Google TAG Alerts on Exploitation of WinRAR Vulnerability by State-Backed Hackers
In recent weeks, alarming revelations emerged from Google’s Threat Analysis Group (TAG). They’ve identified multiple state-sponsored hacking groups actively leveraging a known vulnerability (CVE-2023-38831) in WinRAR, a widely used file archiver tool for Windows.
Since early 2023, cybercriminal groups have been exploiting this specific vulnerability, even before a fix was available. Although a patch has since been released, many users remain exposed to this gaping security flaw. Such negligence becomes fertile ground for malicious entities, especially when they are supported by powerful governmental apparatuses.
WinRAR’s recent vulnerability, tracked as CVE-2023-38831, stems from a logic flaw: when handling specially crafted archives, WinRAR extracts more content into its temporary directory than the user intended. Combined with an oversight in how Windows’ ShellExecute resolves the file to open, this lets attackers execute arbitrary code when a user simply tries to view an innocent-looking file inside a ZIP archive.
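The following scanner is an added example, not code from the article or from Google TAG. It assumes the lure layout described in public analyses of CVE-2023-38831: a benign-looking decoy file sits next to a same-named directory (typically distinguished only by trailing whitespace) that holds a script or executable, so that opening the decoy causes WinRAR to spill the directory's contents into its temp folder and ShellExecute runs the script instead of the document. The scanner reads only archive metadata, extracts nothing, and ships with two constructed sample archives (one clean, one shaped like a lure with harmless placeholder contents) so it runs offline:

```python
"""Heuristic scanner for ZIP archives laid out like CVE-2023-38831 lures.

Added example, not from the original article. Assumption: the lure is
an archive holding a decoy file (e.g. "report.pdf ") next to a directory
of the same name whose contents include a script or executable. Only
archive metadata is inspected; nothing is extracted or executed.
"""
from __future__ import annotations

import io
import zipfile
from collections import defaultdict

# File types that ShellExecute would run rather than display (assumed list).
EXECUTABLE_SUFFIXES = (".cmd", ".bat", ".exe", ".com", ".ps1", ".vbs", ".js", ".scr")


def _normalize(name: str) -> str:
    """Drop directory markers and trailing whitespace so 'a.pdf ' == 'a.pdf'."""
    return name.rstrip("/").rstrip()


def find_suspicious_pairs(zf: zipfile.ZipFile) -> list[dict]:
    """Return every decoy file that has a same-named directory holding a runnable file."""
    top_level_files: dict[str, str] = {}          # normalized name -> original entry name
    dir_children: dict[str, list[str]] = defaultdict(list)  # normalized dir -> entries under it
    for info in zf.infolist():
        parts = info.filename.split("/")
        if len(parts) == 1 and not info.is_dir():
            top_level_files[_normalize(info.filename)] = info.filename
        elif len(parts) >= 2:
            dir_children[_normalize(parts[0])].append(info.filename)

    findings = []
    for base, decoy in top_level_files.items():
        for child in dir_children.get(base, []):
            # Path of the child relative to the colliding directory.
            child_rel = _normalize(child.split("/", 1)[1])
            if child_rel.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append({"decoy": decoy, "payload": child})
    return findings


def scan_bytes(data: bytes) -> list[dict]:
    """Scan an in-memory ZIP archive and return the suspicious pairs found."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_suspicious_pairs(zf)


def build_constructed_samples() -> dict[str, bytes]:
    """Constructed sample archives (harmless contents) for exercising the scanner."""
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("notes.txt", "quarterly notes\n")
        zf.writestr("images/logo.png", b"\x89PNG placeholder")

    lure = io.BytesIO()
    with zipfile.ZipFile(lure, "w") as zf:
        # Decoy with a trailing space, plus a same-named directory holding a script.
        zf.writestr("report.pdf ", b"%PDF-1.4 placeholder")
        zf.writestr("report.pdf /report.pdf .cmd", "@echo placeholder\n")
    return {"clean.zip": clean.getvalue(), "lure.zip": lure.getvalue()}


if __name__ == "__main__":
    for name, blob in build_constructed_samples().items():
        hits = scan_bytes(blob)
        verdict = "SUSPICIOUS" if hits else "clean"
        print(f"{name}: {verdict}")
        for hit in hits:
            print(f"  decoy={hit['decoy']!r} payload={hit['payload']!r}")
```

This is a triage heuristic rather than a complete detector: it flags the structural collision that the exploit depends on, so it can be run over mail attachments or file-share uploads before WinRAR ever touches them, and a hit should be reviewed alongside whether the receiving host is still on an unpatched WinRAR build.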
By April 2023, cybercriminals were exploiting this as a 0-day vulnerability, aiming at financial traders to disseminate a range of malware. The situation intensified when proof-of-concept exploits started appearing on public GitHub repositories, resulting in more cybercriminals and advanced persistent threat (APT) actors joining the fray.
One particular group, FROZENBARENTS (attributed to Russia’s GRU Unit 74455), launched a deceitful email campaign in September. Masquerading as a Ukrainian drone warfare training school invitation, the email contained malicious ZIP files that exploited the WinRAR vulnerability. What’s worse, the payload was Rhadamanthys, an infostealer available for rent, signaling an unusual modus operandi for FROZENBARENTS.
FROZENLAKE, another group linked to the Russian GRU, targeted Ukrainian energy infrastructure and government organizations using the same WinRAR vulnerability. In one instance, a sample named “IOC_09_11.rar” was found exploiting CVE-2023-38831, dropping a file that initiated a reverse SSH shell to an attacker’s IP and executed the malicious IRONJAW script.
TAG’s observations aren’t limited to Russian-backed groups. China-linked group ISLANDDREAMS (or APT40) also hopped onto the exploitation bandwagon. They aimed their spear-phishing campaigns at Papua New Guinea in late August, using the same WinRAR vulnerability to deliver their payload.
The attack chain relies on ISLANDSTAGER, which is loaded by starting a legitimate process and sideloading a malicious file into it. Persistence is then established by modifying registry keys. ISLANDSTAGER decodes several layers of shellcode, culminating in the final BOXRAT payload – a .NET backdoor that abuses Dropbox’s API for command and control.
In light of these sophisticated cyber-attacks, it’s paramount for organizations and users to maintain updated software and promptly install security patches. Google’s Safe Browsing and Gmail are excellent starting points as they’ve been known to block files containing the exploit. Staying informed and proactive in digital security hygiene remains the first line of defense against such looming threats.