Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.

“The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831,” Cluster25 said in a report published last week.

The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host.

Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook[.]site.

CVE-2023-38831 refers to a high-severity flaw in WinRAR that allows attackers to execute arbitrary code upon attempting to view a benign file within a ZIP archive. Findings from Group-IB in August 2023 disclosed that the bug had been weaponized as a zero-day since April 2023 in attacks targeting traders.

The development comes as Google-owned Mandiant charted Russian nation-state actor APT29’s “rapidly evolving” phishing operations targeting diplomatic entities amid an uptick in tempo and an emphasis on Ukraine in the first half of 2023.

The substantial changes in APT29’s tooling and tradecraft are “likely designed to support the increased frequency and scope of operations and hinder forensic analysis,” the company said, and that it has “used various infection chains simultaneously across different operations.”

Some of the notable changes include the use of compromised WordPress sites to host first-stage payloads as well as additional obfuscation and anti-analysis components.

AT29, which has also been linked to cloud-focused exploitation, is one of the many activity clusters originating from Russia that have singled out Ukraine following the onset of the war early last year.

In July 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated Turla in attacks deploying the Capibar malware and Kazuar backdoor for espionage attacks on Ukrainian defensive assets.

“The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives,” Trend Micro disclosed in a recent report. “Turla has continuously developed its tools and techniques over years and will likely keep on refining them.”

Ukrainian cybersecurity agencies, in a report last month, also revealed that Kremlin-backed threat actors targeted domestic law enforcement entities to collect information about Ukrainian investigations into war crimes committed by Russian soldiers.

“In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), [and] UAC-0107 (CyberArmyofRussia),” the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said.

In what’s seen as an outcome of security hardening efforts, CERT-UA recorded 27 critical cyber incidents in the first half of 2023, compared to 144 in the second half of 2022 and 319 in the first half of 2022. In total, destructive cyber-attacks affecting operations fell from 518 to 267.