APT29 ATTACKS EMBASSIES USING CVE-2023-38831

Executive Summary

In this report we unveil a sophisticated cyberattack orchestrated by APT29, an advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR). The targets of this attack spanned multiple European nations, including Azerbaijan, Greece, Romania and Italy, with the primary goal of infiltrating embassy entities. APT29 leveraged a newly discovered vulnerability in WinRAR, identified as CVE-2023-38831, to facilitate their intrusion. This report delves into the details of these cyber operations, shedding light on the attackers' tactics, techniques and procedures.

APT29 employed benign-looking lures in the form of enticing BMW car sale photos and documents, crafted to draw in unsuspecting victims. The lure documents contained hidden malicious content that exploited the WinRAR vulnerability, granting the attackers access to the compromised systems. This campaign exemplifies the evolving nature of cyber threats and the persistent endeavors of nation-state-sponsored actors to compromise critical entities. The insights within this report aim to raise awareness of the complex threat landscape faced by diplomatic missions and organizations, ultimately fostering a proactive approach to cybersecurity defense.

Geopolitical Implications

At the outset of September 2023, the infamous APT29, affiliated with Russia's SVR, embarked on a sweeping cyber offensive that cast a wide net, targeting embassies, international organizations and even internet service providers. Their primary focus rested on diplomatic accounts, with the Ministry of Foreign Affairs (MFA) in Azerbaijan and Italy bearing the brunt of the onslaught. Additionally, embassies situated in Greece and Romania, along with the email accounts of a prominent Greek ISP, Otenet, were also among the numerous targets. The list of victims extended to major international organizations, emphasizing the audacity and scope of this campaign.

Figure 1: Map of countries with the most targeted accounts

Domain              Organization
@gccsg.org          Secretariat General of the Gulf Cooperation Council
@ec.europa.eu       European Commission
@unhcr.org          United Nations High Commissioner for Refugees
@unicef.org         United Nations International Children's Emergency Fund
@auf.org            Agence universitaire de la Francophonie
@francophonie.org   Organisation Internationale de la Francophonie (OIF)
@iom.int            International Organization for Migration
@worldbank.org      The World Bank
@selec.org          Southeast European Law Enforcement Center
@coe.int            Council of Europe
@euro.who.int       World Health Organization European Region

Table 1: List of international organizations targeted in the APT29 campaign

The geopolitical implications are profound. Among the several conceivable motives, one of the most apparent aims of the SVR might be to gather intelligence concerning Azerbaijan's strategic activities, especially in the lead-up to the Azerbaijani invasion of Nagorno-Karabakh. It is noteworthy that the targeted countries (Azerbaijan, Greece, Romania and Italy) maintain significant political and economic ties with Azerbaijan. In a noteworthy development, Azerbaijan had recently struck an agreement to procure military aircraft from Italy, marking a rare arms deal with a Western nation.

The attack methodology entailed the use of phishing emails equipped with enticing lures portraying BMW car sales, a tactic previously employed by APT29 in attacks on embassies in Kyiv. This campaign, consisting of over 200 targeted email addresses, accentuates the evolving nature of cyber threats in the international arena.

Figure 2: APT29 phishing email with BMW car for sale theme (subject "Car for sale"; body: "Dear colleagues, Please find in attachment an announcement for diplomatic car sale"; attachment DIPLOMATIC-CAR-FOR-SALE-BMW.rar)

Old And New Tactics

APT29's persistence in using the BMW car for sale theme as a lure in their phishing attacks has taken on a new dimension with the deployment of a thematically named RAR
archive, DIPLOMATIC-CAR-FOR-SALE-BMW.rar. This archive exploits a recently disclosed vulnerability, CVE-2023-38831. This vulnerability, which came to light in April 2023, is rooted in the mishandling of ZIP archives that contain seemingly innocuous files, like standard PDF documents, alongside folders sharing identical names. The core issue is that threat actors can surreptitiously insert into the archive a folder whose name matches that of a benign file. When an unsuspecting user attempts to open the benign file, the similarly named folder conceals executable content, often hosting malware or other malicious code. In the course of the user's effort to open the harmless file, the system unwittingly processes the concealed malicious content within the matching-name folder, thus enabling the execution of arbitrary code.

In this particular attack, a script is executed that generates a PDF file featuring the BMW car for sale lure theme. Simultaneously, in the background, a PowerShell script is downloaded and executed from the next-stage payload server. Notably, the attackers introduced a novel technique for communicating with the malicious server: they use a Ngrok free static domain to reach their server hosted on their Ngrok instance.

Figure 3: "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf" lure document (advertising a 2016 BMW 5 Series 528i xDrive sedan in Ankara: 115,000 km, 258 hp, grey, automatic, 2000 cc, 28,000 EUR)

Figure 4: PowerShell script deploying the PDF lure and downloading the next-stage payload from ngrok-free.app

Ngrok, at its core, is a versatile, cross-platform tool designed to expose local network ports securely to the internet through a process known as tunneling. In the hands of cyber adversaries, however, Ngrok has taken on a different role: instead of legitimate purposes, adversaries have begun leveraging Ngrok to host their next-stage PowerShell payloads and establish covert communication channels. In this tactic they use the free static domains provided by Ngrok, typically in the form of a subdomain under ngrok-free.app. These subdomains act as discrete and inconspicuous rendezvous points for their malicious payloads. This adaptation allows the adversaries to obfuscate their activities and communicate with compromised systems while evading detection. By exploiting Ngrok's capabilities in this manner, threat actors further complicate cybersecurity efforts and remain under the radar, making defense and attribution more challenging.

CVE-2023-38831

A critical security flaw, identified as CVE-2023-38831, has been discovered in earlier versions of RARLab's WinRAR software, specifically those released prior to version 6.23. This vulnerability poses a significant threat as it allows attackers to execute
arbitrary code through the exploitation of a specially crafted ZIP archive. The root cause of this vulnerability lies in the incorrect handling of ZIP archives that contain seemingly benign files, such as standard PDF documents, alongside folders bearing identical names. The crux of the issue is that, within these archives, malicious actors can insert folders with matching names. When a user attempts to access one of the harmless files, the ZIP archive may include a folder with the same name that contains executable content, often malware or other malicious code. During the user's attempt to open the benign file, the system unwittingly processes the malicious content within the similarly named folder, resulting in the execution of arbitrary code.

Figure 5: WinRAR archive exploiting CVE-2023-38831 (DIPLOMATIC-CAR-FOR-SALE-BMW.rar, shown by WinRAR as a ZIP archive with an unpacked size of 7,990,203 bytes, containing a folder and a file both named DIPLOMATIC-CAR-FOR-SALE-BMW.pdf)

This vulnerability has not remained merely theoretical: it has been actively exploited in real-world incidents. These attacks have been observed between April and October of 2023. Attackers utilize this vulnerability to craft malicious ZIP archives and distribute them via various channels, such as email attachments or compromised websites. Unsuspecting users who open these seemingly benign files can unknowingly trigger the execution of malicious code, granting attackers access to the victim's system and potentially leading to a host of detrimental consequences, including data theft, system compromise and more. A PoC for this vulnerability is publicly available.

In August 2023, ESET researchers discovered another spearphishing campaign, attributed to the Sednit APT, exploiting the CVE-2023-38831 vulnerability in WinRAR. Sednit, also known as APT28, is a threat actor group closely associated with the Russian military intelligence agency, the GRU. Sednit's approach was to employ emails with lures that revolved around the agenda of the European
Parliament. This was a calculated choice, as the campaign's primary targets were political entities within the European Union and Ukraine.

The concerning trend of Russian intelligence services' hacking groups exploiting the CVE-2023-38831 vulnerability demonstrates its growing popularity and sophistication. It becomes increasingly essential for organizations and security professionals to remain vigilant and proactive in defending against these threats. It is of utmost importance for WinRAR users to update their software to version 6.23 or later, which includes the security patches that mitigate this critical vulnerability. Furthermore, practicing caution when opening files received from unknown sources or untrusted locations is an additional layer of defense against potential exploitation of this vulnerability. Cybersecurity awareness and prompt software updates are crucial in maintaining a resilient defense against such threats.

Conclusion

In this report we have delved into the intricate campaign orchestrated by APT29, a threat group associated with Russia's intelligence apparatus. Their targeted attack against embassies, particularly in Azerbaijan, Greece, Romania and Italy, offers a sobering view of the evolving threat landscape. One of the most apparent geopolitical motives behind these attacks is the quest for intelligence, especially concerning Azerbaijan's impending actions in Nagorno-Karabakh. It is a stark reminder that cyber-espionage is a tool of statecraft and that its reach extends to diverse regions and sectors.

What makes this campaign particularly noteworthy is the synthesis of old and new techniques. APT29 continues to employ the BMW car for sale lure theme, a tactic that has been seen in the past. However, the deployment of the CVE-2023-38831 WinRAR vulnerability, a novel approach, reveals their adaptability to the evolving threat landscape. Additionally, their use of Ngrok services to establish covert communications emphasizes their determination to remain concealed.
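As an added defensive check (not code from the original report), the following Python scans a ZIP for the layout described in the CVE-2023-38831 section, a top-level file shadowed by a same-named folder holding a script, and pulls any ngrok-free.app URL out of that script, the two tells this campaign combines. The sample archive, its file names and the ngrok-free.app subdomain are constructed for the demonstration, and the script-extension list is my assumption for triage rather than something the report states.

```python
# Added triage check (not from the report): flag the CVE-2023-38831 archive layout and
# pull ngrok-free.app URLs out of the shadowing script. Sample data is constructed.
import io
import re
import zipfile
from pathlib import PurePosixPath

# Assumed set of extensions worth flagging when they sit inside the decoy folder.
SCRIPT_EXT = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".lnk", ".scr"}
NGROK_URL = re.compile(rb"https?://[\w.-]+\.ngrok-free\.app/\S*", re.IGNORECASE)

def norm(name: str) -> str:
    # Case-insensitive, ignoring trailing whitespace: a folder that differs from
    # the decoy file only by padding still counts as "the same name".
    return name.rstrip("/").rstrip().lower()

def scan_archive(data: bytes) -> list:
    """Return (decoy_file, script_member, ngrok_urls) for each top-level file that
    is shadowed by a same-named folder holding a script-like member. The lure
    carried a .rar extension but was a ZIP, so only the bytes matter here."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        top_files = {norm(m): m for m in members if "/" not in m}
        for member in members:
            path = PurePosixPath(member)
            if len(path.parts) < 2 or path.suffix.lower() not in SCRIPT_EXT:
                continue
            decoy = top_files.get(norm(path.parts[0]))
            if decoy is not None:
                urls = NGROK_URL.findall(zf.read(member))
                findings.append((decoy, member, [u.decode("ascii", "replace") for u in urls]))
    return findings

def build_sample(with_decoy_folder: bool = True) -> bytes:
    """Constructed stand-in for the lure archive; the 'script' holds only comments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CAR-FOR-SALE.pdf", b"%PDF-1.4\n% constructed decoy document\n")
        if with_decoy_folder:
            zf.writestr("CAR-FOR-SALE.pdf/CAR-FOR-SALE.pdf.cmd",
                        b"rem constructed sample; a real one would fetch\r\n"
                        b"rem http://constructed-0000.ngrok-free.app/stage2.ps1\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for decoy, script, urls in scan_archive(build_sample()):
        print(f"{decoy!r} is shadowed by {script!r}; ngrok URLs: {urls}")
```

Pointing `scan_archive` at the bytes of a mail attachment (after checking they start with the ZIP signature) gives a cheap mail-gateway or sandbox triage rule; the WinRAR 6.23 update remains the actual fix.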
Furthermore, the prevalence of similar techniques among Russian hacking groups underscores the imperative for organizations to take robust security measures seriously. Implementing stringent cybersecurity practices, staying updated on the latest vulnerabilities and fostering a culture of cybersecurity awareness are vital to guarding against these complex and persistent threats.

Indicators of Compromise