Ongoing Peril: WinRAR Vulnerability Persists Despite Patch
Exploitation of the WinRAR vulnerability CVE-2023-38831, initially reported by Group-IB on August 23rd, 2023, continues to pose a significant security risk. Although WinRAR addressed the vulnerability in August 2023, the exposed population appears to remain extensive, and exploitation attempts are reported to have started as early as April 2023. In recent findings from Google's Threat Analysis Group (TAG), researcher Kate Morgan reports that state-backed threat actors are continuing to actively use this exploit in their latest attacks.
Google TAG identified phishing campaigns by the Russian nation-state actors Sandworm (aka FROZENBARENTS) and APT28 (aka FROZENLAKE) exploiting CVE-2023-38831 against Ukrainian government and military defense entities. The malicious archives used in these attacks were found to deliver a reverse SSH shell and an information-stealing PowerShell script. Additionally, Google TAG linked the Chinese threat group APT40 (aka ISLANDDREAMS) to exploitation of the same flaw: the group used it in a phishing campaign in late August 2023 to deliver a .NET backdoor tracked as BOXRAT.
Google TAG and Group-IB have urged organizations and individuals to patch vulnerable instances. Given that threat actors have been exploiting this vulnerability since April 2023 and that a public proof-of-concept (PoC) exploit is available, reducing the attack surface by updating affected WinRAR installations is urgent.