Russian Hackers Use Ngrok Feature and WinRAR Exploit to Attack Embassies

Cyber Security Threat Summary:
APT29, a Russian state-sponsored actor has been leveraging WinRAR vulnerability CVE-2023-38831 in cyber attacks. Specifically, the group has been targeting embassy entities with BMW car sale lures. The vulnerability has been exploited by various groups as a zero-day since April, mostly going after cryptocurrency and stock trading forums.

Ukraine’s National Security and Defense Council (NDSC) released details on the recent campaign, highlighting the use of malicious ZIP archives that run a script in the background to show a PDF lure and to download PowerShell code that will execute the payload.

The malicious archive is called “DIPLOMATIC-CAR-FOR-SALE-BMW[.]pdf” and targeted multiple countries on the European continent, including Azerbaijan, Greece, Romania, and Italy.

Security Officer Comments:
This is not the first time APT29 has used the BMW car ad phishing lure, previously targeting diplomats in Ukraine in May to deliver ISO payloads through a HTML smuggling technique. APT29 uses phishing techniques to enable communications with their server. NDSC says that the Russian hackers used a Ngrok free static domain (a new feature Ngrok announced on August 16) to access the command and control (C2) server hosted on their Ngrok instance. “In this nefarious tactic, they utilize Ngrok's services by utilizing free static domains provided by Ngrok, typically in the form of a subdomain under "" These subdomains act as discrete and inconspicuous rendezvous points for their malicious payloads.” This method allows that actors to hide their activities and communicate with compromised systems without being detected.

The Ukrainian NDSC says that the observed campaign from APT29 stands out because it mixes old and new techniques such as the use of the WinRAR vulnerability to deliver payloads and Ngrok services to hide communication with the C2.

Suggested Correction(s):
The report from the Ukrainian agency provides a set of indicators of compromise (IoCs) consisting of filenames and corresponding hashes for PowerShell scripts and an email file, along with domains and email addresses.

LPDF: attacks Embassies using CVE-2023-38831 - report en.pdf