WinRAR used in attacks

Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, compression software used by over 500 million users, aiming to gain arbitrary code execution on targets’ systems.

Google’s Threat Analysis Group (TAG), a team of security experts who defend Google users from state-sponsored attacks, has detected state hackers from several countries targeting the bug, including the Sandworm, APT28, and APT40 threat groups from Russia and China.

“In recent weeks, Google’s Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows,” Google TAG said today.

“A patch is now available, but many users still seem to be vulnerable. TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations.”

In an early September attack, Russian Sandworm hackers delivered Rhadamanthys infostealer malware in phishing attacks using fake invitations to join a Ukrainian drone training school.

Another Russian hacking group, APT28, targeted Ukrainian users with CVE-2023-38831 exploits hosted on servers provided by a free hosting provider. In this attack, the threat actors used a malicious PowerShell script (IRONJAW) to steal browser credentials.

Additionally, Chinese APT40 hackers exploited the WinRAR vulnerability in attacks against targets in Papua New Guinea. They deployed ISLANDSTAGER and BOXRAT, allowing them to establish persistence on compromised systems.

Exploited as a zero-day since April

The CVE-2023-38831 WinRAR flaw has been under active exploitation as a zero-day since at least April 2023, allowing threat actors to gain code execution on their targets’ systems by tricking them into opening maliciously crafted RAR and ZIP archives containing booby-trapped decoy files.
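The article does not spell out what a booby-trapped archive looks like, so the following is an added triage example, not code from Google TAG, Group-IB or the article: it scans ZIP entry names for the layout described in public analyses of CVE-2023-38831, a decoy file paired with a same-named directory carrying a trailing space that holds a script whose name starts with the decoy's. The extension list and the `suspicious_entries` / `scan_zip` names are this example's own choices; the check is a heuristic for mail-gateway or incident triage, and patching to WinRAR 6.23 remains the fix.

```python
"""Heuristic scan of ZIP entry names for the CVE-2023-38831 decoy layout.

Publicly documented exploit archives pair a harmless-looking decoy file
(e.g. "report.pdf") with a directory of the same name plus a trailing space
("report.pdf ") that holds a script whose name begins with the decoy name
(e.g. "report.pdf .cmd"). Legitimate archives almost never contain a
directory name ending in a space, so this layout is a strong signal.
"""
import posixpath
import zipfile

# Extensions that would execute if the hidden entry were launched (assumed list).
EXEC_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".wsf", ".ps1",
             ".com", ".scr", ".hta", ".lnk"}


def suspicious_entries(names):
    """Return sorted (decoy, hidden_script) pairs matching the layout.

    `names` is the archive's entry list as stored (ZIP always uses '/').
    """
    files = {n for n in names if not n.endswith("/")}
    dirs = set()
    for n in names:
        # Directories appear as explicit "x/" entries or are implied by paths.
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    hits = []
    for d in dirs:
        stripped = d.rstrip(" ")
        # Only a trailing-space directory that mirrors a real file is of interest.
        if stripped == d or stripped not in files:
            continue
        decoy = posixpath.basename(stripped)
        for f in files:
            if posixpath.dirname(f) != d:
                continue
            base = posixpath.basename(f)
            ext = posixpath.splitext(base)[1].lower()
            if base.startswith(decoy) and ext in EXEC_EXTS:
                hits.append((stripped, f))
    return sorted(hits)


def scan_zip(path):
    """Run the heuristic against a ZIP file on disk; returns the hit list."""
    with zipfile.ZipFile(path) as zf:
        return suspicious_entries(zf.namelist())
```

RAR archives need a RAR-capable listing tool in place of `zipfile`; the name check itself is the same.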

Since April, the bug has been used to deliver a wide range of malware payloads, including DarkMe, GuLoader, and Remcos RAT.

Group-IB researchers discovered instances of exploitation targeting cryptocurrency and stock trading forums. In these attacks, the threat actors impersonated fellow enthusiasts while pretending to share trading strategies with unsuspecting victims.

Figure: CVE-2023-38831 infection chain (Group-IB)

Within hours of Group-IB disclosing its findings, proof-of-concept exploits began surfacing on public GitHub repositories, immediately leading to what Google TAG describes as CVE-2023-38831 “testing activity” by financially motivated hackers and APT groups.

Other cybersecurity companies have also linked attacks exploiting this WinRAR vulnerability with several other threat groups, including DarkPink (NSFOCUS) and Konni (Knownsec).

The zero-day was fixed with the release of WinRAR version 6.23 on August 2, which also resolved several other security flaws. One of them is CVE-2023-40477, a bug that can be exploited to trigger command execution via specially crafted RAR files.

“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available. Even the most sophisticated attackers will only do what is necessary to accomplish their goals,” Google said.

“These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date.”
