State-sponsored APTs are leveraging WinRAR bug
2023-10-18 15:00

A number of government-backed APTs are exploiting CVE-2023-38831, a file extension spoofing vulnerability in WinRAR, a widely used file archiver utility for Windows.

"The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available," Google TAG analysts have noted.

Google's analysts have flagged several campaigns using CVE-2023-38831 and have shared IoCs related to all of those attacks.

Google researchers also analyzed a file that was uploaded on VirusTotal in September and that triggers a PowerShell script that steals browser login data and local state directories.

Researchers with DuskRise's Cluster25 threat intelligence team say that the file appears to contain indicators of compromise for a variety of malware, but it also triggers the WinRAR flaw and launches PowerShell commands that open a reverse shell on the target machine and exfiltrate login credentials stored in Google Chrome and Microsoft Edge.

Finally, Google says that a recent phishing campaign targeting Papua New Guinea, which used a ZIP archive containing the CVE-2023-38831 exploit and led to the download of a backdoor, was mounted by government-backed groups linked to China.


News URL

https://www.helpnetsecurity.com/2023/10/18/apts-winrar-cve-2023-38831/

Related Vulnerability

Date: 2023-08-23
CVE: CVE-2023-38831
Title: Insufficient Verification of Data Authenticity vulnerability in Rarlab WinRAR
Description: RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.
Attack vector: local
Attack complexity: low
Vendor: rarlab
Weakness: CWE-345
Risk score: 7.8