In a targeted phishing campaign designed to extract sensitive credentials from compromised computers, pro-Russian hacking groups have leveraged a recently identified security flaw in the WinRAR archiving software, granting them unauthorized access to systems.

“The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831,” Cluster25 stated in a study that was released last week.

The attack also deploys a PowerShell script capable of extracting valuable data, including login passwords, from both the Google Chrome and Microsoft Edge web browsers. The stolen information is then discreetly transmitted through a seemingly legitimate web service, webhook[.]site.


The critical weakness in WinRAR, identified as CVE-2023-38831, allows malicious actors to execute arbitrary code when a victim attempts to open a seemingly benign file within a ZIP archive. Group-IB’s findings in August 2023 uncovered that this flaw had been employed as a zero-day vulnerability in attacks targeting traders as early as April 2023.
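Two indicators from this report are directly actionable for defenders: the exfiltration to webhook[.]site and the affected WinRAR version range (prior to 6.23). The following Python snippet is an added example, not code from the article or from any of the vendors it cites; it assumes a simple constructed proxy-log format and a constructed WinRAR version inventory.

```python
import re

# Indicator from the report, given in defanged form. Constructed helper: refang()
# turns "webhook[.]site" into a hostname that can be compared against log entries.
EXFIL_DOMAINS = {"webhook[.]site"}

def refang(indicator: str) -> str:
    """Convert a defanged indicator (e.g. webhook[.]site) into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

# Assumed (constructed) proxy-log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

def host_of(url: str) -> str:
    """Extract the hostname from a URL, lower-cased; empty string if none."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def find_exfil(log_lines):
    """Return (client, method, url) for every request whose host is, or is a
    subdomain of, one of the report's exfiltration domains. A look-alike such as
    webhook.site.example.com is deliberately not matched."""
    domains = {refang(d) for d in EXFIL_DOMAINS}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = host_of(m["url"])
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((m["client"], m["method"], m["url"]))
    return hits

def winrar_vulnerable(version: str) -> bool:
    """CVE-2023-38831 affects WinRAR versions prior to 6.23 (per the report).
    Expects dotted versions such as '6.22', '6.23' or '7.00'."""
    return tuple(int(p) for p in version.split(".")) < (6, 23)

# Constructed sample log lines; the webhook.site path is a placeholder, not a real IoC.
SAMPLE_LOG = [
    "2023-09-05T10:14:02Z 10.0.5.23 GET https://update.example.com/check 200",
    "2023-09-05T10:14:09Z 10.0.5.23 POST https://webhook.site/00000000-0000-4000-8000-000000000000 200",
    "2023-09-05T10:15:31Z 10.0.7.8 GET https://webhook.site.example.com/ 404",
    "2023-09-05T10:16:00Z 10.0.5.23 GET https://www.example.org/ 200",
]

if __name__ == "__main__":
    print(find_exfil(SAMPLE_LOG))
    print({v: winrar_vulnerable(v) for v in ("6.22", "6.23", "7.00")})
```

Any hit on webhook.site from a host that also runs a WinRAR build older than 6.23 is worth treating as a credential-theft investigation rather than a benign developer test.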

This recent revelation coincides with a report from Mandiant, a subsidiary of Google, shedding light on the “rapidly evolving” phishing operations of the Russian nation-state actor APT29. Their efforts, notably prioritizing Ukraine, intensified during the first half of 2023, mainly targeting diplomatic entities.


WinRAR Vulnerability

The organization has pointed out that the extensive modifications made to APT29’s tools and techniques are “likely designed to support the increased frequency and scope of operations and hinder forensic analysis.” The group has “used various infection chains simultaneously across different operations.”

Moreover, they have introduced additional layers of obfuscation and anti-analysis measures. A notable enhancement is the utilization of compromised WordPress websites to host the initial-stage payloads, marking a significant shift in their approach.

APT29, associated with cloud-focused exploitation, is among the various activity clusters originating from Russia that have specifically targeted Ukraine since the onset of the conflict last year. APT29’s focus has been on the cloud-based infrastructure of Ukrainian organizations.

In July 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed espionage attacks on Ukrainian defense assets to Turla. The assaults were executed utilizing the Capibar virus and the Kazuar backdoor.

“The Turla organization is a dogged enemy with a protracted history of operations,” according to a recent assessment by Trend Micro. “Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives. Turla has continuously developed its tools and techniques over years and will likely keep on refining them.”

A study published just a month ago by Ukrainian cybersecurity authorities revealed that threat actors with ties to the Kremlin aimed at gathering intelligence from domestic law enforcement agencies. Their objective was to obtain information regarding Ukrainian investigations into war crimes perpetrated by Russian soldiers.

“In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), [and] UAC-0107 (CyberArmyofRussia),” as highlighted by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).

During the first half of 2023, CERT-UA reported 27 “critical” cyber incidents, signalling a significant decrease from the 144 incidents in the second half of 2022 and 319 incidents in the first half of 2022. Notably, the number of destructive cyberattacks impacting operations decreased from 518 to a total of 267.
