Google’s Threat Analysis Group (TAG) has disclosed that several state-backed hacking groups are exploiting a critical vulnerability in outdated versions of WinRAR, the popular compression software used by over 500 million people worldwide. Through this flaw, attackers gain arbitrary code execution on victims’ systems.
TAG’s investigation has identified state-backed hackers from numerous countries, including the well-known Russia-based Sandworm and APT28 groups and China’s APT40. These groups are actively exploiting the vulnerability.
Over the past weeks, TAG has observed exploitation of the known WinRAR vulnerability, CVE-2023-38831, which still has a wide base of unpatched users even though a security patch is available. Threat actors had already been exploiting this vulnerability as a zero-day since April 2023, typically tricking victims into opening malicious RAR and ZIP archives to gain access to their systems.
The vulnerability has been used to deliver various malware payloads, including DarkMe, GuLoader, and Remcos RAT. In one brazen attack in September, the Sandworm group distributed the Rhadamanthys infostealer through fake invitations to a Ukrainian drone flying school.
APT28 has targeted Ukrainian users with exploits hosted on a server, deploying the malicious IRONJAW PowerShell script to steal browser credentials. Separately, APT40 targeted Papua New Guinea, distributing the ISLANDSTAGER and BOXRAT malware, which allowed the threat actors to establish long-term access to infected systems.