Some groups of pro-Russian hackers exploited a security vulnerability related to the application WinRAR.
This exploit has in fact become an integral part of a massive campaign phishingspecifically designed to collect as many credentials as possible from compromised systems.
According to the recent report by Cluster25 “The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting WinRAR compression software versions prior to 6.23 and tracked as CVE-2023-38831“.
The archive contains a file PDF con malicious code. If the file is activated, it causes a script to run Windows Batchwhich starts i comandi PowerShell to open a shell that gives the attacker remote access to the targeted host.
A PowerShell script that steals data from browsers is also distributed Google Chrome e Microsoft Edge. The acquired information is then exfiltrated and collected by the authors of the campaign.
The new WinRAR vulnerability already exploited in the past by pro-Russian hackers
CVE-2023-38831 is a vulnerability considered high severity, which allows attackers to execute malicious code when the victim attempts to view a benign file within a ZIP archive. According to research by Group-IB in August 2023, this exploit was already used in some attacks during April 2023.
During that time, the vulnerability was involved in some activities of the infamous group APT29during operations linked in some way to the conflict between Russia and Ukraine.
Compared to these attacks, however, the current phishing campaign is different. Today, in fact, sites are used WordPress compromises to accommodate i payloadas well as some very refined techniques regarding the obfuscation of malicious files.
According to Computer Emergency Response Team of Ukraine (CERT-UA), the same vulnerability was committed by the group The towerlast July, to spread the malware Capibar backdoor Caused. All in cyber espionage operations, always in the context of war.
Per Trend Micro “The Turla group is a persistent adversary with a long history of activity. Their origins, tactics and objectives all point to a well-funded operation with highly trained operators“. The same experts then added how “Turla has continually developed his tools and techniques over the years and will likely continue to refine them“.