APT29 Car Trap: Fake BMW ad steals data from European embassies

Brother

The combination of phishing and simple legitimate tools opens the doors of any organization to hackers.

The hacking group APT29, also known as CozyBear and Midnight Blizzard, recently conducted another malicious campaign that used fake BMW ads, the Ngrok tool, and a vulnerability in the WinRAR archiver known as CVE-2023-38831.

APT29 aims to gather intelligence from high-level individuals to obtain information about foreign governments. Similar malicious operations that exploit fake BMW advertising have previously been detected by Unit 42 and Mandiant researchers, but this time the attack methods were significantly different.

The recently discovered WinRAR vulnerability CVE-2023-38831 allows attackers to execute arbitrary code when a user tries to open a seemingly harmless file in a ZIP archive. Exploitation relies on the archive containing a harmless file and a folder with the same name. When the user opens the file from the archive, the contents of the same-named folder (which may contain executable content) are also processed, which leads to infection of the target device.

APT29 also uses Ngrok for communication between the infected device and the C2 server. Ngrok is a legitimate tool that lets users expose ports on a local network to the Internet through an encrypted tunnel. Despite its legitimate purpose, Ngrok's capabilities can be abused to bypass network defenses; in particular, APT29 used Ngrok's free static domains to maintain a persistent and inconspicuous connection to its C2 server.

A central role in the attack was played by a fake BMW advertisement sent to hundreds of employees of various embassies. The phishing emails carried an archive named "DIPLOMATIC-CAR-FOR-SALE-BMW.rar", which contained a PDF file and a folder with the same name.

When a user opened the PDF file with an "exclusive offer" on BMW cars from the archive, shellcode from the folder with malicious content ran in the background to download and execute the payload. Among other things, the hackers used Ngrok services to exfiltrate the collected information to their own storage.
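As an added example (not part of the original article), here is a defensive check for the archive layout described above and in the description of CVE-2023-38831: a top-level file and a folder sharing the same name. It uses Python's standard zipfile module on a constructed ZIP, since the standard library has no RAR reader, but the same check applies to any archiver's entry list; the function names, the sample entries and the placeholder contents are my own.

```python
import io
import zipfile


def detect_cve_2023_38831(entry_names):
    """Return [(file_entry, [entries under the same-named folder]), ...].

    entry_names: archive entry paths, '/'-separated, folders ending in '/'.
    Only top-level names are compared, after stripping trailing whitespace,
    because in-the-wild samples pad the decoy name with a space ("offer.pdf ").
    """
    files, dirs = {}, {}
    for raw in entry_names:
        parts = raw.split("/")
        top = parts[0].rstrip()
        if not top:
            continue  # malformed or absolute-path entry; not handled here
        if len(parts) > 1:  # anything containing '/' is a folder or lives in one
            dirs.setdefault(top, []).append(raw)
        else:
            files[top] = raw
    return sorted((files[top], dirs[top]) for top in files if top in dirs)


def scan_zip_bytes(data):
    """Run the name-collision check over the entry list of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return detect_cve_2023_38831(zf.namelist())


def build_sample_archive():
    """Constructed test input (not the real lure): a decoy PDF plus a folder of
    the same name (trailing space) holding a harmless placeholder script."""
    decoy = "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf "
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"%PDF-1.4\n% decoy document, no content\n")
        zf.writestr(decoy + "/launcher.cmd", b"@echo placeholder\r\n")
        zf.writestr("README.txt", b"unrelated benign file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for file_entry, folder_entries in scan_zip_bytes(build_sample_archive()):
        print(f"suspicious: {file_entry!r} collides with folder entries {folder_entries}")
```

A mail gateway or sandbox can run this over every archive attachment before delivery; a hit is worth quarantining even on patched hosts, because the layout has no legitimate use.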

The combination of the WinRAR vulnerability and Ngrok services is a distinctive way of chaining two different techniques into one complex attack. According to sources, Azerbaijan, Greece, Romania and Italy were the countries affected by the APT29 campaign.

This attack once again demonstrates the sophistication and persistence of APT groups. By combining a recent vulnerability in a popular archiver with a legitimate traffic-tunneling service, the attackers were able to carry out a carefully planned operation to steal confidential data from the embassies of several European countries.

To protect against such attacks, it is essential to install security updates for all software in use promptly and to train personnel regularly in recognizing phishing emails and malicious attachments. In addition, strict control over the use of third-party tools and services in the corporate infrastructure is required. Only a comprehensive approach to cybersecurity can provide reliable protection against sophisticated attacks by modern hackers.