Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT

MITRE Techniques

• [T1203] Exploitation for Client Execution – The WinRAR CVE-2023-40477 vulnerability allows an attacker to execute code on a system that opens a malicious file. ‘The CVE-2023-40477 vulnerability in WinRAR allows an attacker to execute code on a system that opens a malicious file.’
• [T1204.002] User Execution – The fake PoC is designed to be run by targets and leads to a VenomRAT payload; ‘The fake PoC meant to exploit this WinRAR vulnerability was based on publicly available PoC code… will install a VenomRAT payload.’
• [T1059.001] PowerShell – The batch script downloads and executes a PowerShell script from a remote URL; ‘The batch script hosted at the URL above runs an encoded PowerShell script that will download another PowerShell script from checkblacklistwords[.]eu/c.txt.’
• [T1105] Ingress Tool Transfer – The PoC adds code that downloads an executable from remote sources (checkblacklistwords[.]eu/words.txt) and runs it; ‘downloads an executable from checkblacklistwords[.]eu/words.txt’.
• [T1053.005] Scheduled Task – A scheduled task named Windows.Gaming.Preview is created to run the payload every three minutes; ‘creates a scheduled task named Windows.Gaming.Preview that runs the executable every three minutes to persistently run the payload.’
• [T1057] Process Discovery – The analysis notes running processes related to the attack; ‘Table 2 shows … running processes.’
• [T1056.001] Keylogging – The VenomRAT variant includes keylogging functionality; ‘logs keystrokes to %APPDATA%MyDataDataLogs_keylog_offline.txt.’
• [T1041] Exfiltration – The malware uploads the offline keylogger file back to the C2 channel; ‘Uploads the offline key logger file from %APPDATA%MyDataDataLogs_keylog_offline.txt.’
• [T1071.001] Web Protocols – The malware uses HTTP-based C2 communications and a domain-based loader; ‘The Windows.Gaming.Preview.exe communicates with its C2 server’ and ‘checkblacklistwords[.]eu’ domains/URLs.