Russian and Chinese state-sponsored threat actors have been discovered abusing a known vulnerability in the popular archiving tool WinRAR to extract sensitive information such as passwords and other login credentials.
Google’s Threat Analysis Group (TAG), which usually tracks and analyzes state-sponsored hacking players, claims to have found evidence that the flaw, identified earlier as CVE-2023-38831 by Group-IB, was being used to hide malware in archived files.
To the average Joe, the files would look like your average image or text document. However, when downloaded and extracted, they’d infect the device with infostealing malware capable of grabbing different files and information from the endpoint, such as passwords and payment data stored in browsers, various system information, and more.
Sandworm, APT40, and others
To make matters worse, this isn’t just one or two groups targeting WinRAR users – apparently, it’s “multiple” groups targeting “many users” who are yet to apply the patch.
The patch does exist: RarLab, the company behind WinRAR, released version 6.23 in early August this year to address the issue. However, there is no way to update the program from within. Users need to head over to the WinRAR website, download the latest version, and run the installer as if they’re installing the program from scratch.
Users will want to patch, though, as one of the groups was identified as Sandworm, a Russian military intelligence unit that allegedly interfered with the 2016 presidential elections in the United States. It was also observed as quite an active player in the Russia-Ukraine war, and was behind the infamous 2017 NotPetya ransomware attack.
Another identified player is APT40, a Chinese hacking collective allegedly tied to the Chinese Ministry of State Security. It used the flaw to target endpoints in Papua New Guinea via a Dropbox link.
The WinRAR vulnerability “highlights that exploits for known vulnerabilities can be highly effective”, TAG’s researchers concluded.
Via TechCrunch