Werewolf Hackers Exploiting WinRAR Vulnerability To Deploy RingSpy Backdoor

Active since 2023, the Mysterious Werewolf cluster has shifted targets to the military-industrial complex (MIC) by using phishing emails with a weaponized archive. 

The archive contains a seemingly legitimate PDF document along with a malicious CMD file, and when the victim opens the archive and double-clicks the PDF, the CMD file executes, deploying the RingSpy backdoor onto the compromised system. 

Malware replaces the Athena agent of the Mythic framework, a strategy that Mysterious Werewolf previously employed in earlier campaigns. 

- Advertisement -

An attacker known as Mysterious Werewolf is employing phishing emails laced with malicious archives that exploit the CVE-2023-38831 vulnerability in WinRAR to execute code.

Tactics have shifted, with the Athena agent being swapped for the RingSpy backdoor written in Python, where the group utilizes legitimate services to maintain control of compromised systems, using a Telegram bot as a command and control server.  

A malicious archive exploited a vulnerability in WinRAR (CVE-2023-38831) to launch a VBScript, downloading a malicious batch file (.vbs and 1.bat) by retrieving a download link from Yandex.

Disk resource using a cURL command with OAuth credentials and then downloaded another batch file (i.bat) using the retrieved link, and after downloading the script, deleted the link file and executed the downloaded batch file through another VBScript call. 

Both the initial script (1.bat) and the downloaded script (i.bat) self-deleted after execution. The script first checks for an existing file to prevent re-installation and then retrieves a download link, downloads a decoy PDF, opens it, and deletes the link.

Next, it downloads the Python installer from the official website based on a predefined version, extracts it to a hidden local folder, and sets a configuration file to specify search paths for Python modules. 

Then it downloads the pip installer within the Python folder, uses pip to install additional libraries (requests and schedules), and cleans up by deleting the temporary installer script. 

An attacker is deploying a RingSpy backdoor using the Yandex Cloud API and a Python script, which is downloaded and executed through a VBScript file (.vbs) placed in the startup folder and the localAppData folder. 

The backdoor allows remote command execution, downloads files, and sends results to a Telegram bot through a control server. The script can also be scheduled to run every minute using PowerShell.

The downloaded files are saved in a specific folder, and network requests are made to the Telegram bot’s API to send data.  

According to Bi.zone, the attacker likely gained initial access by sending a spearphishing email with an attachment. Once in, they used PowerShell, command prompts, VBScript, and Python to execute malicious code. 

They potentially exploited a WinRAR vulnerability (CVE-2023-38831) for further execution. To maintain persistence, they used scheduled tasks and startup folders. 

The attacker also attempted to evade defenses by deleting files and used techniques like file transfer and a Telegram bot for command and control.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.