Google security researchers say they have found evidence that state-backed hackers linked to Russia and China are exploiting an already patched vulnerability in WinRAR, a popular Windows shareware archiving tool. The flaw, tracked as CVE-2023-38831 and first discovered earlier this year by cybersecurity firm Group-IB, lets an attacker hide a malicious script inside an archive next to a seemingly innocuous decoy such as an image or text document; a victim who double-clicks the decoy in a vulnerable WinRAR ends up running the script instead.
Group-IB said the flaw was exploited as a zero-day (that is, before its developers knew of it and could fix it) as far back as April, compromising the devices of at least 130 financial traders.
Rarlab, the company behind WinRAR, released a fixed version (6.23) on August 2.
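The text above describes the lure only in outline. The archive layout that Group-IB documented for CVE-2023-38831 is a decoy file (say "Screenshot.png"), a folder with the same name, and inside that folder a script whose name is the decoy's name plus a space and an executable extension ("Screenshot.png .cmd"); a vulnerable WinRAR handed the script rather than the decoy to the shell. The following is an added example, not code from Google TAG, Group-IB or Rarlab: a small Python triage script that scans a ZIP for that shape, useful for checking mail attachments in a fleet that has not finished rolling out 6.23. The extension list, the helper names and the in-memory sample archives are constructed for the example, and the sample "payload" is an inert echo line.

```python
import io
import zipfile
from typing import List

# Extensions an attacker would use for the hidden script. Constructed list for
# this example, not an exhaustive one; extend it to match your environment.
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk")


def _norm(name: str) -> str:
    """Case-fold and strip trailing spaces; the lure relies on trailing-space names."""
    return name.rstrip(" ").lower()


def find_cve_2023_38831_candidates(archive: bytes) -> List[str]:
    """Return archive entries that match the decoy-plus-same-named-folder layout.

    A hit requires all three parts: a plain file entry (the decoy), a directory
    entry with the same name, and a file inside that directory whose name starts
    with the decoy's name and ends in a script extension.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
        files = [n for n in names if not n.endswith("/")]
        file_keys = {_norm(n) for n in files}
        for name in names:
            if not name.endswith("/"):
                continue
            folder = name[:-1]
            if _norm(folder) not in file_keys:
                continue  # folder with no same-named decoy file: not the pattern
            decoy_base = _norm(folder.rsplit("/", 1)[-1])
            for inner in files:
                if not inner.startswith(name):
                    continue
                leaf = _norm(inner[len(name):])
                if "/" in leaf:
                    continue  # deeper nesting is not what the exploit uses
                if (leaf.startswith(decoy_base) and leaf != decoy_base
                        and leaf.endswith(SCRIPT_EXTENSIONS)):
                    hits.append(inner)
    return hits


def build_sample_archive(decoy: str, weaponized: bool) -> bytes:
    """Build a constructed in-memory ZIP shaped like the lure (inert payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Decoy bytes only resemble a PNG header; this is not a real image.
        zf.writestr(decoy, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if weaponized:
            zf.writestr(decoy + "/", b"")  # same-named folder
            zf.writestr(f"{decoy}/{decoy} .cmd", b"@echo constructed sample\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_sample_archive("Screenshot.png", False)),
                        ("lure", build_sample_archive("Screenshot.png", True))):
        print(label, find_cve_2023_38831_candidates(blob))
```

The check is deliberately structural: it does not inspect the script's contents, so it also flags archives carrying payloads your antivirus has never seen, and a clean archive that merely contains both a file and a folder of the same name but no executable inside the folder is not reported.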
Still, Google's Threat Analysis Group (TAG) said this week that its researchers have observed multiple government-backed hacking groups exploiting the flaw, noting that "many users" who have not updated the app remain vulnerable. In research shared with TechCrunch ahead of publication, TAG said it observed several campaigns exploiting the WinRAR bug that it links to state-sponsored groups with ties to Russia and China.
One of the groups is Sandworm, a Russian military intelligence unit known for destructive cyberattacks such as the NotPetya outbreak it launched in 2017, which primarily hit Ukrainian computer systems, and for earlier attacks on Ukraine's power grid.
TAG researchers observed Sandworm exploiting the WinRAR flaw in early September in a malicious email campaign impersonating a Ukrainian drone warfare training school. The emails contain a link to a malicious archive that exploits CVE-2023-38831; when the victim opens it, information-stealing malware is installed on the computer and harvests browser-stored passwords.
Separately, TAG said another notorious Russian-backed group, tracked as APT28 and commonly known as Fancy Bear, exploited the WinRAR flaw against Ukrainian users in an email campaign impersonating the Razumkov Center, a Ukrainian public policy think tank. Fancy Bear is best known for its 2016 hack-and-leak campaign against the Democratic National Committee.
Google's findings follow an earlier discovery by threat intelligence firm Cluster25, which said last week it had also observed Russian hackers exploiting the WinRAR vulnerability in a phishing campaign designed to harvest credentials from infected systems. Cluster25 assessed with "low to moderate confidence" that Fancy Bear was behind that campaign.
Google added that its researchers found evidence that APT40, a China-backed hacking group the U.S. government has previously linked to China's Ministry of State Security, also abused the WinRAR flaw in phishing campaigns against users in Papua New Guinea. Those emails contain Dropbox links to archive files that exploit CVE-2023-38831.
TAG researchers warn that the continued exploitation of the WinRAR flaw "highlights how effective exploits of known vulnerabilities can be" when attackers take advantage of the slow pace of patching.
Learn more:
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/