Google security researchers say they have found evidence that government-backed hackers linked to Russia and China are exploiting a since-patched vulnerability in WinRAR, the popular shareware archiving tool for Windows.
The WinRAR vulnerability, first discovered by cybersecurity company Group-IB earlier this year and tracked as CVE-2023-38831, allows attackers to hide malicious scripts in archive files that masquerade as seemingly innocuous images or text documents. Group-IB said the flaw was exploited as a zero-day — since the developer had zero time to fix the bug before it was exploited — as far back as April to compromise the devices of at least 130 traders.
Rarlab, which makes the archiving tool, released an updated version of WinRAR (version 6.23) on August 2 to patch the vulnerability.
Despite this, Google’s Threat Analysis Group (TAG) said this week that its researchers have observed multiple government-backed hacking groups exploiting the security flaw, noting that “many users” who have not updated the app remain vulnerable. In research shared with TechCrunch ahead of its publication, TAG says it has observed multiple campaigns exploiting the WinRAR zero-day bug, which it has tied to state-backed hacking groups with links to Russia and China.
One of these groups includes a Russian military intelligence unit dubbed Sandworm, which is known for destructive cyberattacks, like the NotPetya ransomware attack it launched in 2017 that primarily hit computer systems in Ukraine and disrupted the country’s power grid.
TAG researchers observed Sandworm exploiting the WinRAR flaw in early September as part of a malicious email campaign that impersonated a Ukrainian drone warfare training school. The emails contained a link to a malicious archive file exploiting CVE-2023-38831, which when opened installed information-stealing malware on the victim’s machine and stole browser passwords.
Separately, TAG says it observed another notorious Russia-backed hacking group, tracked as APT28 and commonly known as Fancy Bear, using the WinRAR zero-day to target users in Ukraine under the guise of an email campaign impersonating the Razumkov Centre, a public policy think tank in the country. Fancy Bear is best known for its hack-and-leak operation against the Democratic National Committee in 2016.
Google’s findings follow an earlier discovery by threat intelligence company Cluster25, which said last week that it had also observed Russian hackers exploiting the WinRAR vulnerability as a phishing campaign designed to harvest credentials from compromised systems. Cluster25 said it assessed with “low-to-mid confidence” that Fancy Bear was behind the campaign.
Google added that its researchers found evidence that the China-backed hacking group, known as APT40, which the U.S. government has previously linked to China’s Ministry of State Security, also abused the WinRAR zero-day flaw as part of a phishing campaign targeting users based in Papua New Guinea. These emails included a Dropbox link to an archive file containing the CVE-2023-38831 exploit.
TAG researchers warn that the ongoing exploitation of the WinRAR bug “highlights that exploits for known vulnerabilities can be highly effective” as attackers use slow patching rates to their advantage.