Critical WinRAR 0-Day Vulnerability Exploited for Weeks by Two Groups

In recent reports, cybersecurity firm BI.ZONE disclosed that the threat actor known as Paper Werewolf has launched a series of attacks leveraging exploits delivered via email attachments. These emails masqueraded as communications from employees at the All-Russian Research Institute, with the malicious aim of installing malware to gain unauthorized access to compromised systems.

Both BI.ZONE and ESET independently identified this campaign, although there’s still uncertainty regarding any potential connections between the groups exploiting the vulnerabilities. Speculation from BI.ZONE suggests that Paper Werewolf may have obtained the vulnerabilities listed in dark web crime forums, indicating a possible sourcing of exploits from common market venues.

ESET detailed that the observed attacks adhered to three distinct execution chains, one notably targeting a specific organization with a method known as COM hijacking. This technique enabled the execution of a malicious DLL file concealed within an archive, leading to the installation of malware through applications like Microsoft Edge. In this context, the DLL decrypted embedded shellcode to retrieve the current machine’s domain and compare it against a hardcoded value; a match triggered the installation of the Mythic Agent exploitation framework.

Another execution chain employed a malicious Windows executable to deliver SnipBot, a recognized variant of RomCom malware. This malware exhibited behavior designed to thwart forensic analysis, such as terminating itself when operated within a virtual machine or sandbox environment—common setups used by cybersecurity researchers. A third execution chain utilized two other known RomCom malware samples, identified as RustyClaw and Melting Claw, further indicating a sophisticated approach to infecting targeted systems.

Historically, vulnerabilities in WinRAR have been exploited to deliver malware, including a wide-scale exploitation of a critical code-execution flaw in 2019, as well as a zero-day vulnerability detected in 2023 that was exploited for an extended period before being uncovered. The structure of WinRAR, which necessitates manual user intervention for updates, poses enhanced risks. This is compounded by the existence of unpatched vulnerabilities in Windows versions of UnRAR.dll and portable UnRAR source code, putting users at further risk. Business owners are advised to utilize only the most recent WinRAR version, specifically 7.13 or later, as it addresses known vulnerabilities.

This situation exemplifies the ongoing need for vigilance against cyber threats in a landscape where exploitation techniques continue to evolve. Utilizing the MITRE ATT&CK framework can aid in understanding the tactics involved in these attacks, including initial access, persistence, and privilege escalation—each highlighting the complexities and risks faced by organizations today. As cyber defenses become paramount, keeping software updated and employing robust cybersecurity practices remain essential for safeguarding sensitive data and systems.

Source

Related Posts

Lazarus Hacker Group Adapts Tactics, Tools, and Targets in DeathNote Campaign

The North Korean cyber threat group known as Lazarus has been observed changing its strategies and rapidly enhancing its tools within its ongoing DeathNote campaign. While historically focused on the cryptocurrency sector, recent attacks have also expanded to include the automotive, academic, and defense sectors in Eastern Europe and beyond. This shift is seen as a major change in approach. Kaspersky researcher Seongsu Park noted that the group has switched its decoy documents to job descriptions for defense contractors and diplomatic services, marking a strategic pivot that began in April 2020. This campaign is also identified by other names such as Operation Dream Job or NukeSped, with Google-owned Mandiant linking certain activities to this evolving threat.

RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

Critical Vulnerabilities in Android and Novi Survey Under Ongoing Exploitation

April 14, 2023
Mobile Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence. The vulnerabilities include:

  • CVE-2023-20963 (CVSS score: 7.8) – Android Framework Privilege Escalation Vulnerability
  • CVE-2023-29492 (CVSS score: TBD) – Novi Survey Insecure Deserialization Vulnerability

CISA’s advisory for CVE-2023-20963 notes that the Android Framework contains an unspecified vulnerability that enables privilege escalation when an app is updated to a higher Target SDK without requiring additional execution privileges. Google acknowledged in its March 2023 Android Security Bulletin that there are signs of limited, targeted exploitation of CVE-2023-20963. This revelation follows a report from Ars Technica that Android apps digitally signed by a Chinese e-commerce entity may be affected.

Google Reports APT41’s Exploitation of Open Source GC2 Tool to Target Media and Job Websites

April 17, 2023
Cyber Threat / Cloud Security

A Chinese nation-state group has reportedly targeted an unnamed Taiwanese media outlet using an open-source red teaming tool called Google Command and Control (GC2). This activity is part of a larger trend of utilizing Google’s infrastructure for malicious purposes. Google’s Threat Analysis Group (TAG) attributes the operation to a threat actor known as HOODOO, also identified as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email that includes links to a password-protected file on Google Drive. This file contains the Go-based GC2 tool, which retrieves commands from Google Sheets and exfiltrates data via the cloud storage service. “Once installed on the victim’s machine, the malware queries Google Sheets for attacker commands,” stated Google’s cloud division in its latest Threat Horizons Report.