High-severity WinRAR 0-day exploited for weeks by 2 groups

    BI.ZONE said that Paper Werewolf delivered the exploits in July and August through archives attached to emails purporting to come from employees of the All-Russian Research Institute. The ultimate goal was to install malware that gave Paper Werewolf access to infected systems.

    Although the discoveries by ESET and BI.ZONE were independent of each other, it is unknown whether the groups exploiting the vulnerabilities are connected or acquired knowledge of the flaws from the same source. BI.ZONE speculated that Paper Werewolf may have obtained the vulnerabilities on a dark-market crime forum.

    ESET said the attacks it observed followed three execution chains. One chain, used in attacks on a specific organization, executed a malicious DLL hidden in an archive using a method known as COM hijacking, which ensured that it was loaded by certain apps such as Microsoft Edge. It looked like this:

    Illustration of the execution chain that installs the Mythic agent.

    Credit: ESET


    The DLL in the archive decoded shellcode, which then retrieved the domain name of the current machine and compared it with a hard-coded value. If the two matched, the shellcode installed a customized copy of the Mythic agent attack framework.

    A second chain ran a malicious Windows shortcut to deliver a final payload that installed SnipBot, a well-known piece of RomCom malware. It blocked some forensic analysis attempts by terminating when opened in a bare virtual machine or sandbox, a practice that is common among researchers. A third chain used two other known pieces of RomCom malware, one known as RustyClaw and the other as MeltingClaw.

    WinRAR vulnerabilities have been used to install malware before. A code-execution vulnerability from 2019 was broadly exploited shortly after it was patched. In 2023, a WinRAR zero-day was exploited for more than four months before the attacks were detected.

    In addition to its huge user base, WinRAR makes a perfect vehicle for spreading malware because the utility has no automated mechanism for installing new updates. This means that users have to actively download and install patches themselves. What is more, ESET said that the Windows versions of the command-line utility UnRAR.dll and the portable UnRAR source code are also vulnerable. People should steer clear of all WinRAR versions before 7.13, which was the most up-to-date when this post went live. It has fixes for all known vulnerabilities, although, given the seemingly endless stream of WinRAR zero-days, that is not really a certainty.
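A defender's inventory check for the patching advice above, written as an added example and not code from the article, ESET or BI.ZONE: it walks the usual program directories (assumed search roots) for WinRAR.exe and any copy of UnRAR.dll, since third-party software ships that DLL as well, and reports every component whose file version is below 7.13. It assumes the DLL carries the same version numbering as WinRAR.

```powershell
# Added example: report WinRAR and UnRAR components older than the 7.13 fix release.
# The search roots and file names are assumptions; extend them for portable installs.
$FixedVersion = [version]'7.13'
$SearchRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path $_) }

function Find-OutdatedUnrar {
    param(
        [string[]]$Roots = $SearchRoots,
        [version]$Fixed  = $FixedVersion
    )

    Get-ChildItem -Path $Roots -Recurse -File `
        -Include 'WinRAR.exe', 'UnRAR.exe', 'UnRAR.dll', 'UnRAR64.dll' `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersionRaw is a parsed [version]; fall back to parsing the
            # FileVersion string (e.g. "7.12.0") on older PowerShell builds.
            $ver = $_.VersionInfo.FileVersionRaw
            if (-not $ver) {
                try { $ver = [version]$_.VersionInfo.FileVersion } catch { $ver = $null }
            }
            [pscustomobject]@{
                Path     = $_.FullName
                Version  = $ver
                # Treat an unreadable version as outdated so it is not silently skipped.
                Outdated = ($null -eq $ver) -or ($ver -lt $Fixed)
            }
        }
}

$results  = Find-OutdatedUnrar
$outdated = @($results | Where-Object Outdated)

if ($outdated.Count -gt 0) {
    $outdated | Format-Table Path, Version -AutoSize
} else {
    "No WinRAR/UnRAR components below $FixedVersion found."
}
```

Bundled copies of UnRAR.dll are updated by the application that ships them, not by WinRAR, so each reported path needs its own vendor update.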