Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

MITRE Techniques

• [T1566.001 ] Spearphishing Attachment – Earth Dahu delivered malicious RAR archives through email attachments (‘Emails with RAR archives impersonating Ukrainian judicial correspondence’).
• [T1204.002 ] User Execution: Malicious File – Victims had to open the archive and decoy document to trigger the hidden payload chain (‘Once the victim opens the archive, no further interaction is needed’).
• [T1059.001 ] PowerShell – SHADOW-EARTH-066 launched hidden PowerShell to read and execute the staged loader (‘cmd.exe /c start /min “” powershell -NoPr -Win Hidd -Ex Bypass’).
• [T1547.001 ] Startup Folder – Both campaigns used the Startup folder for persistence or delayed execution (‘the files execute’ from the Startup folder on next login).
• [T1564.004 ] NTFS File Attributes – WinRAR abused NTFS Alternate Data Streams to hide and write files outside the extraction directory (‘hidden ADS payloads that use path traversal’).
• [T1027 ] Obfuscated Files or Information – SHADOW-EARTH-066 used obfuscated PowerShell scripts and encoded payloads (‘Heavily obfuscated scripts … junk comment lines’).
• [T1620 ] Reflective Code Loading – The loader decoded and loaded a DLL entirely in memory (‘the decoded DLL is never written as a file’).
• [T1036 ] Masquerading – Decoy PDFs and spoofed document themes were used to appear legitimate (‘a court summons … or a defense ministry document’).
• [T1497 ] Virtualization/Sandbox Evasion – The stealer added sleep calls and timing delays to evade analysis (‘Sleep-based anti-sandbox calls’).
• [T1070.004 ] File Deletion – After exfiltration, the malware removed staging artifacts (‘DeleteFileW calls remove the remaining files’).
• [T1555.003 ] Credentials from Web Browsers – The stealer collected browser passwords and master keys (‘harvests browser passwords, session cookies’).
• [T1539 ] Steal Web Session Cookie – It extracted session cookies from Chromium-based browsers and Firefox (‘collects … cookies per profile’).
• [T1005 ] Data from Local System – The malware searched local folders for documents and sensitive files (‘scans the victim’s Documents, Downloads, and TEMP directories’).
• [T1041 ] Exfiltration Over C&C Channel – Stolen data was sent to dedicated servers over HTTPS POST (‘sent via HTTPS POST … to the /rcv/ path’).
• [T1071.001 ] Web Protocols – Command and control traffic used HTTP/HTTPS for connectivity checks and exfiltration (‘sends an HTTP GET … then sent via HTTPS POST’).
• [T1573.001 ] Encrypted Channel – SHADOW-EARTH-066 protected URLs and stolen data with RC4 before transmission (‘C&C URLs are RC4-encrypted in the binary’).
• [T1485 ] Data Destruction – Earth Dahu’s chain included destructive behavior through a wiper component (‘ClearSky … reported a Wiper component delivered through this chain’).