The list of threat actors abusing a vulnerability in WinRAR that was first discovered last spring is continuing to grow, with the latest addition being APT29, a Russian state-sponsored threat actor also known as Cozy Bear or NOBELIUM.
This is according to the Ukrainian National Security and Defense Council (NDSC), which claims that it observed APT29 targeting government agencies with phishing emails that exploited CVE-2023-38831, BleepingComputer reports.
CVE-2023-38831 is a vulnerability in the popular archiving program, WinRAR, that was discovered in April this year. It allows hackers to create .RAR and .ZIP archives that can execute malicious code in the background, while the victim is busy reading the diversion files shared in the archive. The malware being dropped is mostly infostealers, grabbing passwords stored in browsers, classified documents, system information, and more.
Using Ngrok, too
In this instance, the attackers were targeting government organizations in Azerbaijan, Greece, Romania, and Italy, with fake BMW sales. Employees would get an email pretending to offer a diplomatic BMW car in good shape, and while they were busy reviewing the photos of the vehicle, the malware would install in the background.
The vulnerability affects WinRAR versions older than 6.23. The company that builds the product, RAR Labs, released a patch a few months ago, which all users are advised to install.
This attack is also unique because the attackers came up with a new way to communicate with the C2 server. AS per NDSC, Cozy Bear used a Ngrok free static domain to access the C2 server hosted on their Ngrok instance.
“In this nefarious tactic, they utilize Ngrok’s services by utilizing free static domains provided by Ngrok, typically in the form of a subdomain under “ngrok-free.app.” These subdomains act as discrete and inconspicuous rendezvous points for their malicious payloads,” the organization said.
Last summer, besides Russian hackers, researchers also spotted the Chinese abusing the WinRAR flaw as well.