Headline
Patch Now: APTs Continue to Pummel WinRAR Bug
State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software’s footprint.
State-sponsored threat actors from Russia and China continue to throttle the remote code execution (RCE) WinRAR vulnerability in unpatched systems to deliver malware to targets.
Researchers at Google’s Threat Analysis Group (TAG) have been tracking attacks in recent weeks that exploit CVE-2023-38831 to deliver infostealers and backdoor malware, particularly to organizations in Ukraine and Papua New Guinea. The flaw is a known and patched vulnerability in RarLab’s popular WinRAR file archiver tool for Windows, but systems that haven’t been updated remain vulnerable.
“TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations,” Kate Morgan from Google TAG wrote in a blog post.
Russia-backed advanced persistent threat (APT) groups are the primary perpetrators of the latest attacks on WinRAR, according to Google TAG. On Sept. 6, Sandworm launched an email campaign impersonating a Ukrainian drone warfare training school using an invitation to join the school as a lure.
The infamous APT28 (aka Frozenlake, Fancy Bear, Strontium, or Sednit), another Russia-backed group, also used the flaw to deliver malware, which was targeting energy infrastructure in Ukraine via a phishing campaign that used a decoy document inviting targets to an event hosted by Razumkov Center, a public policy think tank in Ukraine.
Meanwhile, a phishing campaign from China-backed group IslandDreams (APT40) delivered infostealers to users in Papua New Guinea.
RarLab issued a beta patch for the issue on July 20 and an updated version of WinRAR (version 6.23) on Aug. 2, but many systems remain vulnerable and thus ripe for exploitation, Morgan noted. “After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage,” she wrote.
Exploiting the WinRAR Flaw
Group-IB discovered CVE-2023-38831 — a logical vulnerability within WinRAR — in July. However, APT groups already had been exploiting the flaw as a zero-day bug since April — including one by the Russia-backed threat group Evilnum that used weaponized ZIP files to target cryptocurrency traders.
The potential to exploit the flaw comes when the temporary file expansion, during archive processing, is combined with a quirk in the implementation of Windows ShellExecute when attempting to open a file with an extension containing spaces, according to Google TAG.
“The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive,” Morgan wrote.
Later, mere hours after Group-IB posted its blog post outlining its discovery and analysis of the flaw, proof-of-concept exploits (PoCs) — including fake ones — and exploit generators appeared on public GitHub repositories. These fueled further and ongoing attacks on vulnerable systems.
Latest WinRAR Targeting
In the Sandworm attack, the messages included a link to an anonymous file-sharing service, fex[.]net, which, in turn, delivered a benign decoy PDF document with a drone operator training curriculum and a malicious ZIP file exploiting CVE-2023-38831. The file’s payload was Rhadamanthys, a commodity infostealer that can exfiltrate, among other things, browser credentials and session information. Google TAG noted that use of commodity malware is not typical of Sandworm.
Meanwhile, Google TAG observed APT28 using a free hosting provider to serve an initial page that redirected users to a mockbin site to perform browser checks, and then yet again to another stage, which would ensure the visitor was coming from an IPv4 address in Ukraine. At this point the user would be prompted to download a file containing a CVE-2023-38831 exploit.
In late July and early August, the researchers also observed an APT28 attack that dropped the PowerShell script IronJaw, which steals browser login data and local state directories. The attack vector — which drops a BAT file that opens a decoy PDF file and creates a reverse SSH shell to an attacker-controlled IP address — was a new addition to the APT’s toolkit, according to Google TAG.
Google TAG has linked a fourth recent WinRAR attack to China-backed IslandDreams — which also is tracked as Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp — through a phishing campaign in late August that targeted users in Papua New Guinea. The phishing emails included a Dropbox link to a ZIP archive containing a CVE-2023-38831 exploit in the form of a password-protected decoy PDF and an LNK file, which led to a next-stage payload known as Islandstager.
The Islandstager payload executes and decodes several layers of shellcode, the last of which loads and executes the final payload, BOXRAT, a .NET backdoor that uses Dropbox API as a command-and-control mechanism.
Problematic Patching Delays
Google TAG included indicators of compromise (IOCs) for the various attack scenarios to help users identify if their system is being exploited.
In the meantime, WinRAR users are urged to update their systems if they haven’t already, as the campaigns highlight yet again the importance of timely patching — something that still seems to be a global challenge for software users, Morgan noted.
“These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date,” she wrote.
Related news
Who needs advanced malware when you can take advantage of a bunch of OSS tools and free cloud services to compromise your target?
By Deeba Ahmed Group-IB Report Warns of Evolving Cyber Threats Including AI and macOS Vulnerabilities and Ransomware Attacks. This is a post from HackRead.com Read the original post: Report Uncovers Massive Sale of Compromised ChatGPT Credentials
Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with
Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate
The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28,
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan
A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good
The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a
By Deeba Ahmed All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack. This is a post from HackRead.com Read the original post: APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively
Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as
A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as
This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. “Visiting the link will download a ZIP archive containing three JPG images (
Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind. Alternative video link (for Russia): https://vk.com/video-149273431_456239134 GitHub exploits and Vulristics This month I made some improvements […]
By Habiba Rashid The 0-day vulnerability in WinRAR, which has been exploited, is targeting traders and has successfully stolen funds from 130 victims so far. This is a post from HackRead.com Read the original post: WinRAR users update your software as 0-day vulnerability is found
A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files.
RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.