APT29 Tactics: Car Sale Lures Exploiting WinRAR Vulnerability


Category: Threat Actor Activity | Industries: Government, Telecommunications | Sources: Google TAG, Mandiant, NCSCC, Unit 42

Ukraine's National Cyber Security Coordination Center (NCSCC) has uncovered targeted cyber operations conducted by the Russian threat group APT29, also known as Cloaked Ursa, Cozy Bear, Midnight Blizzard, or Blue Bravo. Operating between April and October 2023, APT29 concentrated its efforts on infiltrating European embassies, with Azerbaijan, Greece, Romania, and Italy among the affected nations and particular interest shown in the Ministries of Foreign Affairs of Azerbaijan and Italy. Beyond embassies, the Greek telecommunications provider Otenet was also in scope.

The threat actors targeted more than 200 email addresses using a vehicle-sale lure, the same lure that Unit 42 researchers reported earlier this year, in May 2023. The phishing emails carried a ZIP archive and a PDF document crafted to exploit the WinRAR vulnerability CVE-2023-38831. According to NCSCC's assessment, APT29 had been leveraging this exploit since April 2023. Upon successful exploitation, a PowerShell script is executed to download and launch the next-stage payload, and Ngrok tunneling was used to conceal the command-and-control infrastructure. "Notably, the attackers introduced a novel technique for communicating with the malicious server, employing an Ngrok free static domain to access their server hosted on their Ngrok instance."
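As an added defensive example (not part of the NCSCC, Unit 42 or Google TAG reporting), the Python below correlates the two observable stages of the chain described above over constructed Sysmon-style events: WinRAR spawning a script host, then that same process resolving an Ngrok domain. The event field names follow Sysmon conventions and the Ngrok domain suffixes are assumptions.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process creation, 22 = DNS query);
# sample data for this example, not telemetry from the reported campaign.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessGuid": "B", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 22, "ProcessGuid": "A", "QueryName": "login.microsoftonline.com"},
    {"EventID": 22, "ProcessGuid": "B", "QueryName": "www.microsoft.com"},
    {"EventID": 22, "ProcessGuid": "A", "QueryName": "example-static.ngrok-free.app"},
]

ARCHIVE_TOOLS = {"winrar.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Ngrok endpoint suffixes; treating "ngrok-free.app" as the free static domain is an assumption.
NGROK_DOMAIN = re.compile(r"(^|\.)(ngrok-free\.app|ngrok\.app|ngrok\.io|ngrok\.dev)$", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Stage 1 (noisy on its own): an archive tool spawns a script host.
    Stage 2 (high confidence): that same process later resolves an Ngrok domain.
    Returns one finding dict per stage hit, in event order."""
    spawned = {}  # ProcessGuid -> script host image for stage-1 hits
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in ARCHIVE_TOOLS and child in SCRIPT_HOSTS:
                spawned[ev["ProcessGuid"]] = child
                findings.append({"guid": ev["ProcessGuid"], "stage": "archive_tool_spawned_script_host",
                                 "image": child, "domain": None})
        elif ev["EventID"] == 22:
            guid, name = ev["ProcessGuid"], ev["QueryName"].lower()
            if guid in spawned and NGROK_DOMAIN.search(name):
                findings.append({"guid": guid, "stage": "script_host_resolved_ngrok",
                                 "image": spawned[guid], "domain": name})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only process "A" is reported: the explorer-launched PowerShell and the script host's lookups of non-Ngrok names are left alone, so the second-stage finding is what should drive an alert.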

Google TAG has observed exploitation of CVE-2023-38831 since the second quarter of 2023 and has attributed it to both Russian and Chinese APT groups, underscoring the importance of timely patching and of focusing detection efforts on frequently targeted vulnerabilities. Recent incidents, such as Sandworm's disruption of a Ukrainian power station and the findings from NCSCC, serve as stark reminders of the advanced capabilities of Russian cyber actors.
