State-Backed Hackers Exploit WinRAR Vulnerability: A Google TAG Report
October 18, 2023
Google's Threat Analysis Group (TAG) has discovered that multiple state-sponsored hacking groups are taking advantage of a severe vulnerability in WinRAR, a widely used compression tool, to execute arbitrary code on victims' systems. The vulnerability, tracked as CVE-2023-38831, has been targeted by state-sponsored hackers from several countries, including the Sandworm, APT28, and APT40 threat groups from Russia and China.
In a statement, Google said, "In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows." Despite the availability of a patch, many users remain vulnerable.
The Sandworm hacking group from Russia used this vulnerability to deliver the Rhadamanthys infostealer malware in a phishing campaign that involved fake invitations to a Ukrainian drone training school. Another Russian group, APT28, exploited the same vulnerability to target Ukrainian users through servers provided by a free hosting provider. They used a malicious PowerShell script known as IRONJAW to steal browser credentials.
The APT40 group, based in China, also exploited the WinRAR vulnerability in attacks against targets in Papua New Guinea. They used malware known as ISLANDSTAGER and BOXRAT to maintain persistence on the compromised systems.
The CVE-2023-38831 flaw in WinRAR has been actively exploited since at least April 2023, allowing attackers to execute code on their targets' systems by tricking them into opening malicious RAR and ZIP archives containing decoy files. Various types of malware payloads, including DarkMe, GuLoader, and Remcos RAT, have been delivered using this bug.
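The archives described above have a recognizable layout: a decoy document and a directory with the same name, with an executable inside that directory. The following triage script, added here as an example and not code from Google TAG or the article, flags that layout from ZIP entry names alone without extracting anything; the entry listings and the executable-extension list are constructed assumptions.

```python
import posixpath
import sys
import zipfile

# Extensions Windows will run when the extracted entry is opened (assumption: tune for your fleet).
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".hta", ".lnk"}


def suspicious_entries(names):
    """Return (decoy, payload) pairs matching the CVE-2023-38831 archive layout:
    a file (the decoy) plus a directory with the same name that holds an
    executable. Known samples name the executable after the decoy, e.g.
    'decoy.pdf .cmd'; any executable in the colliding directory is flagged."""
    files = [n for n in names if not n.endswith("/")]
    hits = []
    for decoy in files:
        prefix = decoy + "/"  # a directory entry that collides with this file name
        for entry in files:
            if not entry.startswith(prefix):
                continue
            inner = entry[len(prefix):]
            ext = posixpath.splitext(inner)[1].lower()
            if ext in EXECUTABLE_EXTS:
                hits.append((decoy, entry))
    return hits


def scan_zip(path):
    """Inspect a ZIP on disk by entry names only; nothing is extracted or opened."""
    with zipfile.ZipFile(path) as zf:
        return suspicious_entries(zf.namelist())


# Constructed entry listings (not taken from a real sample): the first mirrors
# the exploit layout, the second is an ordinary archive.
CONSTRUCTED_MALICIOUS = [
    "Trading_Strategy.pdf",
    "Trading_Strategy.pdf/Trading_Strategy.pdf .cmd",
]
CONSTRUCTED_BENIGN = ["report.pdf", "images/chart.png"]

if __name__ == "__main__":
    for listing in (CONSTRUCTED_MALICIOUS, CONSTRUCTED_BENIGN):
        print(suspicious_entries(listing))
    for arg in sys.argv[1:]:
        print(arg, scan_zip(arg))
```

Run it with archive paths as arguments to triage quarantined attachments; RAR archives need a separate reader, since the standard library only parses ZIP.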
Researchers at Group-IB found instances of this vulnerability being exploited on cryptocurrency and stock trading forums. The attackers impersonated enthusiasts and shared trading strategies with unsuspecting victims. Shortly after Group-IB disclosed its findings, proof-of-concept exploits started appearing in public GitHub repositories, leading to what Google TAG describes as CVE-2023-38831 "testing activity" by financially motivated hackers and APT groups.
Other cybersecurity companies have also linked this WinRAR exploit to several other threat groups, including DarkPink (NSFOCUS) and Konni (Knownsec). The zero-day was fixed with the release of WinRAR version 6.23 on August 2, which also resolved several other security flaws, including CVE-2023-40477.
Google highlighted the effectiveness of exploiting known vulnerabilities, even when patches are available, and emphasized the importance of patching. They stated, "These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date."