Malware hunters in Google’s Threat Analysis Group (TAG) say government-backed hacking teams from different countries are feasting on a well-documented security flaw in the popular WinRAR file archiving utility more than three months after patches were released.
The WinRAR code execution vulnerability, tracked as CVE-2023-38831, was fixed in July after zero-day exploitation was detected, but now, three months later, Google says APT groups linked to Russia and China are still using the exploit with success.
“Cybercrime groups began exploiting the vulnerability in early 2023, when the bug was still unknown to defenders. A patch is now available, but many users still seem to be vulnerable,” Google’s Kate Morgan said in a note documenting the APT discoveries. “After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage.”
Morgan said the flaw, which allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) inside a ZIP archive, has been known since at least April 2023 and immediately attracted the interest of threat actors.
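One way a defender can triage incoming archives for this bug, as an added example that is not Google TAG’s, WinRAR’s, or the article’s own code; it assumes the publicly documented archive layout for CVE-2023-38831 and a hand-picked set of script extensions, and the sample archives it checks are constructed inline with inert contents:

```python
"""Defensive triage for archives laid out like CVE-2023-38831 lures.

Added example, not Google TAG's or WinRAR's code. It relies on the
publicly documented layout for this bug (an assumption stated here,
not taken from the article): a benign-looking decoy file sits beside
a directory of the same name, usually with a trailing space, which
holds a script named after the decoy."""
import io
import posixpath
import zipfile

# Extensions Windows will execute; this set is an assumption for triage.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com"}


def find_spoofed_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, script_entry) pairs that match the pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # Top-level file entries, ignoring trailing whitespace in the name.
    decoys = {n.rstrip() for n in names if "/" not in n}
    hits = []
    for n in names:
        parts = n.split("/")
        if len(parts) < 2:
            continue
        folder, leaf = parts[0].rstrip(), parts[-1].rstrip()
        if folder in decoys and posixpath.splitext(leaf)[1].lower() in SCRIPT_EXTS:
            hits.append((folder, n))
    return hits


def build_sample() -> bytes:
    """Constructed, inert archive with the suspicious layout (no payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.png", b"\x89PNG\r\n\x1a\n")  # decoy PNG header
        zf.writestr("report.png /report.png .cmd", "REM inert placeholder\r\n")
    return buf.getvalue()


def build_clean() -> bytes:
    """Constructed archive with an ordinary layout, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("docs/readme.txt", "release notes\n")
    return buf.getvalue()
```

A hit means the archive deserves sandbox detonation or quarantine before anyone opens it in an unpatched WinRAR; an empty result only says this particular layout is absent.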
“Hours after the blog post [about zero-day exploitation] was released, proofs of concept and exploit generators were uploaded to public GitHub repositories. Shortly after that, TAG began to observe testing activity from both financially motivated and APT actors experimenting with CVE-2023-38831,” Morgan added.
In one case, Google TAG detected the Russia-linked Sandworm delivering decoy PDF documents and malicious ZIP files exploiting the WinRAR bug. Sandworm, aligned with a unit of the Russian Armed Forces’ Main Directorate of the General Staff (GRU), used the exploit to deliver a commodity infostealer that is able to collect and exfiltrate browser credentials and session information from infected machines.
Morgan documented another incident where APT28, another hacking crew linked to the Russian GRU, used a free hosting provider to serve CVE-2023-38831 to target users in Ukraine.
Google said it also caught government-backed groups linked to China launching WinRAR exploits in targeted attacks against users in Papua New Guinea.
“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available. Even the most sophisticated attackers will only do what is necessary to accomplish their goals,” Morgan warned.
Software security defects in the WinRAR application are constantly being targeted by cybercriminals and APT groups. information.killnetswitch has reported on several WinRAR exploitation incidents recently, including usage by financially motivated hackers against traders and by government-backed advanced threat actors.