Google TAG Uncovers State-Backed Threat Actors Exploiting WinRAR Vulnerability

Several state-backed threat actors, originating from Russia and China, have been identified exploiting a recent security flaw in the WinRAR archiver tool for Windows in the course of their operations.

The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which enables attackers to execute arbitrary code when a user attempts to view a seemingly harmless file within a ZIP archive. It has been actively abused since at least April 2023.

In recent weeks, Google’s Threat Analysis Group (TAG) detected these activities and attributed them to three distinct clusters it monitors, known as FROZENBARENTS (also known as Sandworm), FROZENLAKE (also known as APT28), and ISLANDDREAMS (also known as APT40).

The Sandworm cluster distributed a malicious ZIP file that exploited CVE-2023-38831 to deliver Rhadamanthys, a commodity stealer malware available for a $250 monthly subscription.

APT28, which like Sandworm is linked to the Main Directorate of the General Staff of the Russian Federation (GRU), conducted an email campaign targeting government organizations in Ukraine. Ukrainian users were prompted to download a file containing a CVE-2023-38831 exploit, disguised as an event invitation from the Razumkov Centre, a Ukrainian public policy think tank.

This led to the execution of a PowerShell script named IRONJAW, which stole browser login data and local state directories and exfiltrated the information to actor-controlled infrastructure on webhook[.]site.

The third threat actor to exploit the WinRAR vulnerability is APT40, which launched a phishing campaign. Email messages included a Dropbox link to a ZIP archive containing the CVE-2023-38831 exploit. This infection sequence facilitated the deployment of a dropper called ISLANDSTAGER, responsible for loading BOXRAT, a .NET backdoor that utilizes the Dropbox API for command-and-control.

The revelation builds upon earlier discoveries from Cluster25, which disclosed attacks conducted by the APT28 hacking group exploiting the WinRAR flaw for credential harvesting operations.

Other state-sponsored adversaries that have also taken advantage of this situation include Konni (with ties to a North Korean cluster called Kimsuky) and Dark Pink (also known as Saaiwc Group), according to findings from the Knownsec 404 team and NSFOCUS.

A TAG researcher emphasized the significance of these findings, noting that the widespread exploitation of the WinRAR vulnerability highlights the effectiveness of exploiting known vulnerabilities, even when patches are available. It also shows that even the most sophisticated attackers do only what is necessary to achieve their objectives.