WinRAR, a popular compression software used by over 500 million users, has been targeted by several government-backed hacking groups from Russia and China, who have been exploiting a high-severity vulnerability in the app to gain arbitrary code execution on the victims’ systems.
The WinRAR vulnerability and its patch
The vulnerability, tracked as CVE-2023-38831, allows attackers to hide malicious scripts inside archive files, disguised as seemingly innocuous images or text documents. The flaw was discovered by security researchers from Group-IB, who reported it to Rarlab, the developer of WinRAR, in April 2023. The researchers said that the flaw was exploited as a zero-day, meaning that the developer had no time to fix it before it was abused by hackers, and that at least 130 traders were compromised by the exploit.
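To make the archive layout behind this flaw concrete for defenders, here is an added example (not code from this article, Group-IB, Google TAG or Rarlab) that triages a ZIP archive for the publicly documented CVE-2023-38831 pattern: a decoy file whose name ends in a space sitting beside a same-named directory that holds a script with a similarly space-padded name. The sample archives are constructed in memory with inert placeholder text, and the script-extension list and the two heuristics are the author's assumptions, not a complete signature; it goes slightly beyond the paragraph by spelling out the name-collision layout rather than only "hidden scripts".

```python
"""Triage helper for the CVE-2023-38831 archive layout (added example, not Rarlab code).

Reported exploit archives pair a decoy file whose name ends in a space ("report.pdf ")
with a directory of the same name holding a script ("report.pdf /report.pdf .cmd").
This scanner flags that layout in ZIP files without extracting anything. RAR-format
archives would need a different parser; only ZIP is handled here (assumption).
"""
from __future__ import annotations

import io
import posixpath
import zipfile

# Extensions Windows hands to an interpreter or loader rather than a viewer (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".vbe", ".js", ".jse",
               ".wsf", ".wsh", ".ps1", ".hta", ".scr", ".pif", ".lnk"}


def _split_ext(basename: str) -> tuple[str, str]:
    """Split 'report.pdf .cmd' into ('report.pdf ', '.cmd'); the extension is lower-cased."""
    dot = basename.rfind(".")
    if dot <= 0:
        return basename, ""
    return basename[:dot], basename[dot:].lower()


def scan_archive(zip_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means the pattern was not seen."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.namelist()
    files = [m for m in members if not m.endswith("/")]
    # Directories are often implied by member paths rather than stored as entries.
    dirs = {m.rstrip("/") for m in members if m.endswith("/")}
    for m in files:
        if "/" in m:
            dirs.add(m.rsplit("/", 1)[0])

    for m in files:
        stem, ext = _split_ext(posixpath.basename(m))
        # Heuristic 1: a script whose base name ends in a space ("report.pdf .cmd").
        if ext in SCRIPT_EXTS and stem.endswith(" "):
            findings.append(f"script with space-padded name: {m!r}")
        # Heuristic 2: a top-level decoy that shares its name (ignoring trailing spaces)
        # with a directory; a file/directory name collision is itself anomalous.
        if "/" not in m:
            twins = [d for d in dirs if d.rstrip(" ") == m.rstrip(" ")]
            for d in twins:
                for f in files:
                    if f.startswith(d + "/") and _split_ext(posixpath.basename(f))[1] in SCRIPT_EXTS:
                        findings.append(f"decoy {m!r} paired with directory script {f!r}")
    return findings


def build_sample(layout: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member_name: content} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in layout.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the "suspicious" one mirrors the reported layout but carries
# only inert placeholder text; the "benign" one is an ordinary archive.
SUSPICIOUS_SAMPLE = build_sample({
    "report.pdf ": b"placeholder decoy bytes (constructed)",
    "report.pdf /report.pdf .cmd": b"rem placeholder text, not a payload (constructed)",
})
BENIGN_SAMPLE = build_sample({
    "holiday.jpg": b"placeholder image bytes (constructed)",
    "notes/readme.txt": b"nothing to see here (constructed)",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = scan_archive(blob)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

Run it on its own and the constructed suspicious archive yields two findings (the decoy/directory pairing and the space-padded script name) while the benign archive yields none. The scanner reads only the central directory, so it is safe to run on quarantined mail attachments; treat a hit as a reason to block and investigate, not as proof of the specific CVE, since the heuristics will also fire on unusual but legitimate naming.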

Rarlab released an updated version of WinRAR (version 6.23) on August 2, 2023, to patch the vulnerability. However, many users who have not updated the app remain vulnerable to the exploit, according to Google’s Threat Analysis Group (TAG), which monitors state-sponsored hacking activities.
The state-backed hacking campaigns using the WinRAR exploit
In a report shared with TechCrunch, TAG said that it has observed multiple campaigns using the WinRAR exploit, which it has tied to state-backed hacking groups with links to Russia and China. One of these groups is Sandworm, a Russian military intelligence unit known for destructive cyberattacks, such as the NotPetya ransomware attack in 2017 and the disruption of Ukraine’s power grid.
TAG researchers observed Sandworm exploiting the WinRAR flaw in early September 2023 as part of a malicious email campaign that impersonated a Ukrainian drone warfare training school. The emails contained a link to a malicious archive file exploiting CVE-2023-38831, which, when opened, installed information-stealing malware on the victim’s machine and stole browser passwords.
Another notorious Russian hacking group, APT28 or Fancy Bear, also used the WinRAR exploit to target users in Ukraine under the guise of an email campaign impersonating the Razumkov Centre, a public policy think tank in the country. Fancy Bear is best known for its involvement in the hacking of the Democratic National Committee in 2016.
Google’s findings follow an earlier discovery by threat intelligence company Cluster25, which said that it had also observed Russian hackers exploiting the WinRAR vulnerability as a phishing campaign designed to harvest credentials from compromised systems. Cluster25 said it assessed with “low-to-mid confidence” that Fancy Bear was behind the campaign.
Beyond the Russian groups, TAG also found evidence that a Chinese hacking group, known as APT40 or Leviathan and linked to China’s Ministry of State Security, abused the WinRAR flaw as part of a phishing campaign targeting users based in Papua New Guinea. The campaign was aimed at gaining access to sensitive information related to the country’s politics and economy.
The implications of the WinRAR exploit and how to protect yourself
The WinRAR exploit shows how state-backed hackers can leverage known vulnerabilities in widely used software to conduct espionage and sabotage operations against their targets. The exploit also demonstrates how slow vulnerability remediation rates can expose users to attacks even after patches are available.
To protect yourself from the WinRAR exploit and similar threats, update WinRAR to version 6.23 or later, and in general install software updates as soon as they are available. You should also avoid opening suspicious attachments or links from unknown sources and use antivirus software to scan your system regularly.