Using the WinRAR exploit to attack Ukrainian companies using LONEPAGE malware

25 December 2023 2 minutes Author: Newsman

The attacker, known as UAC-0099, is linked to an attack on Ukraine, part of which exploits a serious vulnerability in the WinRAR software to deliver a type of malware called LONPAGE

“The attackers are targeting Ukrainian employees who work in companies outside of Ukraine,” says the report of the cyber security company Deep Instinct. UAC-0099 was first documented by the Ukrainian Computer Emergency Response Team (CERT-UA) in June 2023, detailing espionage-motivated attacks on government organizations and media. The attack chain uses phishing emails containing HTA, RAR, and LNK file attachments that can communicate with control (C2) servers to obtain additional useful data such as keyloggers, ransomware, and screenshot malware LONEPAGE, a malicious Visual Basic Script (VBS) software was deployed. CERT-UA said at the time that “between 2022 and 2023, the group gained unauthorized remote access to dozens of computers in Ukraine.”

According to Deep Instinct’s latest analysis, the use of HTA attachments is only one of three different infection chains, the other two using self-extracting archives (SFX) and trapped ZIP files ZIP files are vulnerable to the WinRAR vulnerability (CVE-2023- 38831 , CVSS score: 7.8), which is used to distribute LONEPAGE. In the first case, the SFX file contains an LNK shortcut disguised as a DOCX file using a Microsoft WordPad icon, which forces the victim to open it and execute malicious PowerShell code to remove the LONEPAGE malware.

Another series of attacks used a specially crafted ZIP archive that CVE-2023-38831 applies to, and Deep Instinct discovered two such artificial objects created by UAC-0099 on August 5, 2023, three days after WinRAR developers released patch for this bug Two such objects were detected. The way UAC-0099 works is simple but effective. Although the initial infection vector is different, the essence of the infection is the same – creating a scheduled task that executes PowerShell and VBS files.

Other related articles
Read more
How do technologies shape the future of art?
Immerse yourself in a world where art and technology merge into one at the NGV Triennial in Melbourne. In this article, you will learn about a unique exhibition where the works of Boston Dynamics are transformed into artists under the guidance of the artist Agnieszka Pilat.
Found an error?
If you find an error, take a screenshot and send it to the bot.