Russian researchers uncover Ukraine-linked cyberespionage group exploiting WinRAR vulnerability

Russian security researchers from F.A.C.C.T., a cybersecurity firm based in Moscow, reported about a cyber espionage group, which they named PhantomCore with affiliations traced back to Ukraine, actively operating since January of the current year.

The remote access malware employed by these infiltrators has only recently come to light. The threat actors, in their recent operations on undisclosed Russian entities, exploited a known vulnerability within WinRAR, a popular Windows file compression tool. This vulnerability CVE-2023-38831, had allegedly been exploited before by state-affiliated hackers from Russia and China in early 2023 before being addressed.

PhantomCore’s modus operandi in exploiting this vulnerability marks a departure from previous tactics, as noted by F.A.C.C.T. Instead of leveraging ZIP files, which had been observed in prior attacks, the group executed malicious code through specially crafted RAR archives.

The dissemination of PhantomRAT was facilitated through phishing emails housing a PDF file masquerading as a contractual document. These emails contained an attached RAR archive, safeguarded by a password shared within the email. PDF files have been a recurrent tool in cyberespionage goals.

In the execution phase of the operation, vulnerable systems were compromised with PhantomRAT. This malware, as outlined by researchers, possesses capabilities to download and upload files between compromised hosts and the hackers’ command and control (C2) server. Information collected during these injects encompassed crucial data such as host names, user identities, local IP addresses, and operating system versions, serving as potential avenues for further exploits.

Throughout their analysis, researchers also stumbled upon three trial specimens of PhantomRAT, allegedly uploaded from Ukraine, leading them to speculate with moderate certainty about the attackers’ possible location.

Independent scrutiny casts a veil of doubt over the attribution of PhantomCore’s activities to Ukraine. With most Western cybersecurity entities withdrawing from Russia amidst the conflict with Ukraine, their visibility into Russian networks remains limited. Several firms were consulted to evaluate F.A.C.C.T.’s findings.

Check Point researchers confirmed the operational status of the malware described in the report, highlighting the vulnerability of systems running WinRAR versions preceding 6.23. However, they noted the current payload’s compatibility solely with 64-bit systems, which could vary in subsequent attacks depending on the attackers’ objectives.

Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, contested certain claims made by F.A.C.C.T., citing the absence of prior observations of the activities attributed to PhantomCore. Nonetheless, Microsoft, alongside other industry players, is well-acquainted with the widespread exploitation of CVE-2023-38831 by cyber criminals and state-sponsored actors alike.

Moreover, DeGrippo disputed F.A.C.C.T.’s assertion regarding the exclusive use of RAR archives by PhantomCore, citing precedents of similar tactics employed by other threat actors, such as Forest Blizzard and DarkPink, leveraging RAR archives in their exploits.