The notorious Russian threat actor Cozy Bear, also known as APT29, has recently set its sights on European embassies. This time the group is exploiting CVE-2023-38831, a recently disclosed WinRAR vulnerability. Amid the current geopolitical tensions involving Russia, Cozy Bear has run an email spear-phishing campaign disguised as a “diplomatic BMW car for sale” message. Consistent with its role as a Russian state-backed intelligence group, the campaign shows clear motives and is aimed at specific individuals. The targets include, but are not limited to, diplomatic accounts at the Greek and Romanian embassies, as well as the Azerbaijani and Italian Ministries of Foreign Affairs.
Cozy Bear has a notorious history of targeting high-profile entities, with its origins tracing back to 2008.
To provide context for this group: it has previously carried out attacks on the US White House and orchestrated one of the most significant cyberattacks in history. Acting as a proxy for Russia’s Foreign Intelligence Service (SVR), Cozy Bear played the leading role in the SolarWinds supply-chain compromise, one of the most effective cyber assaults to date.
The group’s penchant for spear-phishing operations is noteworthy. Their attacks are distinguished by highly customized and intricate phishing campaigns aimed at specific individuals. Leveraging a robust network and ample resources, Cozy Bear crafts convincing phishing campaigns capable of deceiving even those well-versed in identifying such threats. The main goal of the group is to gather intelligence while remaining undetected for prolonged periods. They prefer to use highly sophisticated phishing tactics to target influential individuals, all to provide valuable intel to Russia’s Foreign Intelligence Service (SVR).
Cozy Bear’s historical activity reveals a pattern of heightened engagement during periods of geopolitical tension, and the current incident is no exception. In this latest attack, Cozy Bear strategically pinpointed entities capable of providing valuable information on Azerbaijan’s recent activities. The longstanding conflict between Azerbaijan and Armenia over Nagorno-Karabakh, a region with an Armenian majority, has resulted in recent geopolitical shifts. Azerbaijan’s control over Nagorno-Karabakh has led to the displacement of many Armenians, and despite international efforts, the situation remains tense, indicating a potential for renewed conflict and regional instability.
In this specific attack, APT29 targeted 200 email addresses with a phishing email disguised as a BMW car sale announcement. The email carried an attachment titled “DIPLOMATIC-CAR-FOR-SALE-BMW.rar”. Files within the RAR archive exploited CVE-2023-38831, which affects WinRAR versions prior to 6.23. The vulnerability is a logic flaw in how WinRAR expands files into a temporary directory while processing a crafted archive. It lets a malicious executable be hidden alongside a seemingly innocuous file, such as a PDF or JPG, inside a ZIP archive. When the user opens such a file from WinRAR’s interface, the program inadvertently executes the malicious payload instead of the intended document.
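As an added, defensive example that is not from the article or the cited report: a Python scanner that checks a ZIP archive for the CVE-2023-38831 lure layout described above (a decoy document next to a folder whose name matches the decoy, holding a script that also carries the decoy’s name) and flags it for triage. The file names, the extension lists and the archives it builds are constructed for this demonstration.

```python
import io
import posixpath
import zipfile

# File types Windows would run when WinRAR launches them from its temp dir.
EXEC_EXT = {".cmd", ".bat", ".exe", ".com", ".ps1", ".vbs", ".js", ".scr", ".lnk"}
# Harmless-looking document types typically used as the decoy.
DECOY_EXT = {".pdf", ".jpg", ".jpeg", ".png", ".txt", ".doc", ".docx"}


def find_cve_2023_38831_pattern(data: bytes) -> list:
    """Return decoy names whose archive layout matches the CVE-2023-38831 lure.

    Pattern: a top-level decoy file (e.g. 'lure.pdf') plus a directory whose
    name equals the decoy name once trailing whitespace is stripped, which
    contains an executable/script whose name begins with the decoy name.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    decoys = {n for n in names
              if "/" not in n and posixpath.splitext(n)[1].lower() in DECOY_EXT}
    hits = set()
    for n in names:
        if "/" not in n or n.endswith("/"):
            continue                      # top-level file or bare directory entry
        folder, leaf = n.rsplit("/", 1)
        candidate = folder.rstrip()       # 'lure.pdf ' -> 'lure.pdf'
        if (candidate in decoys and leaf.startswith(candidate)
                and posixpath.splitext(leaf)[1].lower() in EXEC_EXT):
            hits.add(candidate)
    return sorted(hits)


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure layout; the script is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("lure.pdf /lure.pdf .cmd", b"echo constructed sample\r\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("images/photo.jpg", b"\xff\xd8\xff")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_cve_2023_38831_pattern(build_sample_archive()))  # ['lure.pdf']
    print(find_cve_2023_38831_pattern(build_clean_archive()))   # []
```

The real lure arrived as a .rar file; the same entry-name check works on RAR archives via the third-party rarfile package, which exposes a compatible namelist().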
A National Security and Defense Council of Ukraine report says, “In the context of this particular attack, a script is executed, generating a PDF file featuring the lure theme of a BMW car for sale. Simultaneously, in the background, a PowerShell script is downloaded and executed from the next-stage payload server. Notably, the attackers introduced a novel technique for communicating with the malicious server, employing a Ngrok free static domain to access their server hosted on their Ngrok instance”.
Originally designed to securely expose local network ports to the internet, Ngrok has become a tool that adversaries repurpose for malicious ends. In this attack, Ngrok was used to host the next-stage PowerShell payloads and to establish a covert communication channel. Attackers take advantage of Ngrok’s free static domains, using subdomains as discreet rendezvous points for their infrastructure. Because the traffic terminates at a legitimate, widely used service, this blends their activity with normal traffic, hampers detection and attribution, and thereby complicates defense efforts.
Identified as a critical security flaw, CVE-2023-38831 poses a significant risk, particularly in earlier versions of RARLab’s WinRAR software released before version 6.23. This vulnerability is actively being exploited in real-world incidents, and it’s not the first instance Cozy Bear has taken advantage of this specific vulnerability. The trend of Russian intelligence groups exploiting this vulnerability has become a cause for concern.