Russian hackers use Ngrok feature and WinRAR exploit to attack embassies

Trending 2 weeks ago
  1. Home
  2. Technology
  3. Russian hackers use Ngrok feature and WinRAR exploit to attack embassies

APT29 hackers mix Ngrok affection and WinRAR bug in attacks on admiral entities

After Sandworm and APT28 (known as Fancy Bear), addition state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks.

APT29 is tracked beneath altered names (UNC3524,/NobleBaron/Dark Halo/NOBELIUM/Cozy Bear/CozyDuke, SolarStorm) and has been targeting admiral entities with a BMW car auction lure.

The CVE-2023-38831 aegis blemish affects WinRAR versions afore 6.23 and allows crafting .RAR and .ZIP athenaeum that can assassinate in the accomplishments cipher able by the antagonist for awful purposes.

The vulnerability has been exploited as a zero-day since April by blackmail actors targeting cryptocurrency and banal trading forums.

Ngrok static area for awning comms

In a address this week, the Ukrainian National Security and Defense Council (NDSC) says that APT29 has been application a awful ZIP annal that runs a calligraphy in the accomplishments to appearance a PDF allurement and to download PowerShell cipher that downloads and executes a payload.

The awful annal is alleged “DIPLOMATIC-CAR-FOR-SALE-BMW.pdf” and targeted assorted countries on the European continent, including Azerbaijan, Greece, Romania, and Italy.

BMW car ad from APT29 with WinRAR exploitRussian APT29 hackers use WinRAR bug in BMW car ad for diplomats
source: Ukrainian National Security and Defense Council

APT29 has acclimated the BMW car ad phishing allurement afore to target diplomats in Ukraine during a attack in May that delivered ISO payloads through the HTML smuggling technique.

In these attacks, the Ukrainian NDSC says that APT29 accumulated the old phishing tactic with a atypical address to accredit advice with the awful server.

NDSC says that the Russian hackers acclimated a Ngrok chargeless changeless area (a new feature Ngrok announced on August 16) to acceptance the command and ascendancy (C2) server hosted on their Ngrok instance.

“In this abominable tactic, they advance Ngrok's casework by utilizing chargeless changeless domains provided by Ngrok, about in the anatomy of a subdomain beneath "ngrok-free.app." These subdomains act as detached and camouflaged affair credibility for their awful payloads” - National Security and Defense Council of Ukraine

By application this method, the attackers managed to adumbrate their action and acquaint with compromised systems after actuality the accident of actuality detected.

Since advisers at cybersecurity aggregation Group-IB appear that the CVE-2023-38831 vulnerability in WinRAR was exploited as a zero-day, beat blackmail actors started to absorb it into their attacks.

Security advisers at ESET saw attacks in August attributed to the Russian APT28 hacker accumulation that exploited the vulnerability in a spearphishing attack that targeted political entities in the EU and Ukraine application the European Parliament agenda as a lure.

APT28 Russian hackers use WinRAR bug to ambition EU and Ukrainian political entitiesLure from Russian APT28 hackers with WinRAR accomplishment to ambition political entities
source: ESET

A report from Google in October addendum that the aegis affair was exploited by Russian and Chinese accompaniment hackers to abduct accreditation and added acute data, as able-bodied as to authorize chain on ambition systems.

The Ukrainian NDSC says that the empiric attack from APT29 stands out because it mixes old and new techniques such as the use of the WinRAR vulnerability to bear payloads and Ngrok casework to adumbrate advice with the C2.

The address from the Ukrainian agency provides a set of indicators of accommodation (IoCs) consisting of filenames and agnate hashes for PowerShell scripts and an email file, alternating with domains and email addresses.

Related Article

Linux version of Qilin ransomware focuses on VMware ESXi

Linux version of Qilin ransomware focuses on VMware ESXi

8 hours ago
North Korea's state hackers stole $3 billion in crypto since 2017

North Korea's state hackers stole $3 billion in crypto since 2017

12 hours ago
Google is phasing out ad personalization for some AdSense products

Google is phasing out ad personalization for some AdSense products

13 hours ago
New proxy malware targets Mac users through pirated software

New proxy malware targets Mac users through pirated software

14 hours ago
Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks

Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks

1 day ago
Google Chrome's new cache change could boost performance

Google Chrome's new cache change could boost performance

1 day ago

Trending

1. Simone Biles
2. Joe Flacco
3. Christian McCaffrey
4. Cardinals
5. Chargers
6. Billie Eilish
7. Jets
8. College Football bowl games
9. Barcelona
10. Dolphins

Popular Article

5 saddest Christmas movies ever

5 saddest Christmas movies ever

16 hours ago
You Asked: Is Dolby Vision a must-have? And how to handle Atmos with irregular ceilings

You Asked: Is Dolby Vision a must-have? And how to handle Atmos with irregular ceilings

16 hours ago
San Francisco 49ers vs. Philadelphia Eagles live stream: watch the NFL for free

San Francisco 49ers vs. Philadelphia Eagles live stream: watch the NFL for free

18 hours ago
The Nothing Phones are discounted in Germany, you can get a Pixel phone too

The Nothing Phones are discounted in Germany, you can get a Pixel phone too

15 hours ago
The best investment apps for iPhone and Android in 2023

The best investment apps for iPhone and Android in 2023

15 hours ago
7 best SNL holiday skits, ranked

7 best SNL holiday skits, ranked

13 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.