A threat actor has been observed exploiting a recently patched zero-day vulnerability in WinRAR in credential harvesting operations. Researchers with Cluster25 have linked the campaign to a Russian nation-state actor most commonly known as APT28 or Fancy Bear.
The phishing attack uses malicious archive files that exploit CVE-2023-38831, a vulnerability in WinRAR versions prior to 6.23. The flaw lets an attacker craft an archive in which a harmless-looking decoy file (one that appears to be a .jpeg, .txt or similar document) sits next to a folder of the same name that holds an executable; when the victim double-clicks the decoy inside WinRAR, the executable in the folder is launched instead of the document.
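The layout described above can be checked for statically before an archive is opened. The following is an added example, not code from the article or from Cluster25: it builds a small ZIP in memory with the decoy-plus-same-named-folder structure (the sample archive and the extension list are constructed for this example) and scans the entry names for that pattern. The helper names are this example's own.

```python
"""Static check for the CVE-2023-38831 archive layout (added example)."""
import io
import posixpath
import zipfile

# Extensions Windows will run via ShellExecute; the list is an assumption for this example.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def build_sample_archive(malicious: bool = True) -> bytes:
    """Construct a ZIP in memory. Sample data only, not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # Decoy document whose name carries a trailing space ...
            zf.writestr("IoC_list.pdf ", b"%PDF-1.4 decoy")
            # ... and a folder of the same name holding a script with the same stem.
            zf.writestr("IoC_list.pdf /IoC_list.pdf .cmd", b"@echo off\r\necho demo\r\n")
        else:
            # Ordinary archive: a document and an unrelated folder.
            zf.writestr("IoC_list.pdf", b"%PDF-1.4 report")
            zf.writestr("images/logo.png", b"\x89PNG demo")
    return buf.getvalue()


def find_spoofed_entries(data: bytes) -> list[tuple[str, str]]:
    """Return (decoy, script) pairs.

    A pair is a top-level file entry and an executable entry living inside a
    top-level folder whose name equals the decoy's name once trailing
    whitespace is ignored, which is the shape the exploit relies on.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [n for n in zf.namelist() if not n.endswith("/")]
        # Candidate decoys: top-level files, keyed by their name minus trailing spaces.
        decoys = {n.rstrip(): n for n in files if "/" not in n}
        for name in files:
            if "/" not in name:
                continue
            top_folder, _, leaf = name.partition("/")
            leaf = leaf.rsplit("/", 1)[-1]
            ext = posixpath.splitext(leaf.rstrip())[1].lower()
            if top_folder.rstrip() in decoys and ext in EXECUTABLE_EXTS:
                findings.append((decoys[top_folder.rstrip()], name))
    return findings


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        hits = find_spoofed_entries(build_sample_archive(flag))
        print(f"{label}: {hits or 'no suspicious pairs'}")
```

The check deliberately compares names with trailing whitespace stripped, because the trailing space is what makes the decoy and the folder collide once the archive is unpacked and the decoy is handed to the shell. Any archive that triggers it should be treated as hostile and opened only with a patched WinRAR, if at all.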
The attack starts with an archive containing a PDF lure; opening the PDF triggers execution of a BAT script. That script launches PowerShell commands that open a reverse shell, giving the attacker access to the targeted machine, and runs a second PowerShell script that steals data, including saved login credentials, from the Google Chrome and Microsoft Edge browsers. The stolen data is exfiltrated through the legitimate web service webhook[.]site.
“The BAT script first launches a background command of WinRAR to extract its content in the %TEMP% directory, then it deletes the script file from it and opens the PDF file to show the lure to the victim. The latter shows a list of IoCs containing domain names and hashes related to different malware, including SmokeLoader, Nanocore RAT, Crimson RAT and AgentTesla,” the researchers explained.
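The chain above leaves a distinctive process tree on the endpoint: WinRAR unpacks the opened archive into a temporary Rar$ folder and ends up launching a script host from it, which in turn spawns PowerShell. The following is an added example, not code from the article or from Cluster25, that runs that logic over a handful of constructed process-creation events. The event dictionaries mimic Sysmon Event ID 1 style fields; the field names, the sample paths and the alert wording are this example's own assumptions.

```python
"""Flag the CVE-2023-38831 execution chain in process-creation events (added example)."""
import re

# WinRAR unpacks an opened archive into %TEMP%\Rar$<...>\ before handing the
# file to the shell; a script host started from there is the exploit's first hop.
RAR_TEMP = re.compile(r"\\temp\\rar\$[^\\]*\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry). pid/ppid link the tree.
EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\IoC_list.zip"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Rar$DIa1234.56789\IoC_list.pdf .cmd"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "Get-Date"'},
    # Unrelated cmd.exe from a user shell: must not alert.
    {"pid": 200, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, reason) for events matching the WinRAR -> script host -> PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        # Hop 1: script host spawned by WinRAR with a Rar$ temp path on its command line.
        if parent and basename(parent["image"]) == "winrar.exe" and RAR_TEMP.search(e["cmdline"]):
            alerts.append((e["pid"], "script host launched by WinRAR from Rar$ temp folder"))
            continue
        # Hop 2: PowerShell whose grandparent is WinRAR (the BAT-to-PowerShell step).
        grand = by_pid.get(parent["ppid"]) if parent else None
        if grand and basename(grand["image"]) == "winrar.exe" and basename(e["image"]) in POWERSHELL:
            alerts.append((e["pid"], "PowerShell two hops below WinRAR"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"pid {pid}: {reason}")
```

The first rule on its own is the high-confidence one; the second catches the case where the script host's command line was not logged or was truncated. Neither rule keys on the lure's file name, since that changes per campaign, and both are written to be folded into a Sigma rule or an EDR query over the same fields.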
More technical details, along with indicators of compromise for the observed campaign, can be found in Cluster25's report.