More WinRar security flaws are being exploited to attack foreign embassies

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)

The list of threat actors abusing a vulnerability in WinRAR that was first discovered last spring is continuing to grow, with the latest addition being APT29, a Russian state-sponsored threat actor also known as Cozy Bear or NOBELIUM.

This is according to the Ukrainian National Security and Defense Council (NDSC), which claims that it observed APT29 targeting government agencies with phishing emails that exploited CVE-2023-38831, BleepingComputer reports.

CVE-2023-38831 is a vulnerability in the popular archiving program, WinRAR, that was discovered in April this year. It allows hackers to create .RAR and .ZIP archives that can execute malicious code in the background, while the victim is busy reading the diversion files shared in the archive. The malware being dropped is mostly infostealers, grabbing passwords stored in browsers, classified documents, system information, and more.


Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Using Ngrok, too

In this instance, the attackers were targeting government organizations in Azerbaijan, Greece, Romania, and Italy, with fake BMW sales. Employees would get an email pretending to offer a diplomatic BMW car in good shape, and while they were busy reviewing the photos of the vehicle, the malware would install in the background.

The vulnerability affects WinRAR versions older than 6.23. The company that builds the product, RAR Labs, released a patch a few months ago, which all users are advised to install. 

This attack is also unique because the attackers came up with a new way to communicate with the C2 server. AS per NDSC, Cozy Bear used a Ngrok free static domain to access the C2 server hosted on their Ngrok instance.

“In this nefarious tactic, they utilize Ngrok's services by utilizing free static domains provided by Ngrok, typically in the form of a subdomain under "ngrok-free.app." These subdomains act as discrete and inconspicuous rendezvous points for their malicious payloads,” the organization said.

Last summer, besides Russian hackers, researchers also spotted the Chinese abusing the WinRAR flaw as well.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.