During the beginning of September 2023, APT29, a group linked with Russia’s Foreign Intelligence Service (SVR) conducted a cyberattack targeting the embassies of several countries such as Azerbaijan, Romania, Italy and Greece. In order to gain initial access, the group exploited a Remote Code Execution vulnerability in WinRAR, recorded as CVE-2023-38831. This article will discuss the technical details behind the initial access aspects of this attack whilst also taking into account the socio-political context. Moreover, this article will provide detailed steps for manually exploiting CVE-2023-38831.
APT29 used a phishing campaign to distribute the RAR file which provided initial access. The phishing campaign was built around an internal sale of a BMW vehicle. Over 200 emails were sent as part of the campaign. The archive contained a PDF file with technical details about the vehicle, alongside a folder with the same name as the PDF. Upon opening the PDF, a PowerShell script was automatically downloaded from the payload server and executed in the background using IEX.
The motive of this attack is likely cyberespionage. APT29 most likely aimed to gather intelligence concerning Azerbaijan’s strategic activities related to the Azerbaijani offensive in Nagorno-Karabakh. The other targeted countries, including Romania, Greece and Italy, hold strong diplomatic ties with Azerbaijan. RARLabs released an updated version of WinRAR in August 2023, fixing CVE-2023-38831. However, there are indications that threat actors were exploiting this issue in early 2023, before it was known publicly. Moreover, APT29 is not the only group seen to exploit this issue. During the same timeframe, APT28, another group associated with the Russian government, impersonated Ukrainian drone training school to deliver Rhadamanthys infostealer via CVE-2023-38831.
APTs have a high demand for zero-day vulnerabilities. Exploiting high-risk vulnerabilities before they are public has a high strategic impact for government-backed APTs. In this particular case, the attack was not used for financial gain, but rather for cyberespionage. Currently, the global landscape of cybersecurity bears a theme of threat actors taking advantage of crises such as armed conflicts or natural disasters. Moreover, some of the armed conflicts are likely to move overwhelmingly to cyberspace. The low cost and high impact of cyberattacks is one of the main reasons for transitioning conflicts into cyberspace. Another reason may be the persistent attribution challenges in cybersecurity. Tracing the source of the attack is challenging in cyber, potentially facilitating False Flag Operations (more on this in another article).
This section will present the steps used for exploiting the RCE in WinRAR.
CVE-2023-38831 only applies to WinRAR versions bellow 6.23.
In order to exploit this issue we will use a random PDF file which we will call bmw_m4.pdf. We will place the PDF into the Document folder. We now created a folder with the same name as the PDF (bmw_m4.pdf). Inside the folder, we placed a CMD file called bmw_m4.pdf .cmd (note that there is a space before the “.cmd”). The CMD file that we used contains only one-line, that is “calc.exe”, however, any batch payload can be used.
The following screenshots highlight the steps for creating the archive.
Step 1. Create a folder with a name ending in “.pdf” and add it to a WinRAR archive
Step 2. Append a legitimate PDF file to the archive, making sure to give it the same name as the folder
Step 3. Rename the folder and add a trailing space at the end of its name
When we attempt to open the PDF, our CMD payload is executed instead:
When a user double clicks “bmw_m4.pdf” from WinRAR’s UI, WinRAR will instead execute “bmw_m4.pdf /bmw_m4.pdf .cmd“. This occurs because WinRAR identifies files requiring temporary expansion by iterating through all archive entries. If a directory shares the name of the chosen entry, both the selected file and the directory’s files are extracted to a random temporary directory’s root. WinRAR then invokes ShellExecuteExW, providing the temporary directory’s path. The trailing space in the path causes ShellExecuteExW to invoke ApplyDefaultExts, executing the first file with a PIF, COM, EXE, BAT, LNK, or CMD extension. This behaviour can be seen in the following screenshot from ProcMon:
So, if we want a PDF to actually open when double-clicking the PDF (while the malicious payload runs in the background), we may place the PDF as hex into temp.txt and modify our CMD payload as follows:
certutil -f -decodegex temp.txt bmw_m4.pdf >null
del temp.txt
bmw_m4.pdf
calc.exe
del bmw_m4.pdf
This attack chained together human vulnerabilities (social engineering) and technical vulnerabilities (WinRAR RCE). Institutions such as embassies, universities, power plants and many others are prime targets for cyber espionage, especially during times of geopolitical tensions. Thus, it is imperative for members of staff to be aware of potential security issues and undertake security training. Moreover, it is equally important for IT teams to ensure that all software is up-to-date and that vulnerability scans and penetration tests are conducted regularly. However, one should keep in mind that state-sponsored actors can still have zero-days up their sleeves.