15 November 2023

Russian hackers used WinRAR zero-day to spy on embassies across Europe


APT29, a nation-state cyberespionage group linked to Russia’s Foreign Intelligence Service (SVR), has been observed exploiting CVE-2023-38831, a WinRAR file archiver vulnerability that was abused as a zero-day before WinRAR 6.23 fixed it in August 2023, to infiltrate embassies across Europe, including in Azerbaijan, Greece, Romania, and Italy. Besides diplomatic missions, the group has also targeted major international organizations and internet service providers.

“The geopolitical implications are profound. Among the several conceivable motives, one of the most apparent aims of the SVR might be to gather intelligence concerning Azerbaijan's strategic activities, especially in the lead-up to the Azerbaijani invasion of Nagorno-Karabakh,” Ukraine’s National Cyber Security Coordination Center (NCSCC) noted in a report.

“It's noteworthy that the countries targeted—Azerbaijan, Greece, Romania, and Italy—maintain significant political and economic ties with Azerbaijan. In a noteworthy development, Azerbaijan had recently struck an agreement to procure military aircraft from Italy, marking a rare arms deal with a Western nation.”

APT29’s phishing emails carried archives posing as photos and documents for a BMW car sale, a lure meant to draw in unsuspecting recipients. The archives were crafted to exploit the WinRAR RCE flaw (CVE-2023-38831): each contains a decoy file and a folder of the same name holding a script, and when the victim double-clicks the decoy inside a vulnerable WinRAR, the folder's contents are extracted and executed alongside it, giving the attackers code execution on the compromised system.

Once the archive is opened, the script runs and displays a PDF claiming to advertise a BMW car for sale. In the background it fetches a PowerShell script from the next-stage payload server and executes it. For communication with the malicious server the threat actor used a technique not previously seen from the group: a free static Ngrok domain that tunnels to a server behind their Ngrok instance.
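As an added example (not code from the article or the NCSCC report), the following Python scanner checks a ZIP for the layout those lures depend on: a top-level decoy file beside a directory of the same name whose entries start with the decoy name and end in an executable extension. The archive and file names, the inert .cmd payload, and the extension list beyond .cmd are constructed assumptions; the sample archives are built in memory so the script runs offline.

```python
"""Spot the archive layout that CVE-2023-38831 lures rely on.

Added example, not from the NCSCC report or the article. Before WinRAR 6.23,
double-clicking a decoy file that shares its name with a folder in the same
archive made WinRAR extract the folder's contents too, and the same-named
script inside it was what actually ran.
"""
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute. The in-the-wild lures used .cmd; the rest
# of the list is an assumption added to widen coverage.
EXECUTABLE_SUFFIXES = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr", ".hta")


def find_38831_layout(zip_bytes: bytes) -> List[str]:
    """Return top-level decoy names that pair with a same-named directory
    holding an executable whose name starts with the decoy name.
    An empty list means the pattern is absent."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # Key every entry by its top-level component with trailing whitespace
    # removed: the lures use a trailing space so that file and folder look
    # identical in the WinRAR listing.
    decoys: Dict[str, str] = {}          # key -> original decoy entry name
    children: Dict[str, List[str]] = {}  # key -> leaf names under that folder
    for n in names:
        if n.endswith("/"):
            continue                      # explicit directory entry, no payload
        top, sep, rest = n.partition("/")
        key = top.rstrip().lower()
        if not sep:
            decoys[key] = n               # file at the archive root
        else:
            children.setdefault(key, []).append(rest.rsplit("/", 1)[-1])

    hits = []
    for key, decoy in decoys.items():
        for child in children.get(key, []):
            c = child.lower()
            if c.startswith(key) and c.endswith(EXECUTABLE_SUFFIXES):
                hits.append(decoy)
                break
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed sample archive. The malicious variant mirrors the layout
    of the reported lures; names are invented and the payload is inert."""
    decoy = "BMW_5_Series_sale.pdf "      # trailing space is deliberate
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(decoy, b"%PDF-1.4\n% decoy document\n")
        if malicious:
            # Folder named exactly like the decoy, containing "<decoy>.cmd".
            zf.writestr(decoy + "/" + decoy + ".cmd",
                        b"@echo off\r\nrem constructed placeholder, not the real stager\r\n")
        else:
            zf.writestr("photos/front.jpg", b"\xff\xd8\xff")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        label = "malicious" if flag else "benign"
        print(label, "->", find_38831_layout(build_sample(flag)))
```

Matching on the whitespace-stripped, lower-cased name is what makes the check robust: a variant that drops the trailing space, or changes case, still pairs the decoy with its folder. A hit is only a layout match, not proof of exploitation, so in a mail gateway it should quarantine the attachment for analysis rather than serve as the sole verdict.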

“What makes this campaign particularly noteworthy is the synthesis of old and new techniques,” the agency noted. “APT29 continues to employ the BMW car for sale lure theme, a tactic that's been seen in the past. However, the deployment of the CVE-2023-38831 WinRAR vulnerability, a novel approach, reveals their adaptability to the evolving threat landscape. Additionally, their use of Ngrok services to establish covert communications emphasizes their determination to remain concealed.”
