Multiple APT groups exploited WinRAR flaw CVE-2023-38831

Google TAG reported that both Russia and China-linked threat actors are weaponizing the a high-severity vulnerability in WinRAR.

Google’s Threat Analysis Group (TAG) reported that in recent weeks multiple nation-state actors were spotted exploiting the vulnerability CVE-2023-38831 in WinRAR. The researchers reported that several cybercrime groups began exploiting the flaw in early 2023, when the bug was still a zero-day. The vulnerability has been patched, but but manyhave yet to update their installs.

“As detailed in a blog post from Group-IB, the vulnerability had been exploited as 0-day by cybercrime actors in-the-wild since at least April 2023 for campaigns targeting financial traders to deliver various commodity malware families.” reported Google TAG. “Hours after the blog post was released, proof of concepts and exploit generators were uploaded to public GitHub repositories. Shortly after that, TAG began to observe testing activity from both financially motivated and APT actors experimenting with CVE-2023-38831.”

Google’s Threat Analysis Group (TAG) experts observed multiple APT groups exploiting the issue, including Russia-linked Sandworm/APT28, and China-linked APT40.

In April, Google observed Russia-linked FROZENBARENTS APT (aka SANDWORM) impersonates Ukrainian drone training school to deliver the Rhadamanthys infostealer.

The threat actors used a lure themed as an invitation to join the school, the email included a link to an anonymous file-sharing service, fex[.]net. The file-sharing service was used to deliver a benign decoy PDF document with a drone operator training curriculum and specially crafted ZIP archive (“Навчальна-програма-Оператори.zip” (Training program operators)) that exploits the flaw CVE-2023-38831.

In September, CERT-UA observed the FROZENLAKE group exploitingthe WinRAR flaw to deploy malware in attacks aimed at energy infrastructure.

Google TAG experts also observed the Russia-linked ATP28 group exploiting the flaw in attacks against Ukraine users. The state-sponsored hackers employed a malicious PowerShell script (IRONJAW) to steal browser login data and local state directories.

The China-linked APT40 group was observed exploiting the CVE-2023-38831 vulnerability in attacks against targets in Papua New Guinea.

“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available. Even the most sophisticated attackers will only do what is necessary to accomplish their goals. These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date. TAG will continue to compile and share threat intelligence for the protection of online users and Google products, in the meantime, we encourage organizations and users to keep their software fully up-to-date.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WinRAR)

The post Multiple APT groups exploited WinRAR flaw CVE-2023-38831 appeared first on Security Affairs.