APT29 Lures Victims with Fake BMW Ads in Latest Attack


The hacking collective APT29, also known as Cozy Bear and Midnight Blizzard, recently ran a campaign that combined counterfeit BMW advertisements as the lure, the Ngrok tunnelling tool for command and control, and exploitation of CVE-2023-38831, a vulnerability in the WinRAR archiver.

APT29 focuses on collecting intelligence on foreign governments by targeting senior officials. Similar operations using fake BMW ads as a lure had previously been recorded by researchers from Unit 42 and Mandiant. This time, however, the group's tradecraft was markedly different.

CVE-2023-38831, fixed in WinRAR 6.23 (released in August 2023), lets an attacker execute arbitrary code when a user opens what appears to be a benign file inside an archive. The malicious archive contains a decoy file (for example a PDF) and a folder with the same name, and the folder holds a script. When the user double-clicks the decoy, WinRAR extracts both the decoy and the folder's contents to a temporary directory, and a path-handling error causes it to launch the script from the folder instead of the decoy file, infecting the machine.


APT29 also used Ngrok to carry traffic between the infected device and its C2 server. Ngrok is a legitimate reverse-tunnelling service that exposes a local port to the internet through a public hostname hosted by ngrok. Because the agent makes an outbound connection to ngrok's infrastructure, and the resulting traffic goes to a reputable domain over TLS, it can sidestep inbound firewall rules and domain-reputation filtering. Specifically, APT29 used Ngrok's free static domains, which give a tunnel a fixed hostname instead of a random one on every start, to establish persistent and inconspicuous communication with its C2 server.
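One check a defender can run for the Ngrok abuse described above is to look for lookups of ngrok-hosted hostnames in DNS telemetry. The following is an added example, not code from the original article or from any vendor report on the campaign. The log format (timestamp, client IP, queried name) and the log lines themselves are constructed for the demo, and the list of ngrok domain suffixes is an assumption based on the well-known ones; extend it for your environment. Matching is done on label boundaries so that a lookalike such as "notngrok.io" is not flagged.

```python
import re

# Suffixes under which ngrok hands out tunnel hostnames (assumed, non-exhaustive list)
NGROK_SUFFIXES = ("ngrok.io", "ngrok.app", "ngrok-free.app", "ngrok.dev")

# Constructed sample DNS query log, not real telemetry: "<timestamp> <client> <qname>"
SAMPLE_DNS_LOG = """\
2023-11-20T09:14:02Z 10.20.5.17 www.bmw.com
2023-11-20T09:14:05Z 10.20.5.17 decisive-hawk-static.ngrok-free.app
2023-11-20T09:14:09Z 10.20.5.33 notngrok.io
2023-11-20T09:15:41Z 10.20.5.17 decisive-hawk-static.ngrok-free.app
2023-11-20T09:16:00Z 10.20.7.2 abc123.ngrok.io
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s*$")


def is_ngrok_host(qname):
    """True if qname is an ngrok-hosted name. Matches on label boundaries only,
    so 'x.ngrok.io' is flagged but 'notngrok.io' is not."""
    host = qname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in NGROK_SUFFIXES)


def find_ngrok_lookups(log_text):
    """Return {(client, qname): count} for every ngrok-hosted name queried in the log.
    Lines that do not match the expected three-field format are skipped."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if is_ngrok_host(m["qname"]):
            key = (m["client"], m["qname"].lower())
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (client, qname), count in sorted(find_ngrok_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client} queried {qname} {count}x")
```

A repeated query to a single fixed ngrok-free.app hostname from one host is exactly the pattern a static-domain tunnel produces; the same suffix check can be applied to proxy logs or TLS SNI fields.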

The counterfeit BMW advertisements, sent to hundreds of embassy employees, were the pivotal element of the attack. The phishing emails carried an archive named "DIPLOMATIC-CAR-FOR-SALE-BMW.rar" containing a PDF file and a folder with the same name.

When a user opened the PDF from the archive, which supposedly offered an "exclusive deal" on a BMW, a script from the same-named folder ran in the background, downloading and executing the payload. The hackers also used Ngrok tunnels to send the collected information to their own infrastructure.
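The archive layout described here and in the paragraph on CVE-2023-38831 above (a decoy file and a folder sharing a name, with a script inside the folder) can be detected statically before the archive is ever opened in WinRAR. The scanner below is an added example, not code from the original article or from the researchers who reported the campaign. It uses Python's standard zipfile module, so it reads ZIP archives; the lure in this campaign was a .rar, and the same layout check applies to RAR files with a third-party parser such as rarfile. The decoy file name is the one from the article with an assumed .pdf extension; the script name inside the folder is an assumption, and the archive contents are harmless placeholders constructed for the demo. Names are compared after stripping trailing whitespace, because the public proof of concept relies on a trailing space in both the file and folder name.

```python
import io
import posixpath
import zipfile
from collections import defaultdict

# Extensions Windows launches as a program when handed the path
# (assumed, non-exhaustive list; extend to match your environment's PATHEXT)
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".wsf", ".hta", ".ps1", ".lnk"}


def _norm(name):
    """Drop the trailing whitespace the exploit relies on so 'x.pdf ' and 'x.pdf' compare equal."""
    return name.rstrip(" \t")


def find_name_collisions(zip_bytes):
    """Scan a ZIP for the CVE-2023-38831 layout: a top-level decoy file whose name
    (ignoring trailing whitespace) matches a top-level folder in the same archive.
    Returns a list of (decoy_entry, folder_child_entry, child_is_executable) tuples;
    an empty list means the archive has no such collision."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    top_files = {}                      # normalized name -> decoy entry as stored
    dir_children = defaultdict(list)    # normalized folder name -> entries beneath it
    for n in names:
        head, sep, tail = n.partition("/")
        if not sep:
            top_files[_norm(head)] = n
        elif tail:                      # skip bare "folder/" directory markers
            dir_children[_norm(head)].append(n)

    findings = []
    for key, decoy in top_files.items():
        for child in dir_children.get(key, []):
            ext = posixpath.splitext(_norm(child))[1].lower()
            findings.append((decoy, child, ext in EXEC_EXTS))
    return findings


def build_sample_archive(decoy_name, script_name=None):
    """Build a demo ZIP in memory with the same layout as the lure described in the article.
    The contents are harmless placeholders (constructed sample, not the real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy_name, b"%PDF-1.4\n% decoy placeholder\n")
        if script_name:
            zf.writestr(decoy_name + "/" + script_name, b"@echo off\r\necho placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_archive("DIPLOMATIC-CAR-FOR-SALE-BMW.pdf ",
                                "DIPLOMATIC-CAR-FOR-SALE-BMW.pdf .cmd")
    for decoy, child, runnable in find_name_collisions(lure):
        print(f"collision: {decoy!r} <-> {child!r} executable={runnable}")
```

Any collision is worth a look because no legitimate archiver produces a file and a folder with the same name at the same level; a collision whose folder child has an executable extension is the exploit pattern itself and should block the attachment at the mail gateway.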

Pairing a WinRAR exploit for initial access with Ngrok tunnels for C2 and exfiltration was a new combination for this group. According to sources, the countries affected by APT29's lures include Azerbaijan, Greece, Romania, and Italy.

This attack once again demonstrates the ingenuity and persistence of APT groups. By combining a then-new vulnerability in a popular archiver with a legitimate traffic-tunnelling service, the perpetrators carried out a carefully planned operation to steal confidential data from the embassies of several European countries.

To defend against such attacks, it is critical to install security updates promptly (here, WinRAR 6.23 or later) and to train staff regularly to recognize phishing emails and malicious attachments. Strict control over third-party tools and services in the corporate infrastructure is also necessary: tunnelling agents such as Ngrok should be blocked or at least alerted on, both as a binary on endpoints and as traffic to ngrok-hosted domains at the network edge. No single control stops a well-resourced adversary; only a layered approach offers robust protection against attacks of this sophistication.