State-sponsored APTs are leveraging WinRAR bug

A number of government-backed APTs are exploiting CVE-2023-38831, a file extension spoofing vulnerability in WinRAR, a widely used file archiver utility for Windows.


CVE-2023-38831 was patched in August 2023, along with another high-severity RCE vulnerability (CVE-2023-40477).

Exploited as a zero-day by cybercriminals since April 2023, the vulnerability is now also being used by state-sponsored hacking groups.

“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available,” Google TAG analysts have noted.

A proof of concept for generating ZIP archives capable of triggering CVE-2023-38831 is available online.
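Defenders can check incoming archives for the layout these exploit archives rely on: a decoy file next to a directory of the same name plus a trailing space, holding an executable. The script below is an added example, not code from the article or from Google TAG; the executable-extension list and the file names in the constructed sample archives are assumptions.

```python
import io
import os
import zipfile

# Extensions Windows runs when the spoofed entry is opened
# (illustrative list, an assumption of this example; extend as needed).
EXEC_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".lnk"}


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list:
    """Return (decoy, directory, script) triples matching the archive layout
    CVE-2023-38831 exploits use: a top-level decoy file plus a directory named
    like the decoy with a trailing space, containing an executable file."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    findings = []
    for name in files:
        if "/" not in name:
            continue
        top, _, leaf = name.partition("/")
        # The directory must carry a trailing space and, once that space is
        # stripped, collide with a top-level file in the same archive.
        if not top.endswith(" ") or top.rstrip(" ") not in files:
            continue
        if os.path.splitext(leaf.rstrip(" "))[1].lower() in EXEC_EXTS:
            findings.append((top.rstrip(" "), top, name))
    return sorted(findings)


def build_sample(suspicious: bool) -> bytes:
    """Constructed test archives (not real samples). The suspicious variant
    reproduces only the name layout; its contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invite.pdf", b"%PDF-1.4 decoy text")
        if suspicious:
            zf.writestr("invite.pdf /invite.pdf .cmd", b"echo constructed sample")
        else:
            zf.writestr("attachments/readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, find_cve_2023_38831_pattern(build_sample(flag)))
```

Flagged archives should be quarantined rather than opened; the check is only a layout heuristic and does not replace patching WinRAR.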

Phishing emails carry exploits

Google’s analysts have flagged several campaigns using CVE-2023-38831 and have shared IoCs related to all of those attacks.

The infamous Sandworm hackers impersonated a Ukrainian drone warfare training school in early September. The emails they sent out contained an invitation to join the school and a booby-trapped archive file that, when unpacked with a vulnerable version of WinRAR, would also run the Rhadamanthys infostealer.

Around the same time, Fancy Bear (APT28) – which is also believed to be sponsored by the Russian government – targeted Ukrainians working in the energy sector with a fake event invitation from a public policy think tank in Ukraine.

Google researchers also analyzed a file (IOC_09_11.rar) that was uploaded to VirusTotal in September and that triggers a PowerShell script which steals browser login data and local state directories.

Researchers with DuskRise’s Cluster25 threat intelligence team say that the file appears to contain indicators of compromise (IoCs) for a variety of malware, but also triggers the WinRAR flaw and launches PowerShell commands that open a reverse shell on the target machine and exfiltrate login credentials stored in Google Chrome and Microsoft Edge.

“According to the Cluster25 visibility and considering the sophistication of the infection chain, the attack could be related with low-to-mid confidence to the Russian state-sponsored group APT28 (aka Fancy Bear, Sednit),” they added.

Finally, Google says that a recent phishing campaign targeting Papua New Guinea with a ZIP archive containing the CVE-2023-38831 exploit and leading to the download of a backdoor was mounted by government-backed groups linked to China.

“Even the most sophisticated attackers will only do what is necessary to accomplish their goals,” Google’s analysts pointed out. Obviously, these threat actors are counting on organizations lagging behind with critical patches.
