Russian Hackers Exploit WinRAR Zero-Day Vulnerability
RomCom Hackers Exploit WinRAR Zero-Day to Deploy Malware in Targeted Attacks
RomCom, a threat group with ties to Russian interests, has been observed exploiting a recently patched zero-day vulnerability in WinRAR to deliver malware in highly targeted cyberespionage campaigns. ESET researchers reported the flaw to the WinRAR developers, who published a patch on July 31st. This marks at least the third time RomCom has leveraged a zero-day exploit in the wild, demonstrating a consistent focus on acquiring and using exploits for narrowly targeted attacks.
RomCom's Evolving Tactics and Geopolitical Alignment
Previously known for ransomware deployment, RomCom (also tracked as Storm-0978, Tropical Scorpius, and UNC2596) shifted towards cyberespionage following Russia's 2022 invasion of Ukraine, while continuing conventional cybercrime activity. The group's latest campaign targets sectors that align with the interests of Russian-aligned Advanced Persistent Threat (APT) groups, suggesting a clear geopolitical motivation.
ESET researchers emphasize the sophistication of the attacks, noting the group's reconnaissance ahead of delivery: the phishing emails were sent only to specifically chosen recipients. This level of preparation underscores how much effort RomCom invests in each compromise.
Exploiting the WinRAR Vulnerability: A Deep Dive
The attacks begin with deceptively crafted phishing emails disguised as job applications, carrying an archive to be opened in WinRAR. The malicious archives abuse NTFS alternate data streams (ADS), a file-system feature that lets a file carry additional named streams of data (addressed as `file:stream`) that Explorer and most tools do not display. The archive entries place the payload in such streams, which WinRAR unpacks along with the visible file. To further conceal the real payload, the attackers pad the archive with multiple ADS entries containing dummy data and invalid paths.
Because the payload is hidden in streams that neither a casual look at the archive nor a directory listing of the extracted files reveals, the technique evades simple inspection and allows stealthy malware deployment. ADS entries in an incoming archive, or unexpected streams on freshly extracted files, are a key indicator of compromise in these attacks.
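The following is an added example, not code from the article or from ESET, showing what a detection check for the pattern above looks like. It works on archive entry names as an archive lister prints them (for example the output of `unrar l`), not on the RAR container itself, and it assumes that the "invalid paths" mentioned above are stream names that are themselves paths; the sample listing is constructed for illustration.

```python
"""Scan archive entry names for NTFS alternate data stream (ADS) abuse and
path traversal, the two traits the article attributes to the malicious
WinRAR archives.  Added example: it works on the entry names as an archive
lister prints them, not on the RAR container itself."""
from __future__ import annotations

import re
from collections import defaultdict

# A leading drive letter ('C:\') is not an ADS separator; strip it first.
_DRIVE = re.compile(r"^[A-Za-z]:(?=[\\/])")


def split_ads(name: str) -> tuple[str, str | None]:
    """Return (file_path, stream_name); stream_name is None for an ordinary
    entry.  NTFS syntax is file:stream[:$DATA]."""
    norm = _DRIVE.sub("", name.replace("/", "\\"))
    path, sep, stream = norm.partition(":")
    if not sep:
        return norm, None
    # Drop the optional ':$DATA' stream-type suffix.
    if stream.upper().endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    return path, stream


def _has_traversal(p: str) -> bool:
    return ".." in p.split("\\") or p.startswith("\\")


def analyse_entry(name: str) -> list[str]:
    """Reasons this single entry looks hostile; empty list when benign."""
    reasons: list[str] = []
    path, stream = split_ads(name)
    if _DRIVE.match(name.replace("/", "\\")):
        reasons.append("absolute path")
    if _has_traversal(path):
        reasons.append("rooted or traversing file path")
    if stream is not None:
        reasons.append(f"alternate data stream '{stream}'")
        # Assumption: the 'invalid paths' the article mentions are stream
        # names that are themselves paths.  A legitimate stream name carries
        # no separators at all.
        if "\\" in stream or _has_traversal(stream):
            reasons.append("stream name is a path")
    return reasons


def analyse_archive(entries: list[str]) -> dict[str, list[str]]:
    """Map each suspicious entry to its reasons.  Files that carry several
    streams are also flagged, since the campaign padded its payload with
    dummy ADS entries."""
    findings = {e: analyse_entry(e) for e in entries}
    streams_per_file: dict[str, int] = defaultdict(int)
    for e in entries:
        path, stream = split_ads(e)
        if stream is not None:
            streams_per_file[path] += 1
    for e in entries:
        path, stream = split_ads(e)
        if stream is not None and streams_per_file[path] > 1:
            findings[e].append(f"{streams_per_file[path]} streams on one file")
    return {e: r for e, r in findings.items() if r}


# Constructed sample listing (not taken from a real archive).
SAMPLE_ENTRIES = [
    "Resume_John_Doe.pdf",
    "Resume_John_Doe.pdf:padding1",
    "Resume_John_Doe.pdf:padding2",
    r"Resume_John_Doe.pdf:..\..\..\Updater.lnk",
    "cover_letter.txt",
]

if __name__ == "__main__":
    for entry, reasons in analyse_archive(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```

On the sample listing the two plain files pass and the three ADS entries are flagged, the last one additionally for carrying a path inside its stream name. The same check belongs in a mail gateway or sandbox that lists archive contents before they reach a user's WinRAR.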
Infection Chains and Malware Deployed
Researchers have identified three distinct infection chains used in this campaign, each deploying different malware families:
Mythic Agent Deployment
This chain executes a DLL via Component Object Model (COM) hijacking, a technique that manipulates how Windows locates and loads COM objects so that a malicious DLL is loaded in place of the legitimate one. The malicious script retrieves the domain name of the targeted machine, typically the company name, and compares it against a hardcoded value. If the values do not match, the script terminates, which confirms pre-attack reconnaissance and limits execution to the intended victim. The infection culminates in the loading of a Mythic agent; Mythic is a popular open-source red teaming platform.
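As an added example (not the article's or RomCom's code), here is the hunt a defender would run for the COM hijacking described above. Per-user COM registrations under `HKCU\Software\Classes\CLSID` take precedence over the machine-wide ones in `HKLM` for ordinary processes, so a hijack shows up as a per-user `InprocServer32` value pointing at a DLL in a user-writable location. The script parses a `reg export` text of that hive instead of reading the live registry, so it runs anywhere; the registry excerpt, the CLSIDs and the set of machine-wide CLSIDs are constructed for illustration.

```python
"""Hunt for COM hijacking in a 'reg export' dump of HKCU\\Software\\Classes\\CLSID.
Added example with constructed input; it is not code from the article.
A per-user InprocServer32 value overrides the HKLM registration of the same
CLSID for non-elevated processes, which is what makes the hijack work."""
import re

_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.I,
)
_DEFAULT = re.compile(r'^@="(.*)"$')

# Locations a standard user can write to.  A DLL loaded from one of these
# through a per-user CLSID override is the classic hijack pattern.
USER_WRITABLE = (
    "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\",
    "\\downloads\\", "%appdata%", "%localappdata%", "%temp%",
)


def parse_inproc_servers(reg_text: str) -> dict[str, str]:
    """Map CLSID -> default InprocServer32 value from a .reg export."""
    servers: dict[str, str] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):        # any other key ends the section
            current = None
            continue
        m = _DEFAULT.match(line)
        if current and m:
            # .reg files escape backslashes and double quotes.
            servers[current] = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return servers


def suspicious_hijacks(hkcu: dict[str, str], hklm_clsids: set[str]) -> list[tuple[str, str, str]]:
    """(clsid, dll, reason) for per-user servers in user-writable paths."""
    out = []
    for clsid, dll in hkcu.items():
        low = dll.lower()
        if any(marker in low for marker in USER_WRITABLE):
            why = "user-writable path"
            if clsid in hklm_clsids:
                why += ", shadows machine-wide CLSID"
            out.append((clsid, dll, why))
    return out


# Constructed sample export (hypothetical CLSIDs and paths).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\jdoe\\AppData\\Roaming\\Updater\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
'''

# Constructed: CLSIDs assumed to be registered machine-wide under HKLM.
SAMPLE_HKLM = {"{11111111-2222-3333-4444-555555555555}"}


def hunt(reg_text: str = SAMPLE_REG, hklm_clsids: set[str] = SAMPLE_HKLM) -> list[tuple[str, str, str]]:
    return suspicious_hijacks(parse_inproc_servers(reg_text), hklm_clsids)


if __name__ == "__main__":
    for clsid, dll, why in hunt():
        print(f"{clsid} -> {dll} ({why})")
```

On a real host, produce the input with `reg export HKCU\Software\Classes\CLSID clsid.reg` and the machine-wide CLSID set from the matching `HKLM` export; every hit deserves a look at the DLL's signature and origin.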
SnipBot Variant Delivery
This infection path uses a malicious LNK file that launches a trojanized build of PuTTY, a widely used SSH client. The tampered PuTTY instance loads shellcode identified as a variant of SnipBot, malware previously attributed to RomCom by Unit 42 at Palo Alto Networks (https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/).
RustyClaw and MeltingClaw Deployment
Another malicious LNK file initiates the deployment of RustyClaw, a downloader that in turn drops a second downloader partially matching the malware Proofpoint calls MeltingClaw and likewise attributes to RomCom (https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader).
Wider Exploitation of the WinRAR Flaw
RomCom is not the only threat actor exploiting this WinRAR vulnerability. Moscow-based security firm BI.ZONE reports that another group, tracked as Paper Werewolf and also known as Goffee, is leveraging the same flaw to target companies within Russia (https://bi.zone/expertise/blog/paper-werewolf-atakuet-rossiyu-s-ispolzovaniem-uyazvimosti-nulevogo-dnya-v-winrar/).
The Rise of Job Impersonation Phishing
Job impersonation as a phishing lure, once primarily associated with North Korean hackers, is now widespread, and cybercriminals worldwide are adopting it. A job application is an attachment recipients in HR and hiring roles expect to open, which is exactly what an archive-based exploit needs. This highlights the evolving sophistication of phishing campaigns and the need for heightened vigilance. (See