Russia’s APT29 Targets Embassies With Ngrok and WinRAR Exploit


Ukrainian security researchers have revealed a major new Russian cyber-espionage campaign which they claim may have been designed to harvest information on Azerbaijan’s military strategy.

APT29 (aka Cozy Bear, Nobelium and many other monikers) was behind the attacks, according to a new report from the Ukrainian National Security and Defense Council (NDSC).

It targeted embassies in Azerbaijan, Greece, Romania and Italy, as well as international institutions such as the World Bank, European Commission, Council of Europe, WHO, UN and others.

“The geopolitical implications are profound. Among the several conceivable motives, one of the most apparent aims of the SVR might be to gather intelligence concerning Azerbaijan’s strategic activities, especially in the lead-up to the Azerbaijani invasion of Nagorno-Karabakh,” said the NDSC.

“It’s noteworthy that the countries targeted – Azerbaijan, Greece, Romania, and Italy – maintain significant political and economic ties with Azerbaijan.”


The campaign itself began as a spear-phishing email, using the lure of a diplomatic car for sale. The RAR attachment featured CVE-2023-3883, a bug which enables threat actors to insert malicious folders with the same name as benign files in a .zip archive.

“In the course of the user’s effort to open the harmless file, the system unwittingly processes the concealed malicious content within the folder with a matching name, thus enabling the execution of arbitrary code,” the NDSC explained.
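As an added defender-side example (not part of the NDSC report or this article), the following Python script checks a ZIP archive for the structure the quote describes: a folder whose name matches a benign file in the same archive, apart from trailing whitespace, with a script-like file inside it. The sample archives are constructed in memory; the trailing-space convention, the script-extension list and the helper names are assumptions, and ZIP is used because the Python standard library cannot parse RAR.

```python
import io
import zipfile

# Extensions a payload hidden inside a colliding folder would typically use (assumption).
SCRIPT_SUFFIXES = (".cmd", ".bat", ".exe", ".vbs", ".ps1", ".js", ".scr", ".hta", ".wsf", ".com")


def find_decoy_collisions(zip_bytes: bytes) -> list[tuple[str, str, bool]]:
    """Return (decoy_file, nested_file, looks_like_script) triples for every
    file whose parent folder name equals another archived file's name once
    trailing spaces are ignored.  A clean archive yields an empty list."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [info.filename for info in zf.infolist() if not info.is_dir()]

    # Index files (at any depth) by their name with trailing spaces stripped.
    by_norm: dict[str, list[str]] = {}
    for name in files:
        by_norm.setdefault(name.rstrip(" "), []).append(name)

    findings = []
    for name in files:
        if "/" not in name:
            continue  # top-level file, cannot be "inside" a colliding folder
        parent, leaf = name.rsplit("/", 1)
        for decoy in by_norm.get(parent.rstrip(" "), []):
            if decoy != name:
                findings.append((decoy, name, leaf.lower().endswith(SCRIPT_SUFFIXES)))
    return sorted(findings)


def build_sample(malicious: bool) -> bytes:
    """Constructed test data: a decoy PDF plus, when malicious=True, a folder named
    like the decoy with a trailing space that holds a placeholder .cmd file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("car.pdf", b"%PDF-1.4 constructed decoy document")
        if malicious:
            zf.writestr("car.pdf /car.pdf .cmd", b"rem constructed placeholder, not a real payload\r\n")
        else:
            zf.writestr("photos/front.jpg", b"\xff\xd8\xff constructed image stub")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("suspicious", build_sample(True)), ("clean", build_sample(False))):
        hits = find_decoy_collisions(blob)
        print(f"{label}: {hits if hits else 'no decoy/folder name collisions'}")
```

The check is deliberately structural: it does not need the archive tool's behaviour, only the central directory, so it can run in a mail gateway or sandbox pre-filter on any ZIP before a user ever opens it.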

In this attack, when a user clicks on the RAR archive contained in the phishing email it will execute a script to display a PDF of the car ‘for sale,’ whilst simultaneously downloading and executing a PowerShell script. The threat actors apparently use an Ngrok free static domain to access their malicious payload server hosted on an Ngrok instance.

“By exploiting Ngrok’s capabilities in this manner, threat actors can further complicate cybersecurity efforts and remain under the radar, making defense and attribution more challenging,” noted the report.

This isn’t the first time hackers have exploited CVE-2023-3883. It was observed being exploited by the Russian Sednit APT group (APT28) in August, shortly after Group-IB first notified about what was then a zero-day vulnerability.
