Arming WinRAR deep dive into APTs exploiting WinRAR's 0 day vulnerability – a SideCopy case study

Presented at the VB2024 conference in Dublin, 2 - 4 October 2024.
↓ Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/slides/Slides-Arming-WinRAR-deep-dive-into-APTs-exploiting-WinRARs-0-day-vulnerability-a-SideCopy-case-study.pdf
↓ Paper: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/Arming-WinRAR-deep-dive-into-APTs-exploiting-WinRARs-0-day-vulnerability-a-SideCopy-case-study.pdf
→ Details: https://www.virusbulletin.com/conference/vb2024/abstracts/arming-winrar-deep-dive-apts-exploiting-winrars-0-day-vulnerability-sidecopy-case-study/

✪ PRESENTED BY ✪
• Sathwik Ram Prakki (Quick Heal)

✪ ABSTRACT ✪
Since the disclosure of vulnerabilities in WinRAR, multiple advanced persistent threat (APT) groups and other malicious actors have leveraged these weaknesses to launch targeted attacks on critical sectors in several countries. This presentation examines the exploitation of one specific WinRAR vulnerability, CVE-2023-38831, describing the flaw itself and the tactics of threat actors who deliver malicious ZIP archives through phishing campaigns. Through a case study of the SideCopy APT, the talk shows how WinRAR is weaponized to compromise entities in India. The analysis dissects the payloads deployed in a multi-platform attack campaign, namely AllaKore RAT, DRat, Key RAT, Double Action and Ares RAT, which used a range of decoys under a consistent naming convention. The presentation also covers the discovery of the infrastructure used by SideCopy APT and what it reveals about the group's modus operandi.
Points of particular interest include the systematic reuse of IP addresses across multiple campaigns throughout the year, the use of various compromised domains to host payloads, and code shared with the parent APT group Transparent Tribe (APT36).
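The abstract names CVE-2023-38831 but does not describe the archive layout the exploit depends on. As an added example, not code from the talk, the paper or Quick Heal, the following Python check flags that publicly documented layout in a ZIP file: a decoy file (for example a PDF) sitting next to a folder with the same name, where the folder holds a script whose name starts with the decoy's name, with trailing spaces typically present on the folder and script names. The sample archives are constructed inline; the executable-extension list and the function names are assumptions made for illustration.

```python
import io
import posixpath
import zipfile

# Extensions treated as executable by this check. This list is an assumption
# for illustration, not taken from the talk or the paper.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def winrar_decoy_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, payload) pairs matching the CVE-2023-38831 layout:
    a top-level file X next to a directory whose name equals X (ignoring
    trailing spaces) that contains a script named like 'X .cmd'."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    # Top-level regular files are the candidate decoys.
    decoys = {n for n in names if "/" not in n}
    findings = []
    for name in names:
        parts = name.split("/")
        if len(parts) != 2 or not parts[1]:      # depth-2 file entries only
            continue
        folder, inner = parts
        stem, ext = posixpath.splitext(inner)    # 'Report.pdf .cmd' -> ('Report.pdf ', '.cmd')
        if ext.lower() not in SCRIPT_EXTS:
            continue
        for decoy in decoys:
            base = decoy.rstrip(" ")
            # Folder name matches the decoy modulo trailing spaces, and the
            # script inside is named after the decoy: the CVE-2023-38831 shape.
            if folder.rstrip(" ") == base and stem.startswith(base):
                findings.append((decoy, name))
    return sorted(findings)


def build_sample(malicious: bool) -> bytes:
    """Constructed sample archive for demonstration; not a real-world sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4 decoy")
        if malicious:
            # Same-named folder (trailing space) holding a script named after the decoy.
            zf.writestr("Report.pdf /Report.pdf .cmd", b"@echo off\r\nrem payload stand-in\r\n")
        else:
            zf.writestr("images/logo.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, winrar_decoy_pairs(blob))
```

The check only reads the central directory, so it is cheap enough to run on every archive attachment at a mail gateway or in a sandbox pre-filter; a hit is a strong indicator because no legitimate packer produces a folder named after a sibling file with a trailing space.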