The Urgent Need to Patch: APTs Persistently Exploiting WinRAR Vulnerability

The Continued Exploitation of the WinRAR Vulnerability

Introduction

State-sponsored threat actors from Russia and China have been leveraging a vulnerability in the popular file archiver tool WinRAR to deliver malware to their targets. The vulnerability, identified as CVE-2023-38831, is a known and patched vulnerability, but systems that haven’t been updated remain vulnerable to these attacks. Researchers at Google’s Threat Analysis Group (TAG) have been tracking these attacks, particularly focusing on the exploitation of the WinRAR vulnerability by government-backed actors in recent weeks.

State-Sponsored Threat Actors Exploiting the WinRAR Vulnerability

According to Google TAG, Russia-backed advanced persistent threat (APT) groups are the primary perpetrators of the latest attacks on WinRAR. APT28, also known as Frozenlake, Fancy Bear, Strontium, or Sednit, is one of the Russia-backed groups that has exploited the WinRAR flaw. They used a phishing campaign that targeted energy infrastructure in Ukraine, using a decoy document inviting targets to an event hosted by Razumkov Center, a public policy think tank in Ukraine. Another Russia-backed group, Sandworm, launched an email campaign impersonating a Ukrainian drone warfare training school to lure victims.

Additionally, a China-backed group known as IslandDreams (APT40) targeted users in Papua New Guinea through a phishing campaign. The attackers delivered infostealers to users by sending emails with a Dropbox link containing a password-protected decoy PDF and an LNK file, which led to the execution of a payload known as Islandstager. This particular attack demonstrates the international reach of these state-sponsored threat actors.

Exploiting the WinRAR Flaw

The WinRAR vulnerability, identified by the cybersecurity firm Group-IB, is a logical vulnerability within the software that allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive. The flaw arises when temporary file expansion, during archive processing, is combined with a quirk in the implementation of Windows ShellExecute when attempting to open a file with an extension containing spaces.

Group-IB discovered the vulnerability in July, but APT groups were already exploiting it as a zero-day bug since April. Within hours of Group-IB publicly discussing its discovery, proof-of-concept exploits (PoCs) and exploit generators appeared on public GitHub repositories. These tools have fueled further attacks on vulnerable systems.

The Latest WinRAR Attacks

In the Sandworm attack, victims received emails that included a link to an anonymous file-sharing service. The service delivered a benign decoy PDF document along with a malicious ZIP file that exploited the WinRAR vulnerability. The payload, named Rhadamanthys, is a commodity infostealer capable of exfiltrating browser credentials and session information.

APT28, in their attack, used a free hosting provider to serve an initial page that redirected users to a mockbin site to perform browser checks. Users were then redirected again, making sure they were accessing the site through an IPv4 address in Ukraine. At this point, users were encouraged to download a file containing a exploit for the WinRAR vulnerability. Another attack by APT28 dropped a PowerShell script called IronJaw, which steals browser login data and local state directories.

APT40, the China-backed group, targeted users in Papua New Guinea through a phishing campaign. The attackers used Dropbox links to deliver a WinRAR exploit in the form of a password-protected decoy PDF. The payload, known as Islandstager, executed and decoded several layers of shellcode, with the final payload being BOXRAT, a .NET backdoor that utilized the Dropbox API as a command-and-control mechanism.

The Issue With Patching

RarLab, the company that developed WinRAR, issued a patch for the vulnerability on July 20 and released an updated version of the software (version 6.23) on August 2. However, despite the availability of these updates, many systems have not been patched, leaving them vulnerable to exploitation.

Kate Morgan from Google TAG emphasized the importance of timely patching in her blog post. She noted that attackers will continue to exploit vulnerabilities even after they have been patched, particularly due to slow patching rates. These recent attacks on WinRAR highlight the ongoing challenges surrounding patching and the need for users to keep their software up-to-date.

Conclusion: The Importance of Software Security

The exploitation of the WinRAR vulnerability by state-sponsored threat actors from Russia and China serves as a reminder of the ever-present cyber threats faced by organizations and individuals. It highlights the importance of robust security measures, including timely patching of software vulnerabilities.

As technology advances and cyber threats become more sophisticated, it is crucial for software developers to prioritize security and release regular updates to address vulnerabilities. However, it is equally important for users to be proactive in updating their software and implementing security measures to protect themselves from potential attacks.

Ultimately, the responsibility of securing software and protecting against cyber threats falls on both developers and users. By working together and prioritizing software security, we can strive to create a safer digital environment for everyone.