Cluster25 Threat Intel Team
October 12, 2023
Cluster25 observed and analyzed several phishing-based attacks that it links to a Russia-nexus nation-state threat actor. The attack involves malicious archive files that exploit the recently discovered vulnerability affecting WinRAR versions prior to 6.23, tracked as CVE-2023-38831.
The lure file is a PDF document, contained in the archive, that shows a list of Indicators of Compromise (IoCs) with domain names and hashes related to different malware families, including SmokeLoader, Nanocore RAT, Crimson RAT and AgentTesla. Because of the vulnerability, clicking the PDF file causes a BAT script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker access to the targeted machine, and a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. To exfiltrate the data, the attackers use the legitimate web service webhook[.]site.
The lure sample is an archive file named IOC_09_11.rar, probably intended to masquerade as a file used to share Indicators of Compromise (IoCs). The archive is crafted to exploit the WinRAR vulnerability tracked as CVE-2023-38831: it contains a bogus PDF file named IOC_09_11.pdf with a trailing space character in its filename, and a directory with the same name (including the trailing space) containing a file named "IOC_09_11.pdf .cmd", which is a BAT script.
Figure: Content of the malicious RAR file
Because of the vulnerability, if the victim has a WinRAR version prior to 6.23 installed, opening the bogus PDF file causes the BAT script to be executed. The BAT script first runs WinRAR in the background to extract the archive's contents into the %TEMP% directory, then deletes the script file from there and opens the PDF file to show the lure to the victim. The PDF shows a list of IoCs containing domain names and hashes related to different malware families, including SmokeLoader, Nanocore RAT, Crimson RAT and AgentTesla.
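As an added defensive example (not Cluster25's code), the following Python checks an archive listing for the exact layout described above: a decoy entry whose name ends in a space, plus a same-named directory holding a script whose name starts with the decoy's. The script-extension list and the in-memory sample archive are assumptions constructed for the demonstration; the real lure is a RAR, but only the entry names matter, so a ZIP keeps it runnable with the standard library.

```python
"""Flag the CVE-2023-38831 archive layout: a decoy name ending in a space plus
a same-named directory holding a script whose name starts with the decoy's.
Added example, not Cluster25's code; the sample archive below is constructed."""
import io
import zipfile

# Assumption: extensions a defender treats as directly executable by the shell.
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".ps1", ".vbs", ".js", ".exe", ".lnk")


def find_trailing_space_lures(entries):
    """Return sorted (decoy, script) pairs from an iterable of entry names.

    Works on any archive listing (RAR, ZIP, `unrar l` output); directory
    entries are optional and, if present, end with '/'.
    """
    names = [e.replace("\\", "/") for e in entries]
    decoys = {n for n in names if not n.endswith("/") and n.endswith(" ")}
    hits = []
    for name in names:
        if name.endswith("/") or "/" not in name:
            continue  # directories and top-level files cannot be the script
        directory, _, leaf = name.rpartition("/")
        if directory not in decoys:
            continue  # no decoy file shares this directory's exact name
        decoy_leaf = directory.rsplit("/", 1)[-1]
        if leaf.startswith(decoy_leaf) and leaf.lower().endswith(SCRIPT_EXTENSIONS):
            hits.append((directory, name))
    return sorted(hits)


def scan_constructed_sample():
    """Build an in-memory ZIP with IOC_09_11.rar's layout and scan it.

    The real lure is a RAR; the file-name trick is identical and only the
    listing matters, so a ZIP keeps this runnable with the standard library.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IOC_09_11.pdf ", b"%PDF-1.4 decoy")  # trailing space
        zf.writestr("IOC_09_11.pdf /IOC_09_11.pdf .cmd", b"rem inert placeholder")
        zf.writestr("notes.txt", b"benign file")
    with zipfile.ZipFile(io.BytesIO(buf.getvalue())) as zf:
        return find_trailing_space_lures(zf.namelist())


if __name__ == "__main__":
    for decoy, script in scan_constructed_sample():
        print(f"CVE-2023-38831 layout: {decoy!r} pairs with {script!r}")
```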
The script retrieves and decrypts data, including login credentials, from the Google Chrome and Microsoft Edge browsers, then sends it to the threat actor using the legitimate Webhook.site service, which lets users set up a unique URL and obtain a log of the requests or emails sent to it, so that their content can be inspected. The script performs a POST request with the retrieved data to the following URL, which contains the unique token owned by the attacker:
Based on Cluster25's visibility and considering the sophistication of the infection chain, the attack could be related with low-to-mid confidence to the Russian state-sponsored group APT28 (aka Fancy Bear, Sednit).
MITRE ATT&CK MATRIX
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Discovery | T1082 | System Information Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1102 | Web Service |
| Exfiltration | T1567 | Exfiltration Over Web Service |
INDICATORS OF COMPROMISE