Google's Threat Analysis Group (TAG) has discovered that multiple state-sponsored hacking groups are exploiting a severe vulnerability in WinRAR, a widely used file archiver for Windows, to execute arbitrary code on victims' systems. The vulnerability, tracked as CVE-2023-38831, has been targeted by state-sponsored hackers from several countries, including Russia's Sandworm and APT28 groups and China's APT40.
In a statement, Google said, "In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows." Despite the availability of a patch, many users remain vulnerable.
The Russian Sandworm group used the vulnerability to deliver the Rhadamanthys infostealer in a phishing campaign built around fake invitations to a Ukrainian drone training school. Another Russian group, APT28, exploited the same flaw against Ukrainian users, staging its attacks on servers provided by a free hosting provider, and used a malicious PowerShell script known as IRONJAW to steal browser credentials.
The APT40 group, based in China, also exploited the WinRAR vulnerability in attacks against targets in Papua New Guinea. They used malware known as ISLANDSTAGER and BOXRAT to maintain persistence on the compromised systems.
CVE-2023-38831 has been actively exploited since at least April 2023. Attackers craft RAR or ZIP archives in which a harmless-looking decoy file, such as a PDF or image, sits beside a folder of the same name that holds a script; when the victim double-clicks the decoy in a vulnerable WinRAR, the script runs instead of the document. Malware delivered this way includes DarkMe, GuLoader, and Remcos RAT.
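As an added example (not code from the article, Google TAG, or Group-IB), the following Python script checks a ZIP archive for the layout that the publicly analysed CVE-2023-38831 samples share, as documented by Group-IB: a top-level decoy file whose name ends in a space, next to a directory of exactly the same name holding a script named after the decoy (for example "decoy.pdf " and "decoy.pdf /decoy.pdf .cmd"). The sample archives are constructed in memory with inert placeholder content; the executable-extension list and the confidence labels are assumptions of this heuristic. It covers ZIP only, because the Python standard library has no RAR parser.

```python
import io
import zipfile

# Extensions Windows' ShellExecute will try appending when the name it is given
# matches no file (PATHEXT-style lookup). This list is an assumption of the
# heuristic, not taken from the article.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr", ".pif")


def find_cve_2023_38831(zip_bytes: bytes) -> list[dict]:
    """Flag decoy/payload pairs laid out like CVE-2023-38831 exploit archives.

    Pattern (per Group-IB's public analysis): a top-level file such as
    "decoy.pdf " (trailing space) beside a directory of the same name that
    contains "decoy.pdf .cmd". Double-clicking the decoy in a vulnerable
    WinRAR extracts both into a temp folder and launches the script.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename.replace("\\", "/") for info in zf.infolist()]

    findings = []
    for decoy in names:
        if "/" in decoy:          # only top-level regular files can be decoys
            continue
        prefix = decoy + "/"      # a directory with exactly the decoy's name
        payloads = []
        for entry in names:
            if not entry.startswith(prefix):
                continue
            child = entry[len(prefix):]
            if not child or "/" in child:   # skip the dir entry itself and nested paths
                continue
            if child.lower().startswith(decoy.lower()) and child.lower().endswith(SCRIPT_EXTS):
                payloads.append(entry)
        if payloads:
            findings.append({
                "decoy": decoy,
                "trailing_space": decoy.endswith(" "),
                "payloads": payloads,
                # The trailing space is what makes the extension lookup land on
                # the script; without it the decoy itself would simply open.
                "confidence": "high" if decoy.endswith(" ") else "medium",
            })
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan a ZIP file on disk (assumed helper for command-line use)."""
    with open(path, "rb") as fh:
        return find_cve_2023_38831(fh.read())


def build_sample_archive(decoy: str, script_name: str) -> bytes:
    """Constructed in-memory ZIP in the exploit layout; contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"%PDF-1.4\n% constructed decoy, not a real document\n")
        zf.writestr(decoy + "/" + script_name, b"@echo off\r\nrem constructed placeholder\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed ZIP that shares superficial features but is not the exploit layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("report.pdf.bak", b"")                 # similar name, no same-named directory
        zf.writestr("assets/report.cmd", b"@echo off\r\n")  # a script, but under a different parent
    return buf.getvalue()


if __name__ == "__main__":
    print("benign:", find_cve_2023_38831(build_benign_archive()))
    print("exploit layout:", find_cve_2023_38831(build_sample_archive("decoy.pdf ", "decoy.pdf .cmd")))
```

The trailing-space check is the discriminating signal: an archive can legitimately contain a file and a directory with similar names, but a top-level file name ending in a space next to a same-named directory holding a script named after it has no benign use and is worth quarantining at the mail gateway or in a sandbox pre-filter.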
Researchers at Group-IB found the vulnerability being exploited on cryptocurrency and stock trading forums, where the attackers posed as fellow traders and shared archives purporting to contain trading strategies. Shortly after Group-IB disclosed its findings, proof-of-concept exploits appeared in public GitHub repositories, leading to what Google TAG describes as CVE-2023-38831 "testing activity" by both financially motivated hackers and APT groups.
Other cybersecurity companies have linked the WinRAR exploit to further threat groups, including DarkPink (NSFOCUS) and Konni (Knownsec). The zero-day was fixed in WinRAR version 6.23, released on August 2, 2023, which also resolved several other security flaws, including CVE-2023-40477. WinRAR has no automatic update mechanism, so users must download and install the new version themselves.
Google highlighted the effectiveness of exploiting known vulnerabilities, even when patches are available, and emphasized the importance of patching. They stated, "These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date."