Russian Hackers Abuse Ngrok Feature and WinRAR Exploit in Embassy Attacks

Written by Gabby Lee

November 20, 2023


APT29, a state-sponsored Russian hacking group tracked under many aliases (UNC2452, NobleBaron, Dark Halo, NOBELIUM, Cozy Bear, CozyDuke, SolarStorm), has been observed exploiting the CVE-2023-38831 vulnerability in WinRAR to deliver malware to diplomatic targets.

The group is attributed to Russia's Foreign Intelligence Service (SVR); it is distinct from the GRU-linked Sandworm and APT28 (Fancy Bear), though the three are often discussed together. Its latest campaign is notable for pairing a recently patched archive-handling bug with a legitimate commercial tunnelling service.

Zero-Day Exploitation Unleashed

CVE-2023-38831 affects WinRAR versions before 6.23. A crafted ZIP (or RAR) archive places a harmless-looking file, such as a PDF or image, beside a folder with the same name that contains a script; a bug in how WinRAR resolves the matching names means that when the victim double-clicks the decoy, the script in the folder is run. The flaw was exploited as a zero-day from at least April 2023 by financially motivated actors who seeded cryptocurrency and stock trading forums with booby-trapped archives. WinRAR shipped a fix in version 6.23 in August 2023, and APT29 adopted the same exploit afterwards, so its attacks only succeed against victims who have not updated.

BMW Car Sale Lure and Diplomatic Phishing Tactics

The lure is a ZIP archive carrying a PDF named "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf" that advertises a diplomatic car sale. Opening the PDF in a vulnerable WinRAR instead triggers a script hidden in the archive, which displays the decoy PDF while downloading PowerShell code that deploys the final payload. The targets included embassies and other diplomatic entities in Azerbaijan, Greece, Romania, and Italy, consistent with the group's focus on foreign-policy intelligence collection.
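To make the archive layout concrete, the following is an added example (not code from the article or from the NDSC report) that scans a ZIP for the CVE-2023-38831 structure: a decoy file and a same-named directory holding a script whose name begins with the decoy's name. The three sample archives are constructed in memory and only reuse the lure filename quoted above; the list of script extensions is the author's choice.

```python
"""Heuristic scanner for the CVE-2023-38831 archive layout (WinRAR < 6.23).

Exploit pattern: a harmless-looking decoy file sits beside a directory of the
same name (Windows ignores trailing spaces/dots, which the exploit relies on),
and that directory holds a script whose name starts with the decoy's name.
In a vulnerable WinRAR, double-clicking the decoy runs the script.

The sample archives below are constructed for this example; only the lure
filename is taken from the article.
"""
import io
import posixpath
import zipfile

# Extensions a dropped stager is likely to use (author's list, extend as needed).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr", ".hta", ".wsf"}


def _norm(name: str) -> str:
    """Normalize the way Win32 does: drop trailing spaces/dots, ignore case."""
    return name.rstrip(" .").lower()


def find_38831_pattern(zip_bytes: bytes) -> list[dict]:
    """Return one finding per (decoy file, script) pair matching the exploit layout."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        paths = [i.filename for i in zf.infolist() if not i.is_dir()]

    # Index regular files by (normalized parent dir, normalized basename).
    by_parent: dict[str, dict[str, str]] = {}
    for path in paths:
        parent, base = posixpath.split(path)
        by_parent.setdefault(_norm(parent), {})[_norm(base)] = path

    findings = []
    for path in paths:
        parts = path.split("/")
        payload = _norm(parts[-1])
        if posixpath.splitext(payload)[1] not in SCRIPT_EXTS:
            continue
        # Walk every directory component above the script and look for a
        # sibling *file* whose normalized name equals that directory's name.
        for depth in range(1, len(parts)):
            dir_parent = _norm("/".join(parts[:depth - 1]))
            dir_name = _norm(parts[depth - 1])
            decoy = by_parent.get(dir_parent, {}).get(dir_name)
            if decoy is not None and payload.startswith(dir_name):
                findings.append({"decoy": decoy, "payload": path})
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory; zipfile keeps trailing spaces in names as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed: mimics the lure layout (decoy PDF + same-named folder + .cmd).
MALICIOUS_SAMPLE = build_zip({
    "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf ": b"%PDF-1.4 decoy document",
    "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf /DIPLOMATIC-CAR-FOR-SALE-BMW.pdf .cmd":
        b"@echo off\r\nrem stager would run here\r\n",
})

# Constructed: ordinary archive, nothing to flag.
BENIGN_SAMPLE = build_zip({
    "report.pdf": b"%PDF-1.4 real report",
    "images/logo.png": b"\x89PNG fake",
})

# Constructed: same-named file and folder but no script inside (false-positive check).
SAME_NAME_BENIGN = build_zip({
    "notes.txt": b"top level",
    "notes.txt/notes.txt": b"nested copy",
})

if __name__ == "__main__":
    for label, blob in [("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE),
                        ("same-name", SAME_NAME_BENIGN)]:
        print(label, find_38831_pattern(blob))
```

The normalization step matters: real samples use a trailing space after the decoy name ("BMW.pdf " and "BMW.pdf /BMW.pdf .cmd"), so a naive exact-name comparison misses them. The extension filter keeps ordinary archives that happen to contain a file and folder of the same name from being flagged; tune `SCRIPT_EXTS` to whatever your environment will execute on double-click.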


Ngrok Dynamics: A Stealthy Communication Channel

The Ukrainian National Security and Defense Council (NDSC), which analyzed the campaign, draws attention to the command and control (C2) setup. Ngrok offers free static domains (subdomains such as *.ngrok-free.app) that tunnel inbound traffic to whatever host is running the ngrok agent. APT29 placed its C2 server behind such a tunnel, so infected machines beacon to a legitimate, TLS-terminated ngrok hostname rather than to attacker-owned infrastructure. The traffic blends in with the service's many benign users, and defenders are left with no attacker IP to block, only an ngrok domain that the operator can discard and replace at will.
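On the victim side the observable is outbound DNS and HTTPS to ngrok-owned zones, so a simple hunt over DNS or proxy logs catches this channel regardless of which static domain the operator picked. The following is an added example, not code from the NDSC report or the article: the log lines are constructed, and the zone list is the author's assumption about ngrok's public tunnel and agent domains.

```python
"""Hunt for ngrok tunnel hostnames in DNS logs.

Victims in the campaign described above beacon to a public ngrok static
domain. On the victim network the observable is outbound DNS/HTTPS to
ngrok-owned zones, so a suffix match over resolver or proxy logs finds the
channel whatever subdomain the operator chose.

The log lines are constructed for this example. The zone list is the author's
assumption (ngrok's public tunnel zones plus the agent control-plane host).
"""
import re

# Zones ngrok hands out for tunnels, plus the host the ngrok agent dials out to.
NGROK_ZONES = (
    "ngrok-free.app",   # free static domains, as used in this campaign
    "ngrok.app",
    "ngrok.dev",
    "ngrok.io",         # legacy tunnel zone
    "ngrok-agent.com",  # agent control plane: seen from the tunnel *origin*
)

# Constructed sample in the form "<ts> <client_ip> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2023-11-15T09:12:01Z 10.20.4.17 A updates.example.org
2023-11-15T09:12:07Z 10.20.4.17 A quiet-gazelle-123.ngrok-free.app
2023-11-15T09:12:09Z 10.20.4.31 A cdn.example.net
2023-11-15T09:13:40Z 10.20.4.17 A QUIET-GAZELLE-123.NGROK-FREE.APP.
2023-11-15T09:14:02Z 10.20.4.52 A notngrok.io
2023-11-15T09:15:22Z 10.20.4.88 A connect.ngrok-agent.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$")


def is_ngrok_host(hostname: str) -> bool:
    """True if hostname is an ngrok zone or a subdomain of one.

    Comparison is case-insensitive, tolerates a trailing dot (FQDN form), and
    requires a label boundary so 'notngrok.io' does not match 'ngrok.io'.
    """
    h = hostname.rstrip(".").lower()
    return any(h == z or h.endswith("." + z) for z in NGROK_ZONES)


def hunt_ngrok(log_text: str) -> list[dict]:
    """Return one hit per log line whose query name falls in an ngrok zone."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_ngrok_host(m["qname"]):
            continue
        qname = m["qname"].rstrip(".").lower()
        # Distinguish a host *running* the ngrok agent (tunnel origin) from a
        # host merely talking to a tunnel endpoint (the beaconing victim).
        role = "agent control-plane (tunnel origin)" if qname.endswith("ngrok-agent.com") \
            else "tunnel endpoint (C2 rendezvous)"
        hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "role": role})
    return hits


if __name__ == "__main__":
    for hit in hunt_ngrok(SAMPLE_DNS_LOG):
        print(hit)
```

Two points are worth keeping in mind when operationalizing this. First, with HTTPS you will not see URLs or payloads, only the DNS query and the TLS SNI, so the hostname is the signal. Second, an internal host resolving the agent control-plane name is running the ngrok agent itself: that is either someone exposing an internal service, or an attacker-side foothold, and deserves a different response from a host that merely resolved a tunnel endpoint.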

Blurring the Lines: Mixing Old and New Techniques

What stands out is the combination of an off-the-shelf exploit with a legitimate commercial service: the WinRAR bug delivers the payload, and an ngrok tunnel hides the C2 endpoint. Neither technique is new on its own, but together they give the group cheap, disposable and hard-to-attribute infrastructure without writing a single custom exploit.

The Ukrainian NDSC report lists indicators of compromise (IoCs) for the campaign, which defenders can use to hunt for the lure archive and the associated ngrok domains in their own environments.
