
October 17, 2023

WinRAR vulnerability exploited by phishing campaign


Security researchers have observed pro-Russia hackers exploiting a recently patched vulnerability, designated CVE-2023-38831, affecting versions of the WinRAR file archiving utility prior to 6.23. The vulnerability was exploited by a phishing campaign intended to obtain credentials and other sensitive data from victims.

The phishing emails contained malicious WinRAR (.zip) attachments that, when opened by the recipient, establish a reverse shell connection providing the threat actor with remote access. A PowerShell script then steals data and credentials from Google Chrome and Microsoft Edge, which are exfiltrated back to the threat actor using the legitimate service webhook.site.

Source: The Hacker News

Analysis

WinRAR’s large user base and familiarity make it a popular choice for exploitation and misuse. In May 2023, it was reported that Russian hackers leveraged their access to sensitive Ukrainian government systems to archive and delete files using a function native to WinRAR. It’s likely the hackers chose WinRAR for this purpose since it is unlikely to be detected by host-based anti-virus programs, compared to the custom-built wipers that have become associated with Russian hackers since the beginning of Russia’s invasion of Ukraine.

Of interest is the threat actor’s use of the legitimate web service webhook.site to exfiltrate the stolen information. The webhook.site service was recently used by threat actors to exfiltrate data from compromised SQL servers residing in Azure cloud environments. Given that webhook.site is a legitimate service, it’s less likely to be detected by firewalls and other network security controls, and thus has become popular with threat actors to facilitate data exfiltration.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software like WinRAR. This research contributes to the timely deployment of signatures into Covalence, our flagship security solution, to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect strongly encourages users of WinRAR to update to the latest version as soon as possible. Additionally, firewall logs should be reviewed for connections to webhook.site URLs to ensure they are not threat related.
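The two checks recommended above (confirming that installed WinRAR builds are at or past the fixed version, and reviewing firewall or proxy logs for connections to webhook.site) can both be scripted. The following Python is an added example, not code from the original article or from Field Effect; the log lines, the `https://webhook.site/example-token/` URL and the version strings are constructed for illustration, and the log format is an assumed generic `key=value` text format rather than any particular vendor's.

```python
import re
from urllib.parse import urlsplit

# The article states that WinRAR versions prior to 6.23 are affected by CVE-2023-38831.
FIXED_VERSION = (6, 23)

# Legitimate service the article reports being used for exfiltration.
EXFIL_DOMAIN = "webhook.site"


def parse_version(text):
    """Turn a version string such as '6.22' or '6.9' into an integer tuple.

    Comparing as tuples avoids the classic mistake of string comparison,
    under which '6.9' would sort *after* '6.23'.
    """
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def is_vulnerable_winrar(version_text):
    """True when the given WinRAR version is older than the 6.23 fix."""
    return parse_version(version_text) < FIXED_VERSION


def hostname_of(value):
    """Extract a lower-case hostname from a URL or a bare host[:port] field."""
    s = value.strip().lower()
    if "://" in s:
        return (urlsplit(s).hostname or "").strip(".")
    return s.split("/", 1)[0].rsplit(":", 1)[0].strip(".")


def matches_domain(host, domain=EXFIL_DOMAIN):
    """Exact-domain or subdomain match; a plain substring test would also
    flag unrelated hosts such as 'webhook.site.example.net'."""
    return host == domain or host.endswith("." + domain)


def find_exfil_connections(log_lines, domain=EXFIL_DOMAIN):
    """Return (line_number, host, line) for each log line recording a
    connection or DNS query to `domain` or one of its subdomains.

    Every whitespace-separated token is tested, with a leading 'key=' stripped
    (URL query strings are left intact), so the same check works on firewall,
    proxy and DNS text logs without a per-vendor parser.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in line.split():
            key, sep, rest = token.partition("=")
            if sep and "://" not in key:
                token = rest
            host = hostname_of(token)
            if "." in host and matches_domain(host, domain):
                hits.append((n, host, line))
                break
    return hits


# Constructed sample log lines (generic key=value format assumed for this example).
SAMPLE_LOG_LINES = [
    "2023-10-17T10:01:02Z fw allow src=10.0.0.5 dst=93.184.216.34 url=https://www.example.com/",
    "2023-10-17T10:02:10Z proxy allow src=10.0.0.5 url=https://webhook.site/example-token/ method=POST bytes=48211",
    "2023-10-17T10:02:11Z dns query src=10.0.0.5 qname=webhook.site qtype=A",
    "2023-10-17T10:03:00Z fw allow src=10.0.0.9 dst=webhook.site.example.net",
]


if __name__ == "__main__":
    for ver in ("6.22", "6.9", "6.23", "7.00"):
        print(f"WinRAR {ver}: {'VULNERABLE' if is_vulnerable_winrar(ver) else 'patched'}")
    for n, host, line in find_exfil_connections(SAMPLE_LOG_LINES):
        print(f"line {n}: connection to {host}: {line}")
```

Lines 2 and 3 of the sample are reported (a POST to webhook.site and the preceding DNS lookup), while line 4 is not, because the hostname only contains `webhook.site` as a substring. Any hit still needs triage, since the article notes the service itself is legitimate.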
