Russian military hackers used a vulnerability in a popular archiving tool as part of an espionage campaign that attempted to lure its targets with a fake invitation to a Ukrainian drone warfare school, researchers with Google’s Threat Analysis Group said Wednesday.
The phony invitation was just one of several campaigns in which state-backed hacking groups exploited a known vulnerability in WinRAR. The researchers also saw the notorious Chinese hacking group known as APT40 use the vulnerability as part of a phishing campaign targeting Papua New Guinea.
Even though a patch has been available since August, a lack of patching has resulted in “multiple government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operation,” TAG said.
The invitation to participate in a non-existent drone training program was deployed by the Russian military intelligence hacking unit tracked by TAG as “Frozenbarents” but more widely known as “Sandworm,” which is an elite unit among Russia’s hacking corps. The group has been documented carrying out intelligence operations, information operations and attacks on Ukraine’s electric grid.
In repelling Russia’s invasion, Ukrainian defenders have relied extensively on drones, including many custom-built inexpensive varieties operated by a growing corps of volunteers, and the use of an invitation to a phony training program for operating drones appears to target a key Ukrainian military capability.
The phony drone invite campaign represented a novel tactic for Sandworm, the researchers said, because it delivered the Rhadamanthys infostealer, a versatile commodity off-the-shelf malware designed to steal browser credentials, session information and other data from targets. The group's use of malware more commonly associated with cybercriminals is atypical, the researchers said.
A separate campaign by the Russian military hacking group tracked by TAG as "Frozenlake," more widely known as APT28, used the same WinRAR vulnerability, embedded in a Ukrainian think tank event invitation, to target Ukrainians in the energy sector, the researchers said.
An Aug. 23 report from Group-IB detailed how cybercriminals had been using the vulnerability since at least April 2023 to target financial traders. By that point the vulnerability had been used extensively to spoof file extensions: an archive appears to contain only a mundane document, such as a PDF or image, but opening that document from within a vulnerable WinRAR runs a script hidden elsewhere in the archive, letting attackers hide malware in seemingly harmless files, Group-IB said at the time. The vulnerability was itself the evolution of a vulnerability in the archiving program identified back in 2014, the researchers added.
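The decoy layout Group-IB described is simple enough to check for in mail gateways or sandbox pre-filters: a top-level file whose name ends in a space (the decoy), a folder with exactly the same name, and inside that folder a file whose name starts with the decoy's name and carries a script or executable extension. The scanner below is an added example written for this article; it is not code from Google TAG, Group-IB or the WinRAR project. It assumes the archive is a ZIP (the format used in the campaigns reported), that the public identifier for the bug is CVE-2023-38831 (the identifier is not stated on this page), and that the extension list and the constructed sample archives are illustrative rather than exhaustive.

```python
import io
import os
import zipfile

# Extensions that the Windows shell will execute when WinRAR hands it the
# wrong file. Illustrative list, not exhaustive (assumption).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".wsf",
               ".ps1", ".scr", ".com", ".lnk", ".hta"}


def build_sample_archive() -> bytes:
    """Constructed fixture reproducing the decoy/folder layout of a
    CVE-2023-38831 lure. The payload is a harmless placeholder; only the
    entry names matter for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Decoy: looks like a PDF, name ends with a trailing space.
        zf.writestr("Invitation.pdf ", b"%PDF-1.4\n%decoy document\n")
        # Same-named folder holding the script that actually runs.
        zf.writestr("Invitation.pdf /Invitation.pdf .cmd",
                    b"@echo placeholder, not a real payload\r\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed fixture for a benign archive (control case)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n%benign\n")
        zf.writestr("notes/todo.txt", b"nothing to see\n")
    return buf.getvalue()


def find_spoofed_entries(data: bytes) -> list:
    """Return (decoy, hidden_script) pairs that match the lure layout.

    Heuristic: a top-level file name ending in a space, plus a file under a
    folder of the same name whose extension is executable. Both conditions
    are required, so ordinary archives with odd names are not flagged."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]
    findings = []
    for decoy in files:
        # Decoy must sit at the archive root and end with a space.
        if "/" in decoy or not decoy.endswith(" "):
            continue
        prefix = decoy + "/"
        for inner in files:
            if not inner.startswith(prefix):
                continue
            inner_name = inner[len(prefix):]
            # Strip any trailing spaces after the real extension before
            # classifying it ("Invitation.pdf .cmd" -> ".cmd").
            ext = os.path.splitext(inner_name.rstrip())[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append((decoy, inner))
    return findings


def scan_file(path: str) -> list:
    """Convenience wrapper for scanning an archive on disk."""
    with open(path, "rb") as fh:
        return find_spoofed_entries(fh.read())


if __name__ == "__main__":
    print("lure   :", find_spoofed_entries(build_sample_archive()))
    print("benign :", find_spoofed_entries(build_clean_archive()))
```

The check only inspects the central directory, so it is cheap to run on every attachment and does not extract anything. It will not catch RAR-formatted archives (Python's zipfile cannot read them) and it deliberately requires both the trailing-space decoy and the same-named folder, which keeps false positives low at the cost of missing variants that change the layout; treat a hit as a reason to detonate the archive in a sandbox rather than as proof on its own. Patching WinRAR remains the real fix, as the TAG researchers note.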
“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available,” the Google researchers said Wednesday. “Even the most sophisticated attackers will only do what is necessary to accomplish their goals.”