The vulnerability has been exploited as a zero-day since April by threat actors targeting cryptocurrency and stock trading forums.
APT29 has used the BMW car ad phishing lure before to target diplomats in Ukraine during a campaign in May that delivered ISO payloads through the HTML smuggling technique.
By using this method, the attackers managed to hide their activity and communicate with compromised systems without the risk of being detected.
A report from Google in October notes that the security issue was exploited by Russian and Chinese state hackers to steal credentials and other sensitive data, as well as to establish persistence on target systems.
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
The Ukrainian NDSC says that the observed campaign from APT29 stands out because it mixes old and new techniques.
The report from the Ukrainian agency provides a set of indicators of compromise (IoCs) consisting of filenames and corresponding hashes for PowerShell scripts and an email file, along with domains and email addresses.
In these attacks, the Ukrainian NDSC says that APT29 combined the old phishing tactic with a novel technique to enable communication with the malicious server.
NDSC says that the Russian hackers used an Ngrok free static domain (a new feature Ngrok announced on August 16) to access the command and control (C2) server hosted on their Ngrok instance.
https://ngrok.com/blog-post/free-static-domains-ngrok-users