Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw

WinRAR security hacked

A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations.

The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively exploited since at least April 2023.

Google Threat Analysis Group (TAG), which detected the activities in recent weeks, attributed them to three different clusters it tracks under the geological monikers FROZENBARENTS (aka Sandworm), FROZENLAKE (aka APT28), and ISLANDDREAMS (aka APT40).

The phishing attack linked to Sandworm impersonated a Ukrainian drone warfare training school in early September and distributed a malicious ZIP file exploiting CVE-2023-38831 to deliver Rhadamanthys, a commodity stealer malware which is offered for sale for $250 for a monthly subscription.

APT28, also affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) as it’s the case with Sandworm, is said to have launched an email campaign targeting government organizations in Ukraine.

In these attacks, users from Ukraine were prompted to download a file containing a CVE-2023-38831 exploit – a decoy document that masqueraded as an event invitation from Razumkov Centre, a public policy think tank in the country.

Read more: