
Google TAG Analysis: State-Backed Operatives Leveraging WinRAR Vulnerability


Several state-backed threat actors from Russia and China have been observed leveraging a recent security vulnerability within the WinRAR archiver tool for Windows as part of their ongoing operations.

What’s Vulnerable?

The specific vulnerability in question is CVE-2023-38831 (CVSS score of 7.8), fixed in WinRAR 6.23. The flaw lets an attacker execute arbitrary code when a user opens a benign-looking file (a PDF or an image, say) inside a crafted ZIP archive: the archive also carries a folder with the same name that holds a script, and because of how WinRAR handles the colliding names, the script is extracted and executed along with the decoy.

The exploitation of this vulnerability has been actively recorded since at least April 2023.

Google’s Threat Analysis Group (TAG), which detected and monitored these activities in recent weeks, attributes them to three distinct clusters it tracks under the codenames

  • FROZENBARENTS (also referred to as Sandworm), 
  • FROZENLAKE (known as APT28), and 
  • ISLANDDREAMS (referred to as APT40).

Details About the Techniques

  1. Sandworm

The phishing attack associated with Sandworm involved the impersonation of a Ukrainian drone warfare training school in early September. 

This impersonation was used to distribute a malicious ZIP file that exploits CVE-2023-38831, serving as a delivery mechanism for Rhadamanthys, a commodity stealer malware available for a monthly subscription fee of $250.

  2. APT28

APT28, which, like Sandworm, is linked to the Main Directorate of the General Staff of the Russian Federation (GRU), ran an email campaign targeting government organizations in Ukraine.

In these attacks, Ukrainians were prompted to download a file containing an exploit for CVE-2023-38831. The decoy document in question masqueraded as an event invitation from the Razumkov Centre, a public policy think tank in Ukraine.

“Regarding the WinRAR vulnerability, the exploitation leads to the execution of a PowerShell script named IRONJAW, designed to steal browser login data and local state directories. The stolen information is subsequently exported to an infrastructure under the control of the threat actors, located at webhook[.]site.”

  3. APT40

The third threat actor to capitalize on the WinRAR vulnerability is APT40, which launched a phishing campaign targeting Papua New Guinea. 

Email messages in this campaign included a Dropbox link to a ZIP archive containing the CVE-2023-38831 exploit. 

This infection sequence ultimately facilitated the deployment of a dropper named ISLANDSTAGER, responsible for loading BOXRAT, a .NET-based backdoor that utilizes the Dropbox API for command and control.

This disclosure reinforces recent findings from Cluster25, which detailed attacks carried out by the APT28 hacking group exploiting the WinRAR vulnerability to conduct credential harvesting operations.

You’ve Got to Save IT!

Researchers at TAG highlight what the widespread exploitation of this WinRAR vulnerability demonstrates: known vulnerabilities remain effective even when patches are readily available, and even highly sophisticated attackers only employ what is necessary to achieve their objectives.

The way forward is prompt patching (WinRAR 6.23 or later fixes CVE-2023-38831; WinRAR has no auto-update mechanism, so users must install the new version themselves) together with proactive detection of crafted archives arriving by email or download links, to limit the remaining window of exposure.
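One proactive check that follows from the mechanism described under “What’s Vulnerable?” is to inspect incoming ZIP attachments for the exploit layout itself rather than for a particular payload. The script below is an added example, not code from this article or from Google TAG: it parses a ZIP and reports the file/folder name collision (decoy name with a trailing space, plus a folder of the same name holding a script) that the public analysis of CVE-2023-38831 describes. The two archives it builds are constructed test data, and the names `find_cve_2023_38831_pattern`, `Finding` and `EXECUTABLE_EXTS` are chosen here for illustration.

```python
"""Flag ZIP archives laid out to trigger CVE-2023-38831.

Added example; not code from the PureVPN article or from Google TAG.
The layout it looks for is the publicly documented one for this bug: a
decoy file whose name ends in a space, plus a folder of the same name
that holds a script (typically "<decoy> .cmd"). Opening the decoy in an
unpatched WinRAR runs the script. The archives built at the bottom are
constructed test data, not real samples.
"""
import io
import os
import sys
import zipfile
from dataclasses import dataclass

# Extensions the Windows shell will execute if WinRAR launches them.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk"}


@dataclass(frozen=True)
class Finding:
    decoy: str        # top-level entry the victim is meant to double-click
    payload: str      # entry inside the same-named folder that would run
    executable: bool  # payload has an extension the shell executes


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list[Finding]:
    """Return every decoy/payload pair whose layout matches the exploit."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]

    findings: list[Finding] = []
    # No ordinary archiver produces a regular file and a directory with the
    # same name; the exploit needs exactly that collision, and the trailing
    # space is what makes WinRAR's temp-file handling pick the wrong target.
    decoys = [n for n in names if "/" not in n and n.endswith(" ")]
    for decoy in decoys:
        folder = decoy + "/"
        for name in names:
            if not name.startswith(folder):
                continue
            inner = name[len(folder):]
            ext = os.path.splitext(inner.rstrip())[1].lower()
            findings.append(Finding(decoy, name, ext in EXECUTABLE_EXTS))
    return findings


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed: mimics a weaponised archive (PDF decoy, .cmd in the twin folder).
MALICIOUS_ZIP = build_archive({
    "invitation.pdf ": b"%PDF-1.4 decoy",
    "invitation.pdf /invitation.pdf .cmd": b"@echo off\r\necho constructed test payload\r\n",
})

# Constructed: an ordinary archive, a file plus an unrelated folder.
BENIGN_ZIP = build_archive({
    "invitation.pdf": b"%PDF-1.4 real document",
    "images/logo.png": b"\x89PNG",
})


def scan_file(path: str) -> list[Finding]:
    """Scan a ZIP on disk, e.g. a quarantined mail attachment."""
    with open(path, "rb") as fh:
        return find_cve_2023_38831_pattern(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # No paths given: demonstrate on the constructed samples.
        for label, blob in (("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP)):
            print(label, find_cve_2023_38831_pattern(blob))
    for path in targets:
        for f in scan_file(path):
            print(f"{path}: decoy {f.decoy!r} -> payload {f.payload!r}"
                  f" (executable={f.executable})")
```

Because the check keys on the archive layout rather than on a hash or a payload signature, it flags a freshly built lure for this bug as readily as the samples the three clusters used; run it against a mail gateway quarantine or a download directory with `python scan_zip.py attachment.zip`. It parses ZIP only, which is the container the reported campaigns used, and it does not replace patching: a collision-free archive can still carry ordinary malware.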

author

PureVPN

date

October 20, 2023

