Russian APT29 use WinRAR Vulnerability and Ngrok in Recent Embassy Cyberattacks

by | Nov 20, 2023 | News




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

The state-sponsored Russian hacker group APT29, also known as Cozy Bear, has strategically exploited the CVE-2023-38831 vulnerability in WinRAR. Following in the footsteps of Sandworm and APT28, APT29, infamous for its various aliases, including NobleBaron and SolarStorm, has orchestrated targeted attacks on embassy entities, cleverly using a BMW car sale lure. The CVE-2023-38831 flaw, affecting WinRAR versions prior to 6.23, permits the creation of archives executing background code for malicious purposes. This zero-day vulnerability has been actively exploited since April, primarily targeting cryptocurrency and stock trading forums.

According to a report by the Ukrainian National Security and Defense Council (NDSC), APT29’s latest campaign involves a malicious ZIP archive masquerading as a PDF titled “DIPLOMATIC-CAR-FOR-SALE-BMW.pdf.” This lure has been strategically deployed across multiple European countries, including Azerbaijan, Greece, Romania, and Italy. APT29’s intricate tactics include running a script in the background, displaying the PDF lure, and initiating the download of PowerShell code that executes a payload.

BMW car ad from APT29 with WinRAR exploitRussian APT29 hackers use WinRAR bug in BMW car ad for diplomats
source: Ukrainian National Security and Defense Council

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses




Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

What makes this campaign stand out is the fusion of old and new techniques. APT29 has resurrected its BMW car ad phishing lure, previously seen in a May campaign targeting diplomats in Ukraine, combining it with a sophisticated method to communicate with a malicious server. Notably, the Russian hackers utilized Ngrok’s free static domain feature to access the command and control (C2) server hosted on their Ngrok instance, providing discrete rendezvous points for their malicious payloads. This technique enhances their ability to remain undetected while communicating with compromised systems.

This cyber onslaught, as observed by the Ukrainian agency, marks a significant evolution in APT29’s playbook. The WinRAR vulnerability, flagged by cybersecurity experts as a zero-day risk, has become a preferred tool for advanced threat actors. 




APT28, another Russian hacker group, was also identified exploiting the same flaw in spearphishing campaigns targeting political entities in the EU and Ukraine.

APT28 Russian hackers use WinRAR bug to target EU and Ukrainian political entitiesLure from Russian APT28 hackers with WinRAR exploit to target political entities
source: ESET

The blend of WinRAR vulnerabilities and the discreet use of Ngrok services to obfuscate C2 communication makes APT29’s campaign a noteworthy development in the ever-evolving landscape of state-sponsored cyber threats.

The Ukrainian NDSC report includes a set of indicators of compromise (IoCs), offering insights into filenames, hashes, domains, and email addresses associated with this sophisticated cyber espionage operation.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This