Apr 10, 2024NewsroomHardware Security / Linux

Cybersecurity researchers have disclosed what they say is the “first native Spectre v2 exploit” against the Linux kernel on Intel systems that could be exploited to read sensitive data from the memory.

The exploit, called Native Branch History Injection (BHI), can be used to leak arbitrary kernel memory at 3.5 kB/sec by bypassing existing Spectre v2/BHI mitigations, researchers from Systems and Network Security Group (VUSec) at Vrije Universiteit Amsterdam said in a new study.

The shortcoming is being tracked as CVE-2024-2201.

BHI was first disclosed by VUSec in March 2022, describing it as a technique that can get around Spectre v2 protections in modern processors from Intel, AMD, and Arm.

While the attack leveraged extended Berkeley Packet Filters (eBPFs), Intel’s recommendations to address the problem, among other things, were to disable Linux’s unprivileged eBPFs.

“Privileged managed runtimes that can be configured to allow an unprivileged user to generate and execute code in a privileged domain — such as Linux’s ‘unprivileged eBPF’ — significantly increase the risk of transient execution attacks, even when defenses against intra-mode [Branch Target Injection] are present,” Intel said at the time.

“The kernel can be configured to deny access to unprivileged eBPF by default, while still allowing administrators to enable it at runtime where needed.”

Native BHI neutralizes this countermeasure by showing that BHI is possible without eBPF. It impacts all Intel systems that are susceptible to BHI.

As a result, it makes it feasible for an attacker with access to CPU resources to influence speculative execution paths via malicious software installed on a machine with the goal of extracting sensitive data that are associated with a different process.

“Existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient in stopping BHI exploitation against the kernel/hypervisor,” the CERT Coordination Center (CERT/CC) said in an advisory.

“An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget.”

The flaw has been confirmed to affect Illumos, Intel, Red Hat, SUSE Linux, Triton Data Center, and Xen. AMD, in a bulletin, said it’s “aware of any impact” on its products.

The disclosure comes weeks after IBM and VUSec detailed GhostRace (CVE-2024-2193), a variant of Spectre v1 that employs a combination of speculative execution and race conditions to leak data from contemporary CPU architectures.

It also follows new research from ETH Zurich that disclosed a family of attacks dubbed Ahoi Attacks that could be used to compromise hardware-based trusted execution environments (TEEs) and break confidential virtual machines (CVMs) like AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel Trust Domain Extensions (TDX).

The attacks, codenamed Heckler and WeSee, make use of malicious interrupts to break the integrity of CVMs, potentially allowing threat actors to remotely log in and gain elevated access, as well as perform arbitrary read, write, and code injection to disable firewall rules and open a root shell.

“For Ahoi Attacks, an attacker can use the hypervisor to inject malicious interrupts to the victim’s vCPUs and trick it into executing the interrupt handlers,” the researchers said. “These interrupt handlers can have global effects (e.g., changing the register state in the application) that an attacker can trigger to compromise the victim’s CVM.”

In response to the findings, AMD said the vulnerability is rooted in the Linux kernel implementation of SEV-SNP and that fixes addressing some of the issues have been upstreamed to the main Linux kernel.

Apr 06, 2024NewsroomSkimmer / Threat Intelligence

Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites.

The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of “improper neutralization of special elements” that could pave the way for arbitrary code execution.

It was addressed by the company as part of security updates released on February 13, 2024.

Sansec said it discovered a “cleverly crafted layout template in the database” that’s being used to automatically inject malicious code to execute arbitrary commands.

“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the company said.

“Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested.”

The command in question is sed, which is used to insert a code execution backdoor that’s then responsible for delivering a Stripe payment skimmer to capture and exfiltrate financial information to another compromised Magento store.

The development comes as the Russian government has charged six people for using skimmer malware to steal credit card and payment information from foreign e-commerce stores at least since late 2017.

The suspects are Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Recorded Future News reported that the arrests were made a year ago, citing court documents.

“As a result, members of the hacker group illegally took possession of information about almost 160 thousand payment cards of foreign citizens, after which they sold them through shadow internet sites,” the Prosecutor General’s Office of the Russian Federation said.

Mar 11, 2024NewsroomNetwork Security / Vulnerability

Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could be potentially exploited to bypass authentication protections.

Tracked as CVE-2024-1403, the vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.

“When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins,” the company said in an advisory released late last month.

“Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”

Progress Software said the vulnerability incorrectly returns authentication success from an OpenEdge local domain if unexpected types of usernames and passwords are not appropriately handled, leading to unauthorized access sans proper authentication.

The flaw has been addressed in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1.

Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has since released a PoC for CVE-2024-1403, stating the issue is rooted in a function called connect() that’s invoked when a remote connection is made.

This function, in turn, calls another function called authorizeUser() that validates that the supplied credentials meet certain criteria, and passes control to another part of the code that directly authenticates the user if the provided username matches “NT AUTHORITY\SYSTEM.”

“Deeper attacker surface looks like it may allow a user to deploy new applications via remote WAR file references, but the complexity increased dramatically in order to reach this attack surface because of the use of internal service message brokers and custom messages,” security researcher Zach Hanley said.

