
APT29 exploits WinRAR with phony BMW ad to diplomats


APT29, a Russian-backed hacking group also known as Cozy Bear, has launched its latest cyber-attack, this time using a fake BMW advertisement that exploits a WinRAR vulnerability tracked as CVE-2023-38831. APT29 targets high-profile individuals to gather intelligence on foreign governments. In this campaign, the group targeted multiple European embassies with a modified version of an attack it had used previously.

WinRAR is a popular file archiver for Windows that lets users compress and decompress files, making it easier to transfer large files over the internet. Researchers recently disclosed a vulnerability in WinRAR (CVE-2023-38831) that allows attackers to execute arbitrary code when a user tries to view a harmless-looking file inside a ZIP archive. The flaw is triggered when a benign file and a folder inside the archive share the same name: when the user opens the file, WinRAR also processes the contents of the same-named folder, and any executable content placed there runs.
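As an added defensive example (not code from the original article), the check below inspects an archive's member list for the file/folder name collision described above and reports any shell-executable member hidden under the colliding folder. It assumes a ZIP archive read with Python's standard `zipfile` module; the sample listings are constructed here and reuse the file name the article quotes. Names are compared after stripping trailing whitespace so padded variants of the decoy name are still matched.

```python
"""Flag archive listings showing the same-name file/folder collision CVE-2023-38831 abuses."""
import posixpath
import sys
import zipfile
from typing import Iterable, List, Tuple

# Extensions that a launched-from-archive member would hand to the Windows shell.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr", ".com"}


def find_collisions(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (decoy_file, shadowing_executable) pairs found in an archive listing.

    entries: member names as returned by zipfile.namelist() (or an `unrar l` listing).
    A decoy is a file entry whose name also exists as a directory in the archive;
    files under that directory with a shell-executable extension are reported.
    """
    names = [e.replace("\\", "/") for e in entries]
    # Collect every directory name implied by the listing (explicit "dir/" entries
    # and parents of nested members), trailing whitespace ignored.
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]).rstrip())
    # File entries whose normalised name collides with a directory name.
    decoys = sorted({n.rstrip() for n in names if not n.endswith("/")} & dirs)
    hits = []
    for decoy in decoys:
        for n in names:
            if n.endswith("/"):
                continue
            parent, child = posixpath.split(n)
            if parent.rstrip() == decoy and posixpath.splitext(child)[1].lower() in EXECUTABLE_EXTS:
                hits.append((decoy, n))
    return hits


def scan_zip(path: str) -> List[Tuple[str, str]]:
    """Apply find_collisions() to a ZIP file on disk."""
    with zipfile.ZipFile(path) as zf:
        return find_collisions(zf.namelist())


# Constructed sample listings (not real archives from the campaign).
SAMPLE_LISTING = [
    "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf",
    "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf/",
    "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf/DIPLOMATIC-CAR-FOR-SALE-BMW.pdf.cmd",
]
BENIGN_LISTING = ["brochure.pdf", "images/", "images/front.jpg"]

if __name__ == "__main__":
    for archive in sys.argv[1:]:
        for decoy, shadow in scan_zip(archive):
            print(f"{archive}: decoy {decoy!r} is shadowed by executable {shadow!r}")
    print("sample listing:", find_collisions(SAMPLE_LISTING))
```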


APT29 pairs this vulnerability with Ngrok to communicate with a command and control (C2) server. Ngrok is a legitimate tool that lets users securely expose local network ports to the internet. Despite its intended use, Ngrok's capabilities can be turned to evading network protections. Specifically, APT29 reached its C2 server by taking advantage of Ngrok's free static domains: the group used the Ngrok client on the compromised system to obtain free static domains, creating a persistent and inconspicuous link to its C2 server.

Russian hacking group APT29 exploits WinRAR vulnerability and Ngrok services with a fake BMW ad

The Russian-linked APT29 first sent phishing emails carrying a fake BMW ad to hundreds of employees across many embassies. The email contained an archive named “DIPLOMATIC-CAR-FOR-SALE-BMW.rar,” which held a PDF named “DIPLOMATIC-CAR-FOR-SALE-BMW.pdf.” When a user opens the malicious archive, the WinRAR exploit runs a script that displays the BMW car-sale PDF as a lure. In the background, the same-named folder runs shell code that downloads and executes payloads. The group uses Ngrok services to relay the information the payload collects back to the threat actors.

The combination of the relatively new WinRAR vulnerability and the previously abused Ngrok services joins two different techniques into a single, comprehensive attack chain. Russian-backed hacking groups have shown an uptick in activity during periods of geopolitical tension. The affected countries were Azerbaijan, Greece, Romania, and Italy, so it remains to be seen whether tensions rise in those regions in the near term.