Arming WinRAR: deep dive into APTs exploiting WinRAR’s 0-day vulnerability - a SideCopy case study

By Sathwik RAM Prakki on 02 Oct 2024 @ Virusbulletin
📊 Presentation 📄 Whitepaper 📹 Video 🔗 Link
#reverse-engineering #apt #malware-reverse-engineering
Focus Areas: 🦠 Malware Analysis , 🔬 Reverse Engineering , 🕵️ Threat Intelligence

Presentation Material

Abstract

In the aftermath of the disclosure of vulnerabilities within WinRAR, a concerning trend has emerged wherein multiple advanced persistent threat (APT) groups and malicious actors have leveraged these weaknesses to launch targeted attacks on critical sectors spanning various nations. This presentation delves into the exploitation of a specific WinRAR vulnerability, CVE-2023-38831, offering insights into the vulnerability and the tactics employed by threat actors who disseminate malicious ZIP archives through phishing campaigns. Focusing on a notable case study involving the SideCopy APT, this talk explores the intricacies of how WinRAR is weaponized to compromise the security of entities in India. The examination includes a detailed dissection of payloads such as AllaKore RAT, DRat, Key RAT, Double Action and Ares RAT, strategically deployed in a sophisticated multi-platform attack campaign featuring diverse decoys and a consistent naming convention. Furthermore, this presentation sheds light on the discovery of the infrastructure utilized by SideCopy APT, revealing insights into the group’s modus operandi. Specific aspects of interest include the systematic reuse of IP addresses across multiple campaigns throughout the year, the utilization of various compromised domains as hosts for payloads, and the identification of shared code with the parent APT group Transparent Tribe (APT36).

AI Generated Summary

This presentation details the exploitation of CVE-2023-38831, a logical vulnerability in WinRAR (versions <6.23, CVSS 7.8), by multiple advanced persistent threat (APT) groups, with a specific case study on the Pakistan-linked SideCopy APT targeting India. The vulnerability allows arbitrary code execution by crafting a ZIP archive containing a folder and a file with identical names, where a whitespace in the file extension causes both a benign decoy and a malicious payload to be extracted to the temp directory and executed.
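The archive shape described above is something a mail gateway or sandbox can check for statically: a top-level file and a top-level folder with an identical name can never both exist on a real file system, so the pairing is anomalous by itself, and trailing whitespace in that name is the trait the summary calls out for CVE-2023-38831. The following Python scanner is an added example written for this page, not code from the talk, the author or any referenced project; the entry names `Invoice.pdf ` and `readme.txt` are constructed samples with placeholder contents, not indicators from any real campaign.

```python
import io
import zipfile
from typing import Dict, List


def scan_archive(data: bytes) -> List[Dict[str, object]]:
    """Flag ZIP archives in which a top-level file and a top-level folder
    share an identical name. Each finding records the colliding name,
    whether it carries trailing whitespace (the CVE-2023-38831 trait), and
    the entries nested under the folder so an analyst can see what would
    be dropped next to the decoy on extraction."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # Top-level file entries: no path separator at all (directory entries end in "/").
    top_files = [n for n in names if "/" not in n]
    for f in top_files:
        prefix = f + "/"
        nested = [n for n in names if n.startswith(prefix) and n != prefix]
        if not nested:
            continue  # plain file, no folder of the same name
        findings.append({
            "file": f,
            "trailing_whitespace": f != f.rstrip(),
            "nested": sorted(nested),
        })
    return findings


def build_sample(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry name: content}. Used only to
    construct the labelled samples below; not derived from a real archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: file and folder share the name "Invoice.pdf " (trailing space);
# the nested entry is a harmless placeholder, not a payload.
CONSTRUCTED_SUSPECT = build_sample({
    "Invoice.pdf ": b"%PDF-1.4 placeholder decoy",
    "Invoice.pdf /Invoice.pdf .cmd": b"rem placeholder text, not a payload",
    "readme.txt": b"constructed benign entry",
})

# Constructed sample: ordinary archive with a file and an unrelated subfolder.
CONSTRUCTED_BENIGN = build_sample({
    "report.pdf": b"%PDF-1.4 placeholder",
    "docs/report.pdf": b"%PDF-1.4 placeholder copy",
})

if __name__ == "__main__":
    for label, blob in (("suspect", CONSTRUCTED_SUSPECT), ("benign", CONSTRUCTED_BENIGN)):
        print(label, scan_archive(blob))
```

The check reads only the central directory, so it is cheap enough to run on every inbound ZIP; a hit on `trailing_whitespace` together with a nested script-like entry is the pattern worth routing to analyst review, while a name collision without whitespace is still worth logging because no legitimate archiver produces it.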

SideCopy’s campaigns utilize spear-phishing emails with malicious ZIP archives. Initial access often involves a shortcut (LNK) file triggering an HTA file, which dynamically loads DLLs or .NET-based remote access tools (RATs) like AlorRat, D-RAT, ActionRAT, and Kyat directly into memory via mshta.exe. The group demonstrates a dual Windows and Linux targeting capability, deploying Go-based ELF loaders for Linux systems. A key finding is the strong operational correlation between SideCopy and APT36 (Transparent Tribe). Shared infrastructure (C2 servers in Germany, compromised domains), overlapping lure themes (Indian Ministry of Defense, tax filings, university assignments), and similar payloads (CrimsonRAT, Posidon, Discomoji) confirm a subgroup relationship. Both groups increasingly target educational sectors alongside government and defense entities.

The research reveals a trend of APTs weaponizing a single, easily crafted vulnerability across numerous campaigns post-disclosure. They extensively reuse open-source tools and frameworks, frequently repack and obfuscate payloads to evade detection, and adapt lures to current regional events. Practical

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.