BI.ZONE reported that a group it tracks as Paper Werewolf delivered the exploit in emails that impersonated employees of the All-Russian Research Institute. The goal was to install malware that gave the attackers remote access to the infected systems.
ESET and BI.ZONE discovered these attacks independently. It remains unclear whether the two groups behind the exploitation are linked or simply obtained the exploit from the same source; BI.ZONE suspects that Paper Werewolf may have bought it on a dark web crime forum.
ESET reported that the attacks it observed followed three execution chains. The first, aimed at a single organization, used a malicious DLL hidden in the archive. The DLL was planted so that a legitimate application such as Microsoft Edge would load it through COM hijacking, so nothing has to be launched by the attacker directly. Once loaded, the DLL decrypts embedded shellcode, which compares the machine's domain name with a hardcoded value and, only on a match, installs an agent for the Mythic command-and-control framework.
The second chain delivered a malicious Windows executable that installed SnipBot, a RomCom backdoor variant. SnipBot hinders analysis by terminating when it detects that it is running in a sandbox. The third chain used two further RomCom families, RustyClaw and Melting Claw.
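COM hijacking works because per-user registrations under HKCU\Software\Classes\CLSID are consulted before the machine-wide ones in HKLM, so a DLL dropped into a user-writable directory and registered there gets loaded by whatever trusted process next instantiates that CLSID. The following PowerShell hunt is an added example, not code from ESET's or BI.ZONE's reports; the list of "user-writable" directories and the assumption that any HKCU server entry shadowing an HKLM entry deserves a look are both mine, and it does not encode the specific CLSID or path used in this campaign, which the page does not give.

```powershell
# Added example: enumerate per-user COM server registrations, which are the
# classic COM-hijack foothold, and flag the ones that point into user-writable
# directories or shadow a machine-wide (HKLM) registration of the same CLSID.
# The directory list below is an assumption; extend it for your environment.
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")

function Get-UserComServers {
    $results = @()
    $root = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return $results }

    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $key = Join-Path $_.PSPath $sub
            if (-not (Test-Path $key)) { continue }

            # The unnamed "(default)" value holds the server path (DLL or EXE).
            $path = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
            if (-not $path) { continue }

            $expanded = [Environment]::ExpandEnvironmentVariables($path)
            $clean = $expanded -replace '^"|"$', ''

            $inUserDir = $false
            foreach ($dir in $userWritable) {
                if ($dir -and $clean -like "$dir*") { $inUserDir = $true }
            }

            # If HKLM also registers this CLSID, the HKCU entry takes precedence
            # and silently redirects every process that loads the class.
            $shadowsHKLM = Test-Path "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\$sub"

            $results += [pscustomobject]@{
                CLSID            = $clsid
                Server           = $sub
                Path             = $clean
                FileExists       = Test-Path $clean
                UserWritablePath = $inUserDir
                ShadowsHKLM      = $shadowsHKLM
            }
        }
    }
    return $results
}

Get-UserComServers |
    Where-Object { $_.UserWritablePath -or $_.ShadowsHKLM } |
    Format-Table -AutoSize
```

Expect some legitimate hits: per-user installers (OneDrive, Teams and similar) register COM servers under %LOCALAPPDATA% by design. Triage on whether the file is signed, whether its CLSID shadows a system class that browsers or Explorer load, and whether the registration appeared at the same time as a suspicious archive extraction. Run it in the context of each interactive user, since HKCU is per profile.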
WinRAR vulnerabilities have a long history of exploitation. A code-execution flaw was being exploited within weeks of its patch in 2019, and in 2023 a zero-day in WinRAR was exploited in the wild for more than four months before it was fixed, exposing many users in the meantime.
One reason WinRAR remains such a durable target is that it has no automatic update mechanism: users must notice a new release and download and install it themselves. ESET warned that the affected code is not limited to the WinRAR GUI; the Windows command-line RAR and UnRAR tools and the UnRAR.dll library, which other software bundles, are vulnerable as well. Upgrading to version 7.13 or later fixes the known issues. New WinRAR vulnerabilities keep appearing, however, so an upgrade removes this exposure without guaranteeing safety from the next one.
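Because there is no auto-updater and UnRAR.dll is redistributed inside other products, the practical check is a host inventory of every RAR-related binary with its file version, not just a look at Help > About in WinRAR. The script below is an added example for this page and not tooling from ESET, BI.ZONE or RARLAB; it assumes the usual file names (WinRAR.exe, Rar.exe, UnRAR.exe, UnRAR.dll, UnRAR64.dll), searches the directories listed in it, and treats anything below 7.13 or without a readable version as needing attention. It compares versions numerically so that, for instance, 7.9 is correctly ranked below 7.13.

```powershell
# Added example: inventory WinRAR and bundled RAR/UnRAR components and flag
# anything older than the fixed release (7.13). The file-name list and search
# roots are assumptions; adjust them for your estate.
$minimum = [version]'7.13'
$names   = 'WinRAR.exe', 'Rar.exe', 'UnRAR.exe', 'UnRAR.dll', 'UnRAR64.dll'
$roots   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:ProgramData) |
           Where-Object { $_ -and (Test-Path $_) }

function Get-FileVersionObject([string]$path) {
    $raw = (Get-Item $path -ErrorAction SilentlyContinue).VersionInfo.FileVersion
    # FileVersion strings vary ("7.13.0.0", "7.1.0.0", "6.24"); keep the leading
    # dotted-numeric part so that [version] compares fields numerically.
    if ($raw -and $raw -match '^\s*(\d+(?:\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-RarInventory {
    $found = foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Include $names -File -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
    $found | Sort-Object -Unique | ForEach-Object {
        $v = Get-FileVersionObject $_
        [pscustomobject]@{
            Path          = $_
            Version       = $v
            NeedsUpdate   = ($null -eq $v) -or ($v -lt $minimum)   # unknown version is treated as stale
            Signer        = (Get-AuthenticodeSignature $_).SignerCertificate.Subject
        }
    }
}

$inventory = Get-RarInventory
$inventory | Format-Table -AutoSize
"{0} RAR component(s) found, {1} below {2}" -f $inventory.Count,
    @($inventory | Where-Object NeedsUpdate).Count, $minimum
```

The bundled copies are the ones people miss: a third-party backup or file-manager product that ships its own UnRAR.dll stays vulnerable until that vendor ships a rebuilt package, regardless of how current the main WinRAR install is, so those rows should be turned into vendor tickets rather than closed by reinstalling WinRAR.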
In light of these threats, staying on top of software updates and vulnerability disclosures is a baseline control rather than a nicety. As one data point, a recent survey found that nearly 70% of cybersecurity professionals consider outdated software one of the leading causes of breaches.

