New ADP-Branded Phishing Campaign Attempts Exploit of Old WinRAR Vulnerability
ConnectWise
A platform of software & services built for TSPs. Follow us for product updates, company news, business advice and more.
By: Diara D.
The ConnectWise CRU recently became aware of a phishing campaign impersonating the company ADP, which is a provider of HR, payroll, and tax services. For this campaign, the threat actor used fake login pages that led to the download of ZIP archives that attempt to exploit a vulnerability in older WinRAR versions (CVE-2023-38831 ) and eventually leads to the injection of Vidar stealer malware.
The CRU first observed the download of a ZIP archive named “Automatic_Data_Processing_Terms_and_Conditions.rar” originating from hxxps[:]//adp-auth[.]com/, a recently registered domain. Examining the homepage for this site, it does not appear to be related to ADP but instead a fake technology company named KXSDU.
Things get more interesting when looking at hxxps[:]//adp-auth[.]com/land/. This page appears to be a login portal for ADP customers, suggesting to the user to enter their credentials. However, once any text (or nothing at all) is submitted using the “Sign in” button, the user is redirected to another page concerning a terms of use update.
The messaging states that the user needs to download an archive that contains an updated version of ADP’s Terms and Conditions. It also claims that the user will need to confirm that they have reviewed the terms by clicking on a link at the end of the file. Clicking on the Download button initiates the download of the “Automatic_Data_Processing_Terms_and_Conditions.rar” file.
Once the RAR file is downloaded, the contents can be extracted or viewed using the file archiving tool WinRAR. However, reviewing the contents, we see that the archive contains both a folder and a file of the same name. If this looks unusual, it’s because it is. The threat actor is attempting to exploit CVE-2023-38831, a vulnerability that targets WinRAR versions prior to 6.23. The vulnerability allows for arbitrary code to be executed when a user tries to open a benign file (here the PDF file) in the archive. When the file has the same name as a folder in the archive, the contents of the folder (which may be malicious) can be triggered to execute when the user clicks on the benign file.
As seen below, the PDF file is indeed a decoy file and appears to be a version of ADP’s Binding Corporate Rules Glossary that was renamed by the threat actor when crafting the payload. It should also be noted that there is no link to click at the bottom of the file as was indicated in the warning on the download page.
Looking deeper into the “PDF” folder reveals two additional files: a LOGO file and a Windows Command Script file that has a similar name to the decoy PDF.
Examining the LOGO file using hex dump, we can see that this is an executable file as evidenced by the magic bytes “MZ” in the file header.
When the Windows Command Script file is opened in a text editor, we can see more of the malicious intent. The batch script opens the PDF file, renames “adp.logo” to “adp.exe,” and then proceeds to execute “adp.exe.” So, if a user is using a vulnerable version of WinRAR and clicks on the benign PDF file to open it, this batch script would run the malicious executable.
Upon further analysis, it was found that the “adp.exe” executable is a Go-based loader. It will traverse the C:\Windows directory attempting to find a target for process hollowing. Once it finds a suitable binary, it executes the binary and injects Vidar stealer into it to collect sensitive information to exfiltrate.
Threat actors are continually trying to find new (and old) ways to trick users into helping deploy malware into enterprise environments. To combat these techniques, ensure that known exploited vulnerabilities in common software utilities like WinRAR are mitigated promptly with patches or updates, train users to be vigilant before entering credentials into suspicious sites or downloading files from unknown sources, and consider using an antivirus or EDR solution that can detect unusual behavior or block known malicious files before they can be executed.
IOCs
Automatic_Data_Processing_Terms_and_Conditions.rar
e52adcbe177f6aef09ec7d9b26bd4eafee1a8d5310055d2b6990cdb61bb764b5
ab9f7d80c6e1517e0238a7c06caa8cc32ed17ca4b59064f26436d6b6d22bbc2f
eb7ce0d25112877699059bee4a84671f7fd61e42ef8129333ca2d8fe161cd1cb
Automatic Data Processing, Inc. Terms and Conditions.pdf
3c5fa02f102a90c9e3d75c20c0842936480c22fd26240809eb7a540af55b2f25
Automatic Data Processing, Inc. Terms and Conditions.pdf .cmd
83cc34f61d5bf1a858f863846d181d4fa5a0fd6f0d87a75b8b3cf8fb7e7520f0
adp.logo
feff39c5c12594aaafe5e682f4071485082ae67fa64170726c8047a1ad328889
99772db88f820f7cca9ea67dbd796bc3943318ade3713bc2815e00413ca8b1a8
81d67826413fb14ba6a336347fb8a394254d630c17fa16be67047b994ec0c865
Fake ADP Domains
adp-auth[.]com
adp-welcome[.]com
adp-login[.]com
welcome-adp[.]com
IP Address
147.45.47.80
Threat Intelligence Evangelism Director, CW Cyber Research Unit, OSCP, MAD ATT&CK CTI
1 周I want to thank Diara Dankert from the CRU who did the research and put this report together.
??starting my IT journey ??
1 周Thanks for sharing this important alert! It’s always alarming to see old vulnerabilities resurface, especially in a phishing campaign leveraging a trusted brand like ADP. This serves as a strong reminder for organizations to keep security patches updated, even for software that may seem "old" or peripheral. Phishing attacks are only getting more sophisticated, and targeting common tools like WinRAR shows attackers’ evolving strategies to bypass detection. Staying informed on these trends and regularly educating teams on phishing tactics is essential. Thanks again for the insights – awareness is our first line of defense!