Russian hackers continue to exploit the WinRAR flaw for attacks

October 24, 2023

Affiliates of multiple Russian hacking groups have taken advantage of a recently revealed WinRAR flaw.

Based on reports, Russian hackers run these campaigns as phishing operations to collect login credentials from compromised systems. The researchers noted that the attacks rely on malicious archive files that exploit a recently discovered vulnerability in WinRAR versions before 6.23, identified as CVE-2023-38831.

These malicious archives contain a decoy PDF file that, when opened, triggers the execution of a Windows Batch script. That script can launch PowerShell commands to start a reverse shell, granting the attackers remote access to the targeted host.
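The archive layout described above is what CVE-2023-38831 abuses. As an added example that is not part of the article, the Python scanner below flags that layout in a ZIP file; it assumes the publicly documented trigger (a decoy file next to a folder of the same name plus a trailing space, holding a script of the same name plus a trailing space and an executable extension), and the sample archives it builds are constructed, not real samples.

```python
import io
import posixpath
import zipfile

# Assumption (not from the article): CVE-2023-38831 fires when an archive holds a
# benign-looking file (e.g. "report.pdf") beside a directory whose name is the same
# with a trailing space ("report.pdf "), containing a script named like the decoy plus
# a trailing space and an executable extension ("report.pdf .cmd"). A vulnerable WinRAR
# runs the script when the user opens the decoy. Defenders can flag this layout on ingest.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr"}


def find_cve_2023_38831_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, script_entry) pairs whose names collide in the CVE-2023-38831 pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    top_level = {n for n in names if "/" not in n}
    hits = []
    for name in names:
        if "/" not in name:
            continue
        folder, leaf = name.split("/", 1)
        decoy = folder.rstrip()            # "report.pdf " -> "report.pdf"
        if folder == decoy or decoy not in top_level:
            continue                       # no trailing-space collision with a top-level file
        stem, ext = posixpath.splitext(leaf)
        if ext.lower() in SCRIPT_EXTS and stem.rstrip() == decoy:
            hits.append((decoy, name))
    return hits


def build_sample_archives() -> tuple[bytes, bytes]:
    """Constructed inputs: one archive with the malicious layout, one benign archive."""
    bad = io.BytesIO()
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 decoy")
        zf.writestr("report.pdf /report.pdf .cmd", b"rem constructed placeholder\r\n")
    good = io.BytesIO()
    with zipfile.ZipFile(good, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4")
        zf.writestr("notes/readme.txt", b"plain text")
    return bad.getvalue(), good.getvalue()


if __name__ == "__main__":
    malicious, benign = build_sample_archives()
    print("malicious:", find_cve_2023_38831_pairs(malicious))  # one (decoy, script) pair
    print("benign:", find_cve_2023_38831_pairs(benign))        # []
```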

Next, these threat actors employ a PowerShell script to steal data from web browsers like Google Chrome and Microsoft Edge, including login credentials. They would then exfiltrate the stolen data discreetly through a legitimate web service called webhook[.]site.


The cybercriminal campaigns that used the WinRAR flaw have allegedly targeted traders.


The WinRAR flaw (CVE-2023-38831) is a significant security vulnerability that allows attackers to execute arbitrary code when a user attempts to view a seemingly harmless file inside a ZIP archive.

A recent report revealed that the vulnerability had been exploited as a zero-day since April 2023 in attacks targeting traders.

These details seemingly correspond to separate research about the Russian state-sponsored APT29’s rapidly evolving phishing operations focusing on diplomatic entities. Researchers noted a significant increase in these operations, particularly in Ukraine, during the first half of 2023.

APT29 has introduced new changes in its TTPs, presumably to support its activities’ increased frequency and scope and bypass forensic analysis. Some of the noteworthy alterations include the use of compromised WordPress sites for hosting initial-stage payloads and additional measures for obfuscation and anti-analysis.

Furthermore, APT29 is one of several Russian-speaking threat groups running active cybercriminal campaigns against Ukraine since the start of the geopolitical conflict last year.

A few months ago, CERT-UA linked Turla to attacks employing the Capibar malware and the Kazuar backdoor for espionage against Ukrainian defense assets. These Russian threat actors are therefore still upgrading their campaigns against Ukraine while other authorities and researchers focus on the war now unfolding in the Middle East.
