarious tactic, they utilize Ngrok's services by utilizing free static domains provided by Ngrok, typically in the form of a subdomain under 'ngrok-free.app.' These subdomains act as discreet and inconspicuous rendezvous points for their malicious payloads," the National Security and Defense Council of Ukraine said. A subdomain under a widely used developer service blends in with legitimate traffic and hides the real address of the attacker's server, which makes the C2 channel harder to spot and to block than a purpose-registered domain or a bare IP.
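Because the C2 rendezvous point is a hostname under an Ngrok tunnel domain, DNS logs are the cheapest place to hunt for it. The snippet below is an added example for this article, not code from the NSDC report: it runs over constructed Zeek dns.log records (JSON format) and groups tunnel lookups by client. Only ngrok-free.app is named in the report; the other suffixes in the list are Ngrok's other tunnel domains and are included as an assumption of the example, as are all hostnames and addresses in the sample log.

```python
import json

# Suffixes under which Ngrok hands out tunnel hostnames. ngrok-free.app is the one
# the NSDC report names; the rest are added here as an assumption for broader coverage.
NGROK_TUNNEL_SUFFIXES = ("ngrok-free.app", "ngrok.app", "ngrok.io", "ngrok.dev")


def is_ngrok_tunnel(hostname: str) -> bool:
    """True for <label>.<suffix>; the bare suffix and ngrok.com itself do not count."""
    host = hostname.strip().rstrip(".").lower()
    return any(host.endswith("." + s) for s in NGROK_TUNNEL_SUFFIXES)


def find_ngrok_queries(log_lines) -> dict[str, set[str]]:
    """Map each client IP to the set of Ngrok tunnel hostnames it looked up.

    Input: Zeek dns.log lines in JSON format (one record per line). Blank lines,
    comment lines and malformed records are skipped rather than aborting the hunt.
    """
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        query = rec.get("query")
        if query and is_ngrok_tunnel(query):
            src = rec.get("id.orig_h", "?")
            hits.setdefault(src, set()).add(query.lower().rstrip("."))
    return hits


# Constructed sample log: hostnames and addresses are made up for this example.
SAMPLE_DNS_LOG = """\
{"ts":1700000000.1,"id.orig_h":"10.0.0.12","query":"tidy-raccoon-1234.ngrok-free.app","qtype_name":"A"}
{"ts":1700000001.2,"id.orig_h":"10.0.0.12","query":"login.microsoftonline.com","qtype_name":"A"}
{"ts":1700000002.3,"id.orig_h":"10.0.0.21","query":"api.ngrok.com","qtype_name":"A"}
{"ts":1700000003.4,"id.orig_h":"10.0.0.12","query":"abc123.ngrok.io","qtype_name":"A"}
{"ts":1700000004.5,"id.orig_h":"10.0.0.40","query":"tidy-raccoon-1234.ngrok-free.app.","qtype_name":"A"}
"""

if __name__ == "__main__":
    for src, domains in sorted(find_ngrok_queries(SAMPLE_DNS_LOG.splitlines()).items()):
        print(src, sorted(domains))
```

A lookup of a tunnel hostname is a pivot, not proof: developers use Ngrok legitimately, so baseline which hosts normally resolve these domains and treat new sources, or the specific domains listed in the NSDC IoCs, as the alerts. Note that api.ngrok.com is excluded on purpose; the Ngrok agent itself talks to ngrok.com, and that traffic does not identify a tunnel.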
Cybersecurity company Group-IB reported that CVE-2023-38831 was first exploited as a zero-day, and advanced threat actors have since added it to their toolkits. In August, ESET researchers observed attacks attributed to the Russian APT28 group that exploited the flaw in a spearphishing campaign against political entities in the EU and Ukraine, using a European Parliament agenda as the lure. A Google report from October notes that Russian and Chinese state-backed hackers exploited the bug to steal credentials and other sensitive data and to establish persistence on target systems.
The NSDC says the APT29 campaign stands out for combining old and new techniques: the WinRAR vulnerability to deliver the payload and Ngrok services to hide the C2 channel. The agency's report includes indicators of compromise (IoCs), among them filenames and corresponding hashes for the PowerShell scripts and an email file, as well as domains and email addresses. Since the flaw affects WinRAR versions before 6.23, updating to 6.23 or later closes it; defenders can also hunt for DNS or proxy requests to ngrok-free.app subdomains, bearing in mind that the service has plenty of legitimate developer use.