WinRAR Vulnerability Puts Illicit Content Consumers At Risk Of Apanyan Stealer, Murk-Stealer & AsyncRAT – Cyble

Cyble researchers uncovered a WinRAR CVE-2023-38831 abuse campaign delivering Apanyan Stealer, Murk-Stealer, and AsyncRAT to illicit-content consumers. The campaign starts with a deceptive RAR archive that triggers CMD/PowerShell-driven payloads and ends with multiple malware families running on the victim’s system. #WinRAR #CVE-2023-38831 #ApanyanStealer #MurkStealer #AsyncRAT #KiwiGrabber

Key points

  • CRIL found a RAR file that can propagate via adult sites and fake adult sites.
  • Threat actors exploit CVE-2023-38831 in WinRAR to execute a CMD file that downloads a BAT file.
  • The BAT downloader fetches a PowerShell grabber that exfiltrates data and downloads Apanyan Stealer.
  • The BAT also downloads and runs Murk-Stealer and AsyncRAT, expanding the attack surface.
  • The PowerShell grabber collects extensive system data, captures screenshots, and searches for sensitive files (Kiwi Grabber) for exfiltration to a C2.
  • The campaign uses anti-VM/anti-debug techniques, file-extension spoofing, and multi-stage decoding to hide stealer code.
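
As an added example (not Cyble's code), the following Python heuristic flags the archive layout that CVE-2023-38831 abuse relies on: a decoy file and a same-named directory holding a script whose name starts with the decoy's name followed by a space. It works on a list of archive entry names (for instance the output of `unrar lb` or any RAR parser); the archive parsing itself is assumed to happen elsewhere, and the sample listings are constructed.

```python
"""Heuristic check for a CVE-2023-38831-style archive layout.

Added example, not part of the original report. Input is a list of
archive entry names; assumption: '/' or '\\' separators, directory
entries end with '/'. Parsing the RAR container is out of scope here.
"""
from __future__ import annotations

import os
from typing import Iterable

# Extensions WinRAR would hand to a script host or the loader when the
# decoy is double-clicked (assumed list, extend as needed).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".ps1", ".js", ".scr"}


def _implied_dirs(names: list[str]) -> set[str]:
    """Return every directory path implied by the entry names."""
    dirs: set[str] = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        # explicit dir entries count fully; for files only proper prefixes do
        limit = len(parts) if n.endswith("/") else len(parts) - 1
        for i in range(1, limit + 1):
            dirs.add("/".join(parts[:i]))
    return dirs


def find_cve_2023_38831_candidates(entries: Iterable[str]) -> list[dict]:
    """Report (decoy file, script) pairs matching the exploit layout."""
    names = [e.replace("\\", "/") for e in entries]
    dirs = _implied_dirs(names)
    files = [n for n in names if not n.endswith("/")]
    hits: list[dict] = []
    for decoy in files:
        if decoy not in dirs:          # no same-named directory: benign
            continue
        base = decoy.rsplit("/", 1)[-1]
        for other in files:
            parent, _, child = other.rpartition("/")
            # the script lives inside the same-named dir and its name
            # begins with the decoy name plus a space
            if parent == decoy and child.startswith(base + " "):
                ext = os.path.splitext(child)[1].lower()
                hits.append({
                    "decoy": decoy,
                    "script": other,
                    "executable": ext in SCRIPT_EXTS,
                })
    return hits


def is_suspicious_archive(entries: Iterable[str]) -> bool:
    """True if any candidate pair points at an executable/script extension."""
    return any(h["executable"] for h in find_cve_2023_38831_candidates(entries))


# Constructed sample listings (not taken from the real samples).
MALICIOUS_LISTING = [
    "photo.jpg",
    "photo.jpg/",
    "photo.jpg/photo.jpg .cmd",
    "readme.txt",
]
BENIGN_LISTING = ["photo.jpg", "docs/", "docs/photo.jpg"]

if __name__ == "__main__":
    for label, listing in (("malicious", MALICIOUS_LISTING), ("benign", BENIGN_LISTING)):
        print(label, is_suspicious_archive(listing), find_cve_2023_38831_candidates(listing))
```

The check is deliberately name-based, so it also catches archives in which the directory entry itself is omitted and only implied by the script's path. Patched WinRAR (6.23 and later) no longer runs the script, so the rule is most useful on mail gateways and upload scanners that see archives before an unpatched client does.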

MITRE Techniques

  • [T1566] Phishing – “This malware reaches users via Adult sites.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “cmd.exe is used to download the first stage payload.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – “PowerShell commands are used to download the next stage payload.”
  • [T1047] Windows Management Instrumentation – “Queries various information from victim’s system.”
  • [T1547.001] Registry Run Keys/Startup Folder – “PowerShell creates an AutoStart link.”
  • [T1497] Virtualization/Sandbox Evasion – “Performing Anti-VM/Anti-Debug technique for evasion.”
  • [T1562.001] Disable or Modify Tools – “The malware scans for VM and Debugger-related processes and terminates them.”
  • [T1036.008] Masquerading – “Download files with a non-matching file extension (content does not match the file extension).”
  • [T1112] Modify Registry – “Uses reg.exe to modify the Windows registry.”
  • [T1057] Process Discovery – “Queries a list of all running processes.”
  • [T1012] Query Registry – “The malware is examining the registry to extract system details.”
  • [T1082] System Information Discovery – “The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC.”
  • [T1518.001] Security Software Discovery – “May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory).”
  • [T1071] Application Layer Protocol – “The malware uses TCP to interact with the C&C server.”
  • [T1105] Ingress Tool Transfer – “The malware has the ability to download files from C&C.”
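
The Masquerading entry above (files whose content does not match their extension, such as a `.png` URL serving an executable) is easy to check at download or quarantine time. The Python below is an added example, not Cyble's tooling: it compares a file's leading bytes against a small signature table and reports a mismatch when the detected type is not one the extension would normally carry. The signature table and sample bytes are constructed for the example.

```python
"""Content-vs-extension masquerade check (added example, not from the report).

Assumptions: a small, hand-written signature table; files with no known
magic (plain-text .bat/.cmd/.ps1) return None and are not judged.
"""
from __future__ import annotations

import os

# Leading-byte signatures, most specific first (constructed table).
SIGNATURES: list[tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),
]

# Extensions under which each detected type is legitimately seen.
EXPECTED_EXTS: dict[str, set[str]] = {
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "rar": {".rar"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
    "pdf": {".pdf"},
    "pe": {".exe", ".dll", ".scr", ".sys"},
}


def detect_type(data: bytes) -> str | None:
    """Return the type label for the leading bytes, or None if unknown."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def check_masquerade(filename: str, data: bytes) -> tuple[str | None, bool]:
    """Return (detected_type, is_mismatch).

    is_mismatch is True only when the content type is recognised and the
    file extension is not one that type normally carries.
    """
    ext = os.path.splitext(filename)[1].lower()
    kind = detect_type(data)
    if kind is None:
        return None, False        # unknown content: cannot judge from magic alone
    return kind, ext not in EXPECTED_EXTS[kind]


# Constructed samples: a PE stub served under a .png name, and a real PNG header.
FAKE_IMAGE_NAME = "payload.png"                     # placeholder name, not an IoC
FAKE_IMAGE_BYTES = b"MZ\x90\x00\x03\x00" + b"\x00" * 58
REAL_IMAGE_NAME = "logo.png"
REAL_IMAGE_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in ((FAKE_IMAGE_NAME, FAKE_IMAGE_BYTES), (REAL_IMAGE_NAME, REAL_IMAGE_BYTES)):
        kind, bad = check_masquerade(name, blob)
        print(f"{name}: detected={kind} mismatch={bad}")
```

Only the first 64 bytes need to be read, so the check is cheap enough to run on every file a download proxy or EDR quarantine sees. Treat a `None` result as "not judged" rather than "clean": script-based stages in this campaign (the BAT and PowerShell files) have no magic bytes and need a separate text-based rule.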

Indicators of Compromise

  • [File Names] 11yo_hard_[redacted].rar, luna_12yo.rar
  • [File Hashes] 11yo_hard_[redacted].rar – MD5: 2a156fc93f1b133ff6f50df24a4e5faa; SHA1: 0863dffc2a670fde374b06df0b88e270f93bbd6e; SHA256: c1bc860ba34dc239e58067bc23de9987020d13c48499422352f93a7ee0feb1d8
  • [File Hashes] luna_12yo.rar – MD5: 416f600c19d252b601218eceedb782c9; SHA1: 971b3e634775606f76c9ed752ab99b51b74a8b4a; SHA256: 0095db1c353db11718c24d1af5d61f9a90638a4165c86777508f8c73b7af9d15
  • [URLs] hxxps://raw[.]githubusercontent[.]com/MisericordeXHD/winrar/main/payload[.]cmd, hxxps://raw[.]githubusercontent[.]com/MisericordeXHD/winrar/main/helper[.]ps1
  • [URLs] hxxps://github[.]com/MisericordeXHD/winrar/raw/main/main[.]exe, hxxps://files[.]catbox[.]moe/5v4rjb[.]png

Read more: https://cyble.com/blog/winrar-vulnerability-puts-illicit-content-consumers-at-risk-of-apanyan-stealer-murk-stealer-asyncrat/