Russian hackers use Ngrok feature and WinRAR exploit to attack embassies

Trending 2 weeks ago

APT29 hackers mix Ngrok affection and WinRAR bug in attacks on admiral entities

After Sandworm and APT28 (known as Fancy Bear), addition state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks.

APT29 is tracked beneath altered names (UNC3524,/NobleBaron/Dark Halo/NOBELIUM/Cozy Bear/CozyDuke, SolarStorm) and has been targeting admiral entities with a BMW car auction lure.

The CVE-2023-38831 aegis blemish affects WinRAR versions afore 6.23 and allows crafting .RAR and .ZIP athenaeum that can assassinate in the accomplishments cipher able by the antagonist for awful purposes.

The vulnerability has been exploited as a zero-day since April by blackmail actors targeting cryptocurrency and banal trading forums.

Ngrok static area for awning comms

In a address this week, the Ukrainian National Security and Defense Council (NDSC) says that APT29 has been application a awful ZIP annal that runs a calligraphy in the accomplishments to appearance a PDF allurement and to download PowerShell cipher that downloads and executes a payload.

The awful annal is alleged “DIPLOMATIC-CAR-FOR-SALE-BMW.pdf” and targeted assorted countries on the European continent, including Azerbaijan, Greece, Romania, and Italy.

BMW car ad from APT29 with WinRAR exploitRussian APT29 hackers use WinRAR bug in BMW car ad for diplomats
source: Ukrainian National Security and Defense Council

APT29 has acclimated the BMW car ad phishing allurement afore to target diplomats in Ukraine during a attack in May that delivered ISO payloads through the HTML smuggling technique.

In these attacks, the Ukrainian NDSC says that APT29 accumulated the old phishing tactic with a atypical address to accredit advice with the awful server.

NDSC says that the Russian hackers acclimated a Ngrok chargeless changeless area (a new feature Ngrok announced on August 16) to acceptance the command and ascendancy (C2) server hosted on their Ngrok instance.

“In this abominable tactic, they advance Ngrok's casework by utilizing chargeless changeless domains provided by Ngrok, about in the anatomy of a subdomain beneath "" These subdomains act as detached and camouflaged affair credibility for their awful payloads” - National Security and Defense Council of Ukraine

By application this method, the attackers managed to adumbrate their action and acquaint with compromised systems after actuality the accident of actuality detected.

Since advisers at cybersecurity aggregation Group-IB appear that the CVE-2023-38831 vulnerability in WinRAR was exploited as a zero-day, beat blackmail actors started to absorb it into their attacks.

Security advisers at ESET saw attacks in August attributed to the Russian APT28 hacker accumulation that exploited the vulnerability in a spearphishing attack that targeted political entities in the EU and Ukraine application the European Parliament agenda as a lure.

APT28 Russian hackers use WinRAR bug to ambition EU and Ukrainian political entitiesLure from Russian APT28 hackers with WinRAR accomplishment to ambition political entities
source: ESET

A report from Google in October addendum that the aegis affair was exploited by Russian and Chinese accompaniment hackers to abduct accreditation and added acute data, as able-bodied as to authorize chain on ambition systems.

The Ukrainian NDSC says that the empiric attack from APT29 stands out because it mixes old and new techniques such as the use of the WinRAR vulnerability to bear payloads and Ngrok casework to adumbrate advice with the C2.

The address from the Ukrainian agency provides a set of indicators of accommodation (IoCs) consisting of filenames and agnate hashes for PowerShell scripts and an email file, alternating with domains and email addresses.