Nation-State Hackers Exploiting WinRAR, Google Warns


While RARLabs Patched Flaw, ‘Many Users’ Don’t Appear to Have Updated the Software


Nation-state hackers, including Russia’s military intelligence in attacks against Ukraine, are exploiting a vulnerability in WinRAR, a popular Windows file-archiving utility, security experts warn.


Google’s Threat Analysis Group, which tracks nation-state hacking campaigns, said Wednesday that “in recent weeks” it has seen “government-backed hacking groups” hailing from multiple countries, including China and Russia, exploiting the bug. Vendor RARLabs issued a patch 11 weeks ago, but “many users still seem to be vulnerable.”

Nation-state groups TAG has seen exploiting the flaw include Russia’s Sandworm hacking team, a GRU military intelligence unit, which has been running a phishing campaign against the Ukrainian energy sector using a bogus PDF document that purportedly contains “a drone operator training curriculum.” Ukrainian energy infrastructure has been a main focus of Russian hackers (see: WinRAR Weaponized for Attacks on Ukrainian Public Sector).

Another phishing campaign, which TAG attributed to China, targeted Papua New Guineans with Dropbox links that led to malware.

The vulnerability attackers are exploiting, tracked as CVE-2023-38831, centers on how WinRAR handles .zip archives. By crafting an archive in which a benign-looking file, such as a PDF or an image, shares its name with a folder that holds a script, attackers can subvert the extraction logic so that when a user double-clicks the decoy file to view it, WinRAR instead runs the script and the user opens malware.
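Added example, not code from the article, RARLabs or Google TAG: a Python script that checks whether a reported WinRAR version string is at or past the 6.23 fix, and scans a ZIP archive for the lure layout associated with CVE-2023-38831, a top-level file whose name is also used as a folder that contains a script. The two sample archives are constructed in memory for the example; the function names, the extension list and the trailing-space handling are choices made here, not anything the article specifies.

```python
from __future__ import annotations

import io
import posixpath
import sys
import zipfile

# Extensions Windows will hand to ShellExecute as something to run.
# This list is an assumption of the example, not an exhaustive one.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".ps1", ".scr", ".pif", ".lnk"}


def patched_winrar(version: str) -> bool:
    """True if a WinRAR version string such as '6.22' is 6.23 or later,
    the release RARLabs shipped with the fix for CVE-2023-38831."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= (6, 23)


def suspicious_entries(data: bytes) -> list[tuple[str, str]]:
    """Scan ZIP bytes for the CVE-2023-38831 lure layout: a top-level
    file whose name (ignoring trailing spaces) is also a directory, and
    that directory holds a file with an executable extension.
    Returns (decoy_file, script_file) pairs; an empty list if clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    # Derive every directory implied by entry paths; explicit "dir/"
    # entries are optional in ZIP, so do not rely on them being present.
    dir_by_stripped: dict[str, str] = {}
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            d = "/".join(parts[:i])
            dir_by_stripped.setdefault(d.rstrip(), d)
    for decoy in sorted(files):
        if "/" in decoy:
            continue                      # only top-level decoys matter
        folder = dir_by_stripped.get(decoy.rstrip())
        if folder is None:
            continue
        for inner in sorted(files):
            if not inner.startswith(folder + "/"):
                continue
            ext = posixpath.splitext(inner)[1].lower().rstrip()
            if ext in EXECUTABLE_EXTS:
                findings.append((decoy, inner))
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Helper to construct a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (not real samples from the campaigns).
# The lure mimics the reported layout: the decoy name carries a trailing
# space, and a folder with the same name holds a .cmd script.
LURE_ZIP = build_zip({
    "invoice.pdf ": b"%PDF-1.4\n% decoy document\n",
    "invoice.pdf /invoice.pdf .cmd": b"@echo off\r\nrem constructed placeholder\r\n",
})
BENIGN_ZIP = build_zip({
    "report.pdf": b"%PDF-1.4\n",
    "images/logo.png": b"\x89PNG\r\n\x1a\n",
})


if __name__ == "__main__":
    # Usage: python scan_zip.py attachment1.zip attachment2.zip ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = suspicious_entries(fh.read())
        print(f"{path}: {'SUSPICIOUS ' + str(hits) if hits else 'no lure layout'}")
```

The scan only inspects archive metadata, so it is cheap enough to run on every inbound ZIP at a mail gateway or file share. A legitimate archive that happens to contain a file and a same-named folder holding a script will also be flagged, which is rare enough that manual review of hits is practical; the version check is the more durable control, since WinRAR 6.23 removes the underlying behaviour regardless of the lure.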

RARLabs on Aug. 2 released WinRAR version 6.23 to fix multiple vulnerabilities, including the one now being targeted by government-affiliated hackers. Also fixed was CVE-2023-40477, which allowed attackers to remotely execute code of their choosing, provided they could trick a user into visiting “a malicious page or open a malicious file,” according to Trend Micro’s Zero Day Initiative, which worked with…