“We believe there is again likely an avenue to remote code execution via built in functionality given enough research effort.”

Mar 06, 2024NewsroomServer Security / Cryptocurrency

Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.

“The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts,” Cado security researcher Matt Muir said in a report shared with The Hacker News.

The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.

It all starts with deploying four novel Golang payloads that are capable of automating the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities leverage masscan or pnscan to hunt for these services.

“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” Muir explained.

The initial access then paves the way for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.

“It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” the company said.

The development comes as Uptycs revealed 8220 Gang’s exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.

“By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access,” security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

“Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected.”

The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.

It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.

“With both mining and AI requiring access to large amounts of GPU processing power, there’s a certain degree of transferability to their base hardware environments,” HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.

“With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” it said. “Cloud and Linux infrastructure is now subject to a broader variety of attacks.”

Mar 05, 2024NewsroomMalware / Cyber Threat

North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.

According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark.

“The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application,” security researchers Keith Wojcieszek, George Glass, and Dave Truman said.

“They then leveraged their now ‘hands on keyboard’ access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.”

The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709, which came to light last month and have since come under heavy exploitation by multiple threat actors to deliver cryptocurrency miners, ransomware, remote access trojans, and stealer malware.

Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal to include new tools, the most recent being GoBear and Troll Stealer.

BabyShark, first discovered in late 2018, is launched using an HTML Application (HTA) file. Once launched, the VB script malware exfiltrates system information to a command-and-control (C2) server, maintains persistence on the system, and awaits further instruction from the operator.

Then in May 2023, a variant of BabyShark dubbed ReconShark was observed being delivered to specifically targeted individuals through spear-phishing emails. TODDLERSHARK is assessed to be the latest evolution of the same malware due to code and behavioral similarities.

The malware, besides using a scheduled task for persistence, is engineered to capture and exfiltrate sensitive information about the compromised hosts, thereby acting as a valuable reconnaissance tool.

TODDLERSHARK “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generate C2 URLs, which could make this malware hard to detect in some environments,” the researchers said.

The development comes as South Korea’s National Intelligence Service (NIS) accused its northern counterpart of allegedly compromising the servers of two domestic (and unnamed) semiconductor manufacturers and pilfering valuable data.

The digital intrusions took place in December 2023 and February 2024. The threat actors are said to have targeted internet-exposed and vulnerable servers to gain initial access, subsequently leveraging living-off-the-land (LotL) techniques rather than dropping malware in order to better evade detection.

“North Korea may have begun preparations for its own production of semiconductors due to difficulties in procuring semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellite missiles,” NIS said.

Feb 06, 2024NewsroomDark Web / Cybercrime

Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the goal of stealing sensitive data.

Singapore-headquartered Group-IB said the hacking crew’s activities are geared towards job search platforms and the theft of resumes, with as many as 65 websites compromised between November 2023 and December 2023.

The stolen files are estimated to contain 2,188,444 user data records, of which 510,259 have been taken from job search websites. Over two million unique email addresses are present within the dataset.

“By using SQL injection attacks against websites, the threat actor attempts to steal user databases that may include names, phone numbers, emails, and DoBs, as well as information about job seekers’ experience, employment history, and other sensitive personal data,” security researcher Nikita Rostovcev said in a report shared with The Hacker News.

“The stolen data is then put up for sale by the threat actor in Telegram channels.”

Group-IB said it also uncovered evidence of cross-site scripting (XSS) infections on at least four legitimate job search websites that are designed to load malicious scripts responsible for displaying phishing pages capable of harvesting administrator credentials.

ResumeLooters is the second group after GambleForce that has been found staging SQL injection attacks in the APAC region since late December 2023.

A majority of the compromised websites are based in India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey, although compromises have also been reported from Brazil, the U.S., Turkey, Russia, Mexico, and Italy.

The modus operandi of ResumeLooters involves the use of the open-source sqlmap tool to carry out SQL injection attacks and drop and execute additional payloads such as the BeEF (short for Browser Exploitation Framework) penetration testing tool and rogue JavaScript code designed to gather sensitive data and redirect users to credential harvesting pages.

The cybersecurity company’s analysis of the threat actor’s infrastructure reveals the presence of other tools like Metasploit, dirsearch, and xray, alongside a folder hosting the pilfered data.

The campaign appears to be financially motivated, given the fact that ResumeLooters have set up two Telegram channels named 渗透数据中心 and 万国数据阿力 last year to sell the information.

“ResumeLooters is yet another example of how much damage can be made with just a handful of publicly available tools,” Rostovcev said. “These attacks are fueled by poor security as well as inadequate database and website management practices.”

“It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks.”

Jan 11, 2024NewsroomVulnerability / Cyber Attack

Cybersecurity researchers have developed a proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OfBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload.

The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8) that could be weaponized to bypass authentication and remotely execute arbitrary code.

While it was fixed in Apache OFbiz version 18.12.11 released last month, threat actors have been observed attempting to exploit the flaw, targeting vulnerable instances.

