Recent investigations show that state-sponsored threat actors from Russia and China are exploiting a known, already patched vulnerability in the WinRAR archiver for Windows as part of their cyber operations. The attacks illustrate how quickly such actors fold a reliable public exploit for a widely installed tool into their tradecraft.
The vulnerability, tracked as CVE-2023-38831, carries a CVSS score of 7.8, which places it in the High (not Critical) severity band. It allows arbitrary code execution when a user opens a seemingly harmless file, such as an image or PDF, inside a ZIP archive: the archive also contains a directory with the same name holding a script, and a vulnerable WinRAR extracts and runs that script instead of, or alongside, the decoy. Evidence indicates the flaw has been exploited in the wild since at least April 2023, months before a fixed WinRAR build was released.
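The archive layout used in the wild (a decoy file with a trailing space in its name, beside a same-named directory containing a script that starts with the same name) is distinctive enough to detect before a user ever double-clicks. The following scanner is an added example written for this page, not code from TAG or from any of the reports cited; the helper name, the extension list and the sample archives are assumptions, and the sample archives are constructed in memory with a harmless placeholder instead of any real payload.

```python
import io
import posixpath
import sys
import zipfile

# Extensions that Windows would hand to a shell or script host when launched.
# Assumption: a practical starting list, not an exhaustive one.
EXECUTABLE_EXTS = {
    ".cmd", ".bat", ".com", ".exe", ".scr", ".vbs", ".js", ".jse",
    ".wsf", ".hta", ".ps1", ".lnk",
}


def find_cve_2023_38831_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, script) entry pairs that match the CVE-2023-38831 layout.

    A hit is a file entry (the decoy) for which the archive also contains a
    directory of exactly the same name, and that directory holds a direct child
    whose name begins with the decoy's name and ends in an executable extension.
    Names are compared as stored in the archive, so a trailing space is kept.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    hits: list[tuple[str, str]] = []
    for decoy in files:
        parent, base = posixpath.split(decoy)
        # Path prefix of a directory carrying the decoy's full name.
        prefix = (parent + "/" if parent else "") + base + "/"
        for other in files:
            if not other.startswith(prefix):
                continue
            inner = other[len(prefix):]
            if "/" in inner:
                continue  # only direct children of the same-named directory
            ext = posixpath.splitext(inner)[1].lower()
            if inner.startswith(base) and ext in EXECUTABLE_EXTS:
                hits.append((decoy, other))
    return hits


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample: a decoy 'PDF' and, optionally, the paired script.

    The script body is a harmless placeholder; no exploit payload is included.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4 constructed decoy, not a real PDF")
        zf.writestr("docs/readme.txt", b"constructed benign companion file")
        if malicious:
            # Same-named directory, script name starts with the decoy's name.
            zf.writestr("invoice.pdf /invoice.pdf .cmd", b"echo placeholder\r\n")
    return buf.getvalue()


def scan_file(path: str) -> list[tuple[str, str]]:
    """Scan an on-disk ZIP file; returns the matching pairs (empty if clean)."""
    with open(path, "rb") as fh:
        return find_cve_2023_38831_pairs(fh.read())


if __name__ == "__main__":
    # Usage: python winrar_zip_check.py archive1.zip [archive2.zip ...]
    for p in sys.argv[1:]:
        pairs = scan_file(p)
        verdict = "SUSPICIOUS" if pairs else "clean"
        print(f"{p}: {verdict}")
        for decoy, script in pairs:
            print(f"  decoy {decoy!r} paired with script {script!r}")
```

The check looks only at entry names, so it runs safely on untrusted archives without extracting anything; pair it with a WinRAR version check (6.23 or later is fixed) rather than relying on either alone, since a benign archive can in principle contain a same-named folder.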
The Google Threat Analysis Group (TAG) attributes the activity to three distinct groups, tracked under its own naming scheme: FROZENBARENTS (also known as Sandworm), FROZENLAKE (commonly referred to as APT28), and ISLANDDREAMS (recognized as APT40).
Sandworm ran a phishing campaign that impersonated a Ukrainian drone warfare training school and distributed a malicious ZIP archive exploiting CVE-2023-38831. Successful exploitation delivered Rhadamanthys, a commodity information stealer sold on a subscription basis.
APT28, affiliated with Russia's GRU, launched a targeted email campaign against Ukrainian government entities. The emails pointed recipients to what appeared to be a benign event invitation; the download was in fact an archive carrying a CVE-2023-38831 exploit, so opening the decoy compromised the user's system.
On successful exploitation, the attackers ran a PowerShell script tracked as IRONJAW, which steals browser login data and related sensitive files and sends them to attacker-controlled infrastructure.
APT40 was observed running a phishing campaign focused on Papua New Guinea. Its emails contained a Dropbox link to a ZIP archive hosting the CVE-2023-38831 exploit, a reminder that a link to a legitimate file-sharing service can deliver a malicious attachment just as effectively as a direct email attachment.
The disclosure aligns with findings from Cluster25 describing how APT28 has used the WinRAR vulnerability for credential harvesting. The same flaw has also been picked up by other state-sponsored groups, including Konni and Dark Pink, against targets in a range of sectors. The common factor is the availability of a reliable public exploit for a widely installed tool, which lets unrelated actors adopt the same technique without any coordination between them.
As Kate Morgan of TAG noted, the widespread exploitation of the WinRAR flaw shows that known vulnerabilities can still give attackers a substantial advantage even when patches are available. The practical lesson is that timely patching of user-facing tools such as archivers must be backed by continuous monitoring for exploitation of already-disclosed flaws.