APT29, a state-sponsored Russian hacking group also tracked under various aliases (UNC3524, NobleBaron, Dark Halo, NOBELIUM, Cozy Bear, CozyDuke, SolarStorm), has emerged wielding the CVE-2023-38831 vulnerability in WinRAR as a potent weapon in its cyber arsenal.
This sophisticated group, infamous for its association with Sandworm and APT28 (Fancy Bear), is now drawing attention with a novel approach to infiltrating systems.
Zero-Day Exploitation Unleashed
The CVE-2023-38831 security flaw, affecting WinRAR versions prior to 6.23, allows attackers to craft .RAR and .ZIP archives that execute code in the background for malicious purposes. APT29, in a strategic move, has been exploiting this zero-day vulnerability since April, targeting cryptocurrency and stock trading forums with remarkable precision.
BMW Car Sale Lure and Diplomatic Phishing Tactics
Under the guise of an enticing BMW car sale, APT29 has cleverly utilized a malicious ZIP archive titled “DIPLOMATIC-CAR-FOR-SALE-BMW.pdf”. When opened, this archive executes a script in the background, presenting a PDF lure while initiating the download of PowerShell code that ultimately deploys a malicious payload. The targets, spanning countries such as Azerbaijan, Greece, Romania, and Italy, highlight the group’s strategic focus on diplomatic entities.
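The two sections above describe an archive whose decoy “document” triggers a hidden script. As an added example (not code from the article or the NDSC report), the following Python scanner flags ZIP files that carry the CVE-2023-38831 layout: a top-level decoy document next to a directory of the same name (trailing whitespace ignored) containing a script-type entry. The archive names, the extension lists and the placeholder contents are constructed for this illustration.

```python
import io
import zipfile

# Extensions the shell would execute when the same-named decoy is opened.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".lnk")
DOC_EXTS = (".pdf", ".jpg", ".png", ".txt", ".docx", ".xlsx")


def find_exploit_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, script_entry) pairs matching the CVE-2023-38831 layout:
    a top-level decoy document plus a directory whose name equals the decoy
    name once trailing whitespace is ignored, holding a script-type file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    decoys = [n for n in names if "/" not in n and n.rstrip().lower().endswith(DOC_EXTS)]
    for decoy in decoys:
        for entry in names:
            folder, sep, leaf = entry.partition("/")
            if not sep or folder.rstrip() != decoy.rstrip():
                continue
            if leaf.rstrip().lower().endswith(SCRIPT_EXTS):
                hits.append((decoy, entry))
    return hits


def build_sample_archive(decoy: str = "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf") -> bytes:
    """Constructed, harmless archive with the exploit layout (placeholder
    content only) so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy + " ", b"%PDF-1.4 placeholder")
        zf.writestr(f"{decoy} /{decoy} .cmd", "echo placeholder\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed ordinary archive: a document and an unrelated script folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("scripts/setup.cmd", "echo placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        print(name, find_exploit_pairs(data) or "no CVE-2023-38831 layout found")
```

Pointing the scanner at mail-gateway or endpoint quarantine archives gives a cheap pre-filter; a hit is a strong indicator, while a clean result only means this particular layout is absent.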
Ngrok Dynamics: A Stealthy Communication Channel
The Ukrainian National Security and Defense Council (NDSC) sheds light on APT29’s advanced tactics. Leveraging Ngrok’s services, the Russian hackers use a free static domain to reach their command and control (C2) server hosted on their Ngrok instance. This domain acts as a discreet rendezvous point, allowing APT29 to communicate covertly with compromised systems and evade detection.
Blurring the Lines: Mixing Old and New Techniques
What sets APT29 apart is its adept fusion of traditional and innovative techniques. The integration of the WinRAR vulnerability to deliver payloads and the use of Ngrok services for concealed communication with the C2 server showcase the group’s adaptability and cunning approach.
The Ukrainian NDSC report provides crucial indicators of compromise (IoCs), giving cybersecurity teams a roadmap for hunting this threat in their own environments.