The latest findings from VulnCheck show that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving little to no traces of malicious activity.

Security flaws disclosed in Apache OFBiz (e.g., CVE-2020-9496) have been exploited by threat actors in the past, including by threat actors associated with the Sysrv botnet. Another three-year-old bug in the software (CVE-2021-29200) has witnessed exploitation attempts from 29 unique IP addresses over the past 30 days, per data from GreyNoise.

What’s more, Apache OFBiz was also one of the first products to have a public exploit for Log4Shell (CVE-2021-44228), illustrating that it continues to be of interest to both defenders and attackers alike.

CVE-2023-51467 is no exception, with details about a remote code execution endpoint (“/webtools/control/ProgramExport”) as well as PoC for command execution emerging merely days after public disclosure.

While security guardrails (i.e., Groovy sandbox) have been erected such that they block any attempts to upload arbitrary web shells or run Java code via the endpoint, the incomplete nature of the sandbox means that an attacker could run curl commands and obtain a bash reverse shell on Linux systems.

“For an advanced attacker, though, these payloads aren’t ideal,” VulnCheck’s Chief Technology Officer Jacob Baines said. “They touch the disk and rely on Linux-specific behavior.”

The Go-based exploit devised by VulnCheck is a cross-platform solution that works on both Windows and Linux as well as gets around the denylist by taking advantage of groovy.util.Eval functions to launch an in-memory Nashorn reverse shell as the payload.

“OFBiz is not widely popular, but it has been exploited in the past. There is a fair deal of hype around CVE-2023-51467 but no public weaponized payload, which called into question if it was even possible,” Baines said. “We’ve concluded that not only is it possible, but we can achieve arbitrary in memory code execution.”

Jan 11, 2024NewsroomCybersecurity / Zero-Day

A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers.

Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178. There is evidence to suggest that the VPN appliance may have been compromised as early as December 3, 2023.

The two vulnerabilities that have been exploited in the wild to achieve unauthenticated command execution on the ICS device are as follows –

• CVE-2023-46805 (CVSS score: 8.2) – An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

• CVE-2024-21887 (CVSS score: 9.1) – A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

The vulnerabilities can be fashioned into an exploit chain to take over susceptible instances over the internet.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in an advisory.

The company said it has observed attempts on the part of the threat actors to manipulate Ivanti’s internal integrity checker (ICT), which offers a snapshot of the current state of the appliance.

Patches are expected to be released in a staggered manner starting from the week of January 22, 2024. In the interim, users have been recommended to apply a workaround to safeguard against potential threats.

In the incident analyzed by Volexity, the twin flaws are said to have been employed to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”

The attacker further modified a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. In addition, a JavaScript file loaded by the Web SSL VPN login page was altered to log keystrokes and exfiltrate credentials associated with users logging into the device.

“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster said.

The attacks are also characterized by reconnaissance efforts, lateral movement, and the deployment of a custom web shell dubbed GLASSTOKEN via the backdoored CGI file to maintain persistent remote access to the external-facing web servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert of its own, said it has added the two shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by January 31, 2024.

“Internet-accessible systems, especially critical devices like VPN appliances and firewalls, have once again become a favorite target of attackers,” Volexity said.

“These systems often sit on critical parts of the network, cannot run traditional security software, and typically sit at the perfect place for an attacker to operate. Organizations need to make sure they have a strategy in place to be able to monitor activity from these devices and quickly respond if something unexpected occurs.”

Jan 03, 2024NewsroomMalware / Data Theft

Information stealing malware are actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

• When the user is logged in with the browser, in which case the token can be used any number of times.

• When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.

• If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)

Dec 22, 2023NewsroomMalware / Cyber Attack

The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE.

“The threat actor targets Ukrainian employees working for companies outside of Ukraine,” cybersecurity firm Deep Instinct said in a Thursday analysis.

UAC-0099 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives.

The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of LONEPAGE, a Visual Basic Script (VBS) malware that’s capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware.

“During 2022-2023, the mentioned group received unauthorized remote access to several dozen computers in Ukraine,” CERT-UA said at the time.

The latest analysis from Deep Instinct reveals that the use of HTA attachments is just one of three different infection chains, the other two of which leverage self-extracting (SFX) archives and bobby-trapped ZIP files. The ZIP files exploit the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to distribute LONEPAGE.

In the former, the SFX file houses an LNK shortcut that’s disguised as a DOCX file for a court summons while using the icon for Microsoft WordPad to entice the victim into opening it, resulting in the execution of malicious PowerShell code that drops the LONEPAGE malware.

The other attack sequence uses a specially crafted ZIP archive that’s susceptible to CVE-2023-38831, with Deep Instinct finding two such artifacts created by UAC-0099 on August 5, 2023, three days after WinRAR maintainers released a patch for the bug.

“The tactics used by ‘UAC-0099’ are simple, yet effective,” the company said. “Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file.”

The development comes as CERT-UA warned of a new wave of phishing messages purporting to be outstanding Kyivstar dues to propagate a remote access trojan known as Remcos RAT. The agency attributed the campaign to UAC-0050.