December 10, 2023

Google's Threat Analysis Group (TAG) has warned users about a vulnerability in WinRAR that is being actively exploited by hacking groups, including allegedly state-sponsored actors.

Threat groups are leveraging a vulnerability tracked as CVE-2023-38831, which resides in WinRAR versions before 6.23 and allows attackers to execute arbitrary code when a user attempts to view a benign-looking file within a specially crafted ZIP archive.

Though exploitation was first detected in April and WinRAR 6.23 has since fixed the flaw, many users remain susceptible: WinRAR has no automatic update mechanism, so the patched version must be installed by hand. The vulnerability lies in WinRAR's file extraction logic, which lets attackers execute arbitrary code on a user's system.


The exploit is triggered when a user double-clicks a file within a ZIP archive in WinRAR. The archive contains a decoy file (for example a PDF or image) and a folder with the same name, both carrying a trailing space, and the folder holds a script whose name is the decoy's name plus an executable extension such as .cmd. WinRAR's extraction logic extracts both the decoy and the folder's contents to a temporary directory and then passes the trailing-space name to the Windows ShellExecute function; because the trailing space prevents an exact match, the shell resolves the name to the script instead of the intended file and runs it.
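The archive layout described above can be spotted before anyone opens the file in WinRAR. The following is an added example, not code from the article or from Google TAG: a small Python scanner that lists a ZIP's entries and flags any file entry that also appears as a folder prefix with an executable script of the same name inside. The decoy name "invoice.pdf ", the payload name and the archive contents are constructed for the example; no real samples are used.

```python
"""Added example: scan a ZIP for the CVE-2023-38831 decoy-plus-folder layout."""
import io
import zipfile

# Extensions Windows ShellExecute will run as programs or scripts.
EXECUTABLE_SUFFIXES = (".cmd", ".bat", ".exe", ".com", ".scr",
                       ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".lnk", ".pif")


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list[dict]:
    """Return one finding per (decoy file, executable payload) pair.

    The exploited layout is a file entry such as "invoice.pdf " (note the
    trailing space) next to a folder "invoice.pdf /" that holds a script named
    "invoice.pdf .cmd". Every file entry is tried as a potential decoy, so
    decoys nested in sub-folders are handled too, because the comparison is
    made on the full entry name.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    files = [n for n in names if not n.endswith("/")]
    findings = []
    for decoy in files:
        folder_prefix = decoy + "/"
        decoy_base = decoy.rsplit("/", 1)[-1]
        for candidate in files:
            if not candidate.startswith(folder_prefix):
                continue
            payload_base = candidate[len(folder_prefix):]
            lowered = payload_base.lower()
            if lowered.startswith(decoy_base.lower()) and lowered.endswith(EXECUTABLE_SUFFIXES):
                findings.append({
                    "decoy": decoy,
                    "payload": candidate,
                    # The trailing space is what makes ShellExecute mis-resolve the name;
                    # a plain file/folder name collision is still worth a look.
                    "trailing_space": decoy.endswith(" "),
                })
    return findings


def build_sample_archive(malicious: bool) -> bytes:
    """Construct an in-memory sample archive (constructed data, not a real capture).

    The malicious variant reproduces only the entry layout; the "payload" is an
    inert echo line, so the sample is safe to build anywhere.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("invoice.pdf ", b"%PDF-1.4\n% decoy, not a valid document\n")
            zf.writestr("invoice.pdf /invoice.pdf .cmd",
                        b"@echo off\r\necho constructed sample\r\n")
        else:
            zf.writestr("invoice.pdf", b"%PDF-1.4\n% harmless document\n")
            zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        hits = find_cve_2023_38831_pattern(build_sample_archive(malicious=flag))
        print("malicious" if flag else "benign", "->", hits)
```

The scanner only inspects entry names, so it is cheap enough to run on a mail gateway or file share; it reports a finding with `trailing_space` set to True for the layout used in the wild, and a False finding for a plain file/folder name collision, which is unusual enough in legitimate archives to deserve a manual look. It is a detection aid, not a substitute for upgrading WinRAR to 6.23 or later.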

The vulnerability is being exploited by allegedly state-sponsored and financially motivated hackers. The Google TAG report highlights two groups of particular concern: Frozenbarents and Frozenlake. Both groups are assessed to be linked to the GRU, Russia's military intelligence agency.

Frozenbarents was found impersonating a Ukrainian training school to deliver malware, while Frozenlake targeted Ukrainian government organizations, with a particular focus on the country's energy infrastructure. Both campaigns used the WinRAR vulnerability to deliver malware, underlining how serious the issue is.


Islanddreams, another attack group believed to be linked to China, also used the vulnerability to target Papua New Guinea. The campaign used phishing emails containing a Dropbox link to a ZIP archive.

Google's researchers note that the persistence of campaigns exploiting an already patched vulnerability underlines the importance of applying patches promptly and of raising awareness among users and organizations of the risks of outdated software.
