Exploitation of WinRAR Vulnerability Unleashes Phishing Blitz

Cybersecurity analysts recently uncovered a campaign by pro-Russian hacking groups exploiting a recently disclosed vulnerability in the widely used WinRAR archiving utility. The exploit is a central component of a phishing campaign designed to steal credentials from compromised systems.

Tactical Execution and Malicious Payloads

The attackers deliver the exploit through specially crafted archive files that abuse the disclosed vulnerability in WinRAR versions prior to 6.23, tracked as CVE-2023-38831.

A report by Cluster25 shows that the weaponized archive contains a PDF file. Once opened, this seemingly innocent PDF launches a Windows Batch script, which in turn runs a chain of PowerShell commands. The chain ends in a reverse shell, granting the attacker remote control over the targeted system.

At the same time, a second PowerShell script harvests data, including login credentials, from browsers such as Google Chrome and Microsoft Edge. The stolen information is then exfiltrated through a legitimate-looking web service known as webhook.
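The chain above starts with a decoy document sitting next to a script in the same archive. The following triage helper, an added example that is not from the article or from Cluster25, scans ZIP attachments for that layout (a document-named entry whose base name also prefixes a script entry) and for entry names carrying trailing whitespace, which normal tooling does not produce; the extension lists and both heuristics are my own assumptions, not a published rule.

```python
"""Triage heuristic for ZIP attachments that pair a decoy document with a script.
Added example for defenders; extension sets and heuristics are the author's assumptions."""
import io
import zipfile

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
SCRIPT_EXTS = {".cmd", ".bat", ".ps1", ".vbs", ".js", ".lnk", ".exe"}


def _ext(name: str) -> str:
    """Lower-cased extension of the entry's final path component, whitespace stripped."""
    base = name.rstrip("/").rsplit("/", 1)[-1].strip()
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def triage_zip(data: bytes) -> list[str]:
    """Return findings for the archive bytes; an empty list means nothing suspicious."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    findings = []
    for n in names:
        # Path components ending in whitespace are an anomaly worth flagging on their own.
        if any(part != part.rstrip() for part in n.split("/")):
            findings.append(f"trailing whitespace in entry name: {n!r}")
    docs = [n for n in names if _ext(n) in DOC_EXTS]
    scripts = [n for n in names if _ext(n) in SCRIPT_EXTS]
    for doc in docs:
        stem = doc.rsplit("/", 1)[-1].strip()
        for script in scripts:
            # A script whose name begins with the decoy's full name is the pairing we care about.
            if script.rsplit("/", 1)[-1].strip().startswith(stem):
                findings.append(f"decoy document {doc!r} paired with script {script!r}")
    return findings


def _build(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (not real attachments): one benign, one mimicking the decoy-plus-script layout.
BENIGN = _build({"report.pdf": b"%PDF-1.4 placeholder", "notes.txt": b"hello"})
SUSPECT = _build({"invoice.pdf": b"%PDF-1.4 placeholder",
                  "invoice.pdf .cmd": b"@echo off\r\nrem constructed placeholder\r\n"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_zip(blob) or "clean")
```

Run it over a directory of quarantined attachments to produce a shortlist for manual review; it is a heuristic, so a hit is a reason to look, not a verdict.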

Zeroing in on CVE-2023-38831

CVE-2023-38831 denotes a critical flaw in WinRAR that allows attackers to execute arbitrary code when a user attempts to view a benign file inside a ZIP archive. Group-IB's findings from August 2023 indicate that the vulnerability was exploited as a zero-day as early as April 2023, featuring prominently in attacks aimed at traders.

Evolving Phishing Tactics and APT29’s Agenda

In a broader context, the surge in phishing activity aligns with Mandiant's observations of APT29, a Russian nation-state actor, rapidly evolving its operations. This heightened tempo, coupled with a focus on Ukraine, was evident in the first half of 2023. Mandiant highlights substantial shifts in APT29's tooling and tradecraft, likely made to support increased operational frequency and scope while complicating forensic analysis.

Ukrainian Cybersecurity Landscape

Against the backdrop of escalating cyber threats, Ukrainian cybersecurity agencies report diverse threat clusters targeting domestic entities. Notable groups include UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), and others. Turla, implicated in deploying the Capibar malware and the Kazuar backdoor, has maintained a persistent and sophisticated presence.

Security Hardening Pays Off

Encouragingly, CERT-UA's records indicate progress in cybersecurity resilience, with a notable reduction in critical cyber incidents during the first half of 2023. This trend suggests that security hardening efforts are paying off, as reflected in the diminished impact of destructive cyber-attacks on operational integrity.
