Security News > 2023 > October > State-sponsored APTs are leveraging WinRAR bug
A number of government-backed APTs are exploiting CVE-2023-38831, a file extension spoofing vulnerability in WinRAR, a widely used file archiver utility for Windows.
"The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available," Google TAG analysts have noted.
Google's analysts have flagged several campaigns using CVE-2023-38831 and have shared IoCs related to all of those attacks.
Google researchers also analyzed a file that was uploaded on VirusTotal in September and that triggers a PowerShell script that steals browser login data and local state directories.
Researchers with DuskRise's Cluster25 threat intelligence team say that the file appears to contain indicators of compromise for a variety of malware, but also triggers the WinRAR flaw and the launching of PowerShell commands that open a reverse shell on the target machine and exfiltrate login credentials stored in Google Chrome and Microsoft Edge.
Finally, Google says that a recent phishing campaign targeting Papua New Guinea with a ZIP archive containing the CVE-2023-38831 exploit and leading to the download of a backdoor, was mounted by government-backed groups linked to China.
News URL
https://www.helpnetsecurity.com/2023/10/18/apts-winrar-cve-2023-38831/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-23 | CVE-2023-38831 | Unspecified vulnerability in Rarlab Winrar RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. | 7.8 |