Cyble CRIL identifies a spear-phishing campaign against a Russian semiconductor supplier that exploits the WinRAR CVE-2023-38831 vulnerability to drop the Mythic Athena agent. Athena, a cross-platform Mythic C2 agent, provides a broad set of post-exploitation commands for remote control; the actor behind the campaign is currently unknown. #AthenaAgent #MythicC2 #CVE-2023-38831 #GhostWriter #APT36
Key points
- CRIL detected a targeted spear-phishing email aimed at a leading Russian semiconductor supplier.
- The attack leverages the WinRAR CVE-2023-38831 vulnerability to deliver a second-stage payload.
- The second-stage payload is the Mythic Agent “Athena,” a cross-platform agent designed to work with Mythic C2.
- Athena provides a wide range of pre-installed and custom commands for system discovery, credential access, and remote control.
- Mythic Agents have been observed in prior operations (e.g., APT-36’s Poseidon), but the actor behind this campaign remains unidentified.
- The campaign includes a multi-stage workflow: spear phishing → WinRAR exploit → CMD/PowerShell execution → download of Athena → C2 via Mythic and Discord channel.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing emails with attachments used to deliver the WinRAR exploit. “CRIL came across a spear-phishing email targeting a leading Russian semiconductor supplier.”
- [T1203] Exploitation for Client Execution – Exploitation of the WinRAR vulnerability to trigger execution of a malicious script when a benign file in the archive is opened. “This vulnerability allows the WinRAR application to extract and execute the malicious script when a user tries to open a benign file within the archive.”
- [T1059] Command and Scripting Interpreter – cmd.exe is used to run the malicious CMD script file. “cmd.exe is used to run a CMD malicious script file”
- [T1059.001] PowerShell – PowerShell commands are used to download and execute additional payloads on the system. “PowerShell commands are used to download and execute additional payloads on the system”
- [T1053.005] Scheduled Task – A task named ‘aimp2’ is scheduled via Windows Task Scheduler to run the downloaded executable every 10 minutes.
- [T1547.001] Registry Run Keys / Startup Folder – Startup persistence is observed in the analysis. “Malware adding run entry/Startup for persistence.”
- [T1036.006] Masquerading: Space after Filename – A space is appended to the file name. “Adding Space after Filename”
- [T1036.007] Masquerading: Double File Extension – The file carries a second, misleading extension. “Adding Double File Extension”
- [T1005] Data from Local System – The malware collects sensitive data from the victim’s system.
- [T1437.001] Application Layer Protocol: Web Protocols – The agent communicates with its C&C server over HTTP.
- [T1041] Exfiltration Over C2 Channel – Collected data is exfiltrated over the existing C2 channel.
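The three techniques above that concern the archive itself (T1203 via the WinRAR bug, T1036.006 and T1036.007) share one observable: the layout of the entry names inside the archive. The following Python is an added triage helper written for this summary, not code from Cyble or from the report; it takes a plain list of archive entry names (as printed by any archive lister) and flags whitespace-padded names, document-then-executable double extensions, and the CVE-2023-38831 layout in which a decoy file has a twin directory of the same name holding a script. The sample listing and the extension sets are constructed for the example; the `.cmd` payload and the Mythic download stage are not inspected here.

```python
"""Archive-listing triage for the WinRAR CVE-2023-38831 layout (defensive check).

Vulnerable WinRAR builds, when the user opens a benign-looking file, end up
executing a script from a directory entry whose name matches that file once
trailing whitespace is ignored. This helper flags that layout together with
the two masquerading tricks the report maps (T1036.006 whitespace padding,
T1036.007 double extension) in a plain list of archive entry names.
Example code added to this summary; not part of the original report.
"""
from __future__ import annotations

import posixpath
import zipfile
from dataclasses import dataclass

# Constructed extension sets for the example: what runs on double-click, and
# what a lure usually pretends to be.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Constructed archive listing that mirrors the reported layout (names are
# illustrative, not the campaign's real file names).
SAMPLE_LISTING = [
    "Invoice.pdf ",                   # decoy file with a trailing space
    "Invoice.pdf /",                  # twin directory, same name
    "Invoice.pdf /Invoice.pdf .cmd",  # script executed by vulnerable WinRAR
    "readme.txt",                     # harmless sibling
]


@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK id the finding maps to
    entry: str      # archive entry that triggered it
    detail: str


def _name_key(name: str) -> str:
    """Canonical form for comparing a decoy file with its twin directory."""
    return name.replace("\\", "/").rstrip("/").rstrip()


def analyze_entries(entries: list[str]) -> list[Finding]:
    """Return findings for an archive listing; empty list means nothing suspicious."""
    names = [n.replace("\\", "/") for n in entries]
    files = [n for n in names if not n.endswith("/")]
    # Explicit directory entries plus every directory implied by a file path.
    dirs: set[str] = {n.rstrip("/") for n in names if n.endswith("/")}
    for f in files:
        parent = posixpath.dirname(f)
        while parent:
            dirs.add(parent)
            parent = posixpath.dirname(parent)
    dir_keys = {_name_key(d): d for d in dirs}

    findings: list[Finding] = []
    for f in files:
        base = posixpath.basename(f)
        stem, ext = posixpath.splitext(base)
        ext = ext.lower()

        # T1036.006: whitespace at the end of the name or just before the extension.
        if base != base.rstrip() or stem != stem.rstrip():
            findings.append(Finding("T1036.006", f, "whitespace padding in file name"))

        # T1036.007: 'report.pdf.cmd'-style names, a document extension hiding an executable one.
        inner_ext = posixpath.splitext(stem.rstrip())[1].lower()
        if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
            findings.append(Finding("T1036.007", f, f"document extension {inner_ext} followed by {ext}"))

        # CVE-2023-38831 layout: a file and a directory share a name (ignoring trailing
        # spaces) and the directory holds an executable named after the decoy.
        twin = dir_keys.get(_name_key(f))
        if twin is not None:
            for g in files:
                g_base = posixpath.basename(g)
                if (posixpath.dirname(g) == twin
                        and posixpath.splitext(g_base)[1].lower() in EXECUTABLE_EXTS
                        and g_base.rstrip().startswith(base.rstrip())):
                    findings.append(Finding(
                        "T1203", f, f"CVE-2023-38831 layout: twin directory {twin!r} contains {g!r}"))
    return findings


def analyze_zip(path: str) -> list[Finding]:
    """Convenience wrapper: WinRAR also opens ZIP archives, and zipfile is stdlib."""
    with zipfile.ZipFile(path) as zf:
        return analyze_entries(zf.namelist())


if __name__ == "__main__":
    for finding in analyze_entries(SAMPLE_LISTING):
        print(f"{finding.technique}  {finding.entry!r}: {finding.detail}")
```

For RAR archives, feed `analyze_entries` the name column of `unrar l` or `7z l` output; a match on the T1203 rule is a strong signal on its own, since a file and a directory cannot legitimately share a name on disk, while the two masquerading rules are lower-confidence and better used to prioritise attachments for sandboxing.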
Indicators of Compromise
- [SHA256] Phishing Email – 0fead8db0ee27f906d054430628bd8fd3b09ca75ff6067720a5b179f6a674c12
- [SHA256] Malicious RAR File – 5261425cf389ed3a77ec5f03f73daf711e80d4918be3f0fba0152b424af7b684
- [SHA256] Malicious RAR File – 17269514f520cda20ecc78bdb0b3341a97bb03e155640704a87efff832555b14
- [SHA256] Malicious .cmd File – 07f8af85b8bbfb432d98b398b4393761c37596ee2cf3931564784bd3e8c2b1cc
- [SHA256] Malicious .cmd File – 79c78466d61b05466289f91122d2b7dbd56e895c15fe80d385885f9eddf31ca5
- [IP] Malicious IP – 45.142.212.34
- [SHA256] Athena – Mythic Agent – 86079a2d12b28a340281453efa0a7fd31c65ead11bab98edd94fe19aaff436eb
- [IP] Malicious Discord IP – 162.159.137.232
- [IP] Malicious Discord IP – 162.159.129.233
- [IP] Malicious Discord IP – 162.159.122.233
- [IP] Malicious Discord IP – 162.159.128.233