Pro-Russian Hackers Exploit Recent WinRAR Flaw in New Phishing Campaign

    New Campaign by Pro-Russian Hackers Exploiting WinRAR Vulnerability

    A hacking group with ties to Russia has launched a new phishing campaign that exploits a recently disclosed vulnerability in the WinRAR archiving utility to harvest login credentials from compromised systems. The lure is a malicious archive containing a seemingly benign PDF. Opening that PDF from within WinRAR does not display a document; it executes a Windows Batch script, which in turn launches PowerShell commands that establish a reverse shell and give the attacker remote access to the host. A further PowerShell script then collects data, including saved login credentials, from the Google Chrome and Microsoft Edge browsers and exfiltrates it through webhook[.]site, a legitimate web service whose traffic is unlikely to stand out or be blocked. The flaw being exploited, CVE-2023-38831, is a high-severity WinRAR vulnerability that lets attackers run arbitrary code when a user attempts to view an apparently benign file inside a specially crafted ZIP archive; it was fixed in WinRAR 6.23.
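    The archive layout that triggers CVE-2023-38831 is public knowledge: the ZIP holds a decoy file (for example "Report.pdf"), a directory whose name is the decoy's name plus a trailing space ("Report.pdf "), and inside that directory a script whose name also begins with the decoy's name and a space ("Report.pdf .cmd"). When the user double-clicks the decoy, vulnerable WinRAR builds extracts both entries and the script is what ends up executing. The check below is an added example written for this page, not code from the article or from the campaign it describes; it scans a ZIP for that exact layout so a mail gateway or sandbox can flag such archives before a user opens them. The file names, the in-memory sample archives and the harmless "script" content are constructed for the example.

```python
"""Flag ZIP archives laid out to trigger CVE-2023-38831 in WinRAR (< 6.23)."""
from __future__ import annotations

import io
import sys
import zipfile

# Extensions Windows will execute when handed to ShellExecute. Extend as needed.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".ps1", ".vbs", ".js", ".scr", ".lnk"}


def find_cve_2023_38831_layout(data: bytes) -> list[dict]:
    """Return one finding per decoy entry that is shadowed by a directory of the
    same name plus a trailing space, where that directory holds an executable
    whose name starts with the decoy name plus a space. [] means clean layout."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        files = [n for n in names if not n.endswith("/")]
        for decoy in sorted(files):
            base = decoy.rsplit("/", 1)[-1]        # decoy file name without folders
            shadow_dir = decoy + " /"               # e.g. "Report.pdf /"
            for entry in names:
                if not entry.startswith(shadow_dir) or entry == shadow_dir:
                    continue
                leaf = entry[len(shadow_dir):]
                if "/" in leaf:                     # only direct children matter
                    continue
                # The script must share the decoy's name followed by a space:
                # "Report.pdf .cmd" next to decoy "Report.pdf".
                if not leaf.startswith(base + " "):
                    continue
                ext = ("." + leaf.rsplit(".", 1)[-1].lower()) if "." in leaf else ""
                if ext in EXECUTABLE_EXTS:
                    findings.append({"decoy": decoy, "script": entry})
    return findings


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed test data (not a real sample). The 'script' only echoes text;
    the archive layout, not the payload, is what the detector keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4\n% constructed decoy document\n")
        if malicious:
            # Directory "Report.pdf " (trailing space) shadowing the decoy,
            # holding "Report.pdf .cmd" plus an unrelated filler file.
            zf.writestr("Report.pdf /Report.pdf .cmd",
                        b"@echo off\r\necho constructed sample, does nothing\r\n")
            zf.writestr("Report.pdf /filler.bin", b"\x00" * 16)
    return buf.getvalue()


def scan_path(path: str) -> list[dict]:
    """Convenience wrapper for scanning an archive on disk."""
    with open(path, "rb") as fh:
        return find_cve_2023_38831_layout(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_path(sys.argv[1])
    else:
        hits = find_cve_2023_38831_layout(build_sample_archive(malicious=True))
    for hit in hits:
        print(f"CVE-2023-38831 layout: decoy={hit['decoy']!r} script={hit['script']!r}")
    sys.exit(1 if hits else 0)
```

    Run it with an archive path to scan a real file; with no arguments it scans the constructed malicious sample and exits non-zero. The detector keys on the archive structure rather than on signatures of any particular payload, so it is unaffected by obfuscation of the Batch or PowerShell stages; the trade-off is that it says nothing about archives that use a different, non-CVE-2023-38831 lure.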

    This latest campaign comes in the wake of increased phishing operations by APT29, a Russian nation-state actor, focused on diplomatic entities, particularly those dealing with Ukraine. Mandiant, a Google-owned company, has observed APT29's evolving tradecraft, which aims to hinder forensic analysis and to support more frequent and wider-ranging operations. The changes include hosting first-stage payloads on compromised WordPress sites and adding further obfuscation and anti-analysis components. APT29 is one of several Russian state-linked hacking groups that have concentrated on Ukraine since the war began in early 2022.

    In addition, Ukrainian cybersecurity agencies have reported on a set of threat actors, including the well-known Turla group, that have targeted domestic law enforcement agencies to gather information about Ukrainian investigations into war crimes committed by Russian soldiers. Turla has a long history of sophisticated operations and continuously refines its tools and techniques.

    This campaign highlights the ongoing cyber threats faced by both Ukraine and diplomatic entities, as attackers take advantage of vulnerabilities in widely used software like WinRAR to gain unauthorized access to sensitive systems. It underlines the need for prompt patching (WinRAR 6.23 and later contain the fix for CVE-2023-38831), for user awareness that a file inside an archive is not safe merely because it looks like a PDF, and for monitoring that catches script interpreters such as cmd.exe and PowerShell being spawned from archive extraction paths.
