Saturday, July 20, 2024

Werewolf Hackers Exploiting WinRAR Vulnerability To Deploy RingSpy Backdoor

Active since 2023, the Mysterious Werewolf cluster has shifted targets to the military-industrial complex (MIC) by using phishing emails with a weaponized archive. 

The archive contains a seemingly legitimate PDF document along with a malicious CMD file, and when the victim opens the archive and double-clicks the PDF, the CMD file executes, deploying the RingSpy backdoor onto the compromised system. 

Malware replaces the Athena agent of the Mythic framework, a strategy that Mysterious Werewolf previously employed in earlier campaigns. 

An attacker known as Mysterious Werewolf is employing phishing emails laced with malicious archives that exploit the CVE-2023-38831 vulnerability in WinRAR to execute code.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Tactics have shifted, with the Athena agent being swapped for the RingSpy backdoor written in Python, where the group utilizes legitimate services to maintain control of compromised systems, using a Telegram bot as a command and control server.  

A malicious archive exploited a vulnerability in WinRAR (CVE-2023-38831) to launch a VBScript, downloading a malicious batch file (.vbs and 1.bat) by retrieving a download link from Yandex.

Downloading the file using the received link

Disk resource using a cURL command with OAuth credentials and then downloaded another batch file (i.bat) using the retrieved link, and after downloading the script, deleted the link file and executed the downloaded batch file through another VBScript call. 

Both the initial script (1.bat) and the downloaded script (i.bat) self-deleted after execution. The script first checks for an existing file to prevent re-installation and then retrieves a download link, downloads a decoy PDF, opens it, and deletes the link.

Distracting document

Next, it downloads the Python installer from the official website based on a predefined version, extracts it to a hidden local folder, and sets a configuration file to specify search paths for Python modules. 

Then it downloads the pip installer within the Python folder, uses pip to install additional libraries (requests and schedules), and cleans up by deleting the temporary installer script. 

Downloading the Python interpreter

An attacker is deploying a RingSpy backdoor using the Yandex Cloud API and a Python script, which is downloaded and executed through a VBScript file (.vbs) placed in the startup folder and the localAppData folder. 

The backdoor allows remote command execution, downloads files, and sends results to a Telegram bot through a control server. The script can also be scheduled to run every minute using PowerShell.

The downloaded files are saved in a specific folder, and network requests are made to the Telegram bot’s API to send data.  

Obtaining and running the pip installer

According to, the attacker likely gained initial access by sending a spearphishing email with an attachment. Once in, they used PowerShell, command prompts, VBScript, and Python to execute malicious code. 

They potentially exploited a WinRAR vulnerability (CVE-2023-38831) for further execution. To maintain persistence, they used scheduled tasks and startup folders. 

The attacker also attempted to evade defenses by deleting files and used techniques like file transfer and a Telegram bot for command and control.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles