Google's Threat Analysis Group (TAG) found state-backed hackers from Russia and China exploiting a now-patched WinRAR vulnerability. According to cybersecurity firm Group-IB, the vulnerability, identified as CVE-2023-38831, has been extensively abused for at least four months and allowed attackers to breach computers and compromise at least 130 business entities.
The WinRAR bug made it possible for malicious programs to be concealed inside archive files that looked like harmless pictures or text documents. The vulnerability was first disclosed by Group IB on August 23. At the time, they noted that it had been regularly abused since April, giving attackers effective code execution on the computers of their targets.
Targeting cryptocurrency traders, these weaponized ZIP files were disseminated through trading forums while posing as files that seemingly appear as JPG photos or PDF text documents. Over 130 devices were affected by at least eight public trade forums that were compromised, per TechCrunch. The size of the monetary losses is unknown.
Attackers distributed malware payloads, including DarkMe, GuLoader, and Remcos RAT, via the issue. Additionally, the vulnerability was used by several threat actors, including DarkPink and Konni, per Bleeping Computer.
Threats Detected Despite Patch
According to a CoinTelegraph report, the researchers alerted RARLABS, who then patched the Aug. 2 release of WinRAR version 6.23 to address the zero-day issue.
However, TAG has seen several government-sponsored hacker groups take advantage of it, highlighting the vulnerability of many users who have not upgraded their apps.
The notorious Russian military intelligence organization Sandworm, known for damaging assaults like the NotPetya ransomware crisis in 2017, is one of the hacker groups using the WinRAR bug.
In September, TAG researchers noticed Sandworm's harmful actions, which included an email campaign that pretended to be a Ukrainian school for drone warfare.
When victims clicked on a link in the email, they were sent to a malicious archive file that used CVE-2023-38831 to install malware that stole information and browser passwords.
Read Also: Elon Musk's X Launches 'Not a Bot' Test: $1 Fee for New Users in the Philippines, New Zealand
APT28, also known as Fancy Bear, a hacking group with Russian support, used the WinRAR zero-day vulnerability in an email campaign impersonating the Ukrainian public policy think tank Razumkov Centre. This group is notorious for hacking and leaking the DNC in 2016.
Users Advised to Update Online Protection
The use of CVE-2023-38831 serves as a reminder of how successful attacks utilizing known vulnerabilities may be even after remedies have been made available.
These identified hacking risks act as a reminder of the necessity of timely software upgrades and the requirement to improve user accessibility for the patching procedure.
By deceiving users into opening malicious RAR and ZIP packages containing false files, the WinRAR zero-day vulnerability allowed threat actors to execute malware on target PCs. Nevertheless, online security experts highly recommend users update their software as soon as possible to avoid being victimized by cyberattacks.
Related Article: Some Google Pixel 6 Owners Encounter Storage Problems After Updating to Android 14
