WINRAR RCE VULNERABILITY SPOTLIGHT: APT29’S ZERO-DAY TACTICS



Introduction

During the beginning of September 2023, APT29, a group linked with Russia’s Foreign Intelligence Service (SVR) conducted a cyberattack targeting the embassies of several countries such as Azerbaijan, Romania, Italy and Greece. In order to gain initial access, the group exploited a Remote Code Execution vulnerability in WinRAR, recorded as CVE-2023-38831. This article will discuss the technical details behind the initial access aspects of this attack whilst also taking into account the socio-political context. Moreover, this article will provide detailed steps for manually exploiting CVE-2023-38831.

The Attack

APT29 used a phishing campaign to distribute the RAR file which provided initial access. The phishing campaign was built around an internal sale of a BMW vehicle. Over 200 emails were sent as part of the campaign. The archive contained a PDF file with technical details about the vehicle, alongside a folder with the same name as the PDF. Upon opening the PDF, a PowerShell script was automatically downloaded from the payload server and executed in the background using IEX.

Socio-Political Implications

The motive of this attack is likely cyberespionage. APT29 most likely aimed to gather intelligence concerning Azerbaijan’s strategic activities related to the Azerbaijani offensive in Nagorno-Karabakh. The other targeted countries, including Romania, Greece and Italy, hold strong diplomatic ties with Azerbaijan. RARLabs released an updated version of WinRAR in August 2023, fixing CVE-2023-38831. However, there are indications that threat actors were exploiting this issue in early 2023, before it was known publicly. Moreover, APT29 is not the only group seen to exploit this issue. During the same timeframe, APT28, another group associated with the Russian government, impersonated Ukrainian drone training school to deliver Rhadamanthys infostealer via CVE-2023-38831.

APTs have a high demand for zero-day vulnerabilities. Exploiting high-risk vulnerabilities before they are public has a high strategic impact for government-backed APTs. In this particular case, the attack was not used for financial gain, but rather for cyberespionage. Currently, the global landscape of cybersecurity bears a theme of threat actors taking advantage of crises such as armed conflicts or natural disasters. Moreover, some of the armed conflicts are likely to move overwhelmingly to cyberspace. The low cost and high impact of cyberattacks is one of the main reasons for transitioning conflicts into cyberspace. Another reason may be the persistent attribution challenges in cybersecurity. Tracing the source of the attack is challenging in cyber, potentially facilitating False Flag Operations (more on this in another article).

Exploiting CVE-2023-38831

This section will present the steps used for exploiting the RCE in WinRAR.

Make sure you are using WinRAR <=6.22

CVE-2023-38831 only applies to WinRAR versions below 6.23.

Set up the prerequisites

In order to exploit this issue we will use an arbitrary PDF file, which we will call bmw_m4.pdf, placed in the Documents folder. We then create a folder with the same name as the PDF (bmw_m4.pdf). Inside the folder, we place a CMD file called “bmw_m4.pdf .cmd” (note that there is a space before the “.cmd”). The CMD file that we used contains only one line, “calc.exe”; however, any batch payload can be used.

Create the archive

The following screenshots highlight the steps for creating the archive.

Step 1. Create a folder with a name ending in “.pdf” and add it to a WinRAR archive

[Screenshot]

Step 2. Append a legitimate PDF file to the archive, making sure to give it the same name as the folder

[Screenshots]

Step 3. Rename the folder and add a trailing space at the end of its name

[Screenshot]

When we attempt to open the PDF, our CMD payload is executed instead:

[Screenshot]

Vulnerability Assessment

When a user double-clicks “bmw_m4.pdf” in WinRAR’s UI, WinRAR will instead execute “bmw_m4.pdf /bmw_m4.pdf .cmd”. This occurs because WinRAR identifies files requiring temporary expansion by iterating through all archive entries. If a directory shares the name of the chosen entry, both the selected file and the directory’s files are extracted to the root of a random temporary directory. WinRAR then invokes ShellExecuteExW, providing the temporary directory’s path. The trailing space in the path causes ShellExecuteExW to invoke ApplyDefaultExts, which executes the first file with a PIF, COM, EXE, BAT, LNK, or CMD extension. This behaviour can be seen in the following screenshot from ProcMon:

[Screenshot: ProcMon]
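The archive layout described in the steps above (a file entry plus a same-named directory with a trailing space holding an executable) is also the pattern a defender can look for before an archive ever reaches WinRAR. The following Python scanner is an added example, not code from the original article or from RARLabs: it checks entry names for exactly that layout. It works on ZIP containers because the standard library can build and read them offline; the naming check itself does not depend on the container format. The sample archive it builds is constructed for the demonstration with placeholder contents. The check is deliberately broader than the ApplyDefaultExts lookup: it flags any executable-extension file inside the shadow directory, not only one whose name exactly mirrors the decoy.

```python
import io
import posixpath
import zipfile

# Extensions that ShellExecuteExW's default-extension lookup will run
# (the list from the vulnerability assessment above).
EXECUTABLE_EXTS = {".pif", ".com", ".exe", ".bat", ".lnk", ".cmd"}


def find_cve_2023_38831_patterns(names):
    """Return (decoy_file, executable_entry) pairs for an archive whose
    entry names follow the CVE-2023-38831 layout: a file entry, plus a
    directory named "<that file name> " (trailing space) that contains a
    file with an executable extension."""
    names = [n.replace("\\", "/") for n in names]
    files = [n for n in names if not n.endswith("/")]
    findings = []
    for decoy in files:
        base = posixpath.basename(decoy)
        parent = posixpath.dirname(decoy)
        # The directory WinRAR confuses with the decoy: "<name> /"
        shadow_dir = (parent + "/" if parent else "") + base + " /"
        for other in files:
            if not other.startswith(shadow_dir):
                continue
            inner = other[len(shadow_dir):]
            if "/" in inner:
                continue  # nested deeper; not extracted next to the decoy
            ext = posixpath.splitext(inner)[1].lower()
            if ext in EXECUTABLE_EXTS:
                findings.append((decoy, other))
    return findings


def scan_zip_bytes(data):
    """Scan an in-memory ZIP archive and return the suspicious pairs."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_cve_2023_38831_patterns(zf.namelist())


def build_sample_archive():
    """Constructed sample (not a real campaign artifact): the layout from the
    walkthrough above, with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bmw_m4.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("bmw_m4.pdf /bmw_m4.pdf .cmd", b"rem placeholder\r\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed benign archive: a PDF beside an ordinary folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bmw_m4.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("bmw_m4_images/front.jpg", b"\xff\xd8 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()),
                        ("benign", build_benign_archive())):
        hits = scan_zip_bytes(data)
        print(f"{label}: {'SUSPICIOUS' if hits else 'clean'} {hits}")
```

Run against a file on disk by passing its bytes to `scan_zip_bytes`; a non-empty result is the flag to quarantine the archive or route it for analysis. A patched WinRAR (6.23 or later) is still the primary fix, since this check only covers the naming pattern and not every way the extraction bug could be triggered.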

So, if we want a PDF to actually open when double-clicking the PDF (while the malicious payload runs in the background), we may place the PDF as hex into temp.txt and modify our CMD payload as follows:

certutil -f -decodehex temp.txt bmw_m4.pdf >nul
del temp.txt
bmw_m4.pdf
calc.exe
del bmw_m4.pdf

Conclusion

This attack chained together human vulnerabilities (social engineering) and technical vulnerabilities (WinRAR RCE). Institutions such as embassies, universities, power plants and many others are prime targets for cyber espionage, especially during times of geopolitical tensions. Thus, it is imperative for members of staff to be aware of potential security issues and undertake security training. Moreover, it is equally important for IT teams to ensure that all software is up-to-date and that vulnerability scans and penetration tests are conducted regularly. However, one should keep in mind that state-sponsored actors can still have zero-days up their sleeves.

Originally published by Matei Josephs: WINRAR RCE VULNERABILITY SPOTLIGHT: APT29’S ZERO-DAY TACTICS

Copyright notice: posted by admin on 26 February 2024, 11:40 PM.
