APT29, a Russian hacker group, has strategically employed the CVE-2023-38831 vulnerability in WinRAR in a series of cyberattacks targeting embassies. Known for its various aliases, including Cozy Bear and SolarStorm, APT29’s recent campaign has been notable for its sophisticated use of both old and new techniques.

The Exploited Vulnerability

  • CVE-2023-38831 in WinRAR: Affecting versions prior to 6.23, this flaw enables the creation of .RAR and .ZIP archives that execute malicious background code. This zero-day vulnerability has been actively exploited since April, initially targeting cryptocurrency and stock trading forums.

Attack Methodology

  • Malicious Archive: The campaign involves a malicious ZIP archive disguised as a PDF, titled “DIPLOMATIC-CAR-FOR-SALE-BMW.pdf,” which has been distributed across European countries including Azerbaijan, Greece, Romania, and Italy.
  • Phishing and Payload Delivery: The attack displays a PDF lure and runs a background script to download and execute a PowerShell code, leading to the execution of the payload.
  • Use of Ngrok’s Feature: APT29 exploited Ngrok’s free static domain feature for covert communication with their command and control (C2) server, thus remaining undetected.

Tactics, Techniques, and Procedures (TTPs)

  • Exploitation for Client Execution (T1203): APT29 exploited the WinRAR vulnerability, a client-side application, to execute malicious code. This technique involves the manipulation of client software vulnerabilities to gain execution.
  • Phishing (T1566): Employing deceptive lures to deceive targets.
  • Command and Control (T1071): Utilizing Ngrok’s static domains for C2 communications.

Further Reading