Several APT groups, including two highly capable and active Russian teams, are running campaigns to target a known vulnerability in the popular WinRAR archive utility and deliver a variety of commodity and custom malware and backdoors.
The attackers are going after CVE-2023-38831, a bug in many versions of the WinRAR utility that can lead to arbitrary code execution. The WinRAR team released a patch for the flaw in August, but cybercrime groups had been exploiting it since at least April, when it was still unknown to researchers. Although the update has been available for more than two months, advanced threat groups are still finding success exploiting it, showing that uptake of the patch is still lagging in some organizations.
Google’s Threat Analysis Group, which specifically tracks advanced threat actors and government-backed attack teams, has observed at least three separate APT groups exploiting this vulnerability in recent months. Two of the groups are teams associated with Russia’s Armed Forces’ Main Directorate of the General Staff (GRU), its main military intelligence unit. Those groups are the notorious Sandworm team and APT28, a group also known as Fancy Bear. The other group Google TAG has seen exploiting the WinRAR bug is China’s APT40.
WinRAR has more than 500 million users worldwide and is used widely in enterprises across various industries. The specific vulnerability these groups have been targeting is a flaw in the way that WinRAR processes some specially crafted archive files.
The two Russian groups have been targeting Ukrainian organizations with lures tied to the ongoing Russian invasion. Sandworm, which Google TAG calls Frozenbaremts, has been running a phishing campaign since early September that delivers an infostealer called Rhadamanthys.
“Rhadamanthys is a commodity infostealer that is able to collect and exfiltrate browser credentials and session information among other things. It operates on a subscription-based model and can be rented out for as low as $250 for 30 days. Usage of commercially available infostealers, that are typically employed by cybercrime actors, is atypical of FROZENBARENTS,” TAG researchers said in a new analysis of the campaigns.
APT28, which Google refers to as Frozenlakes, is taking a similar tack, sending targeted phishing emails that use a decoy PDF document to deliver malware.
“TAG observed that FROZENLAKE used a free hosting provider to serve CVE-2023-38831 to target users in Ukraine. The initial page redirected users to a mockbin site to perform browser checks and redirect to the next stage, which would ensure the visitor was coming from an IPv4 address in Ukraine and would prompt the user to download a file containing a CVE-2023-38831 exploit. The decoy document was an event invitation from Razumkov Centre, a public policy think tank in Ukraine,” the TAG analysis says.
The APT28 attacks also sometimes exploits this vulnerability to drop a PDF document that will open a reverse SSH shell to connect to an attacker-controlled machine, which then executes a small Powershell script known as Ironjaw. The malware steals browser information.
“IRONJAW was first observed being distributed by ISO files hosted on free hosting providers in late July through early August and attributed to FROZENLAKE. The additional delivery of IRONJAW via exploitation of CVE-2023-38831 and the reverse SSH tunnel were new additions to the typical FROZENLAKE toolkit,” the analysis says.
The third group seen exploiting this bug, APT40, has been targeting victims in Papua New Guinea with phishing emails that eventually drop a malware stager TAG calls Islandstager.
“ISLANDSTAGER configures persistence by adding “ImagingDevices.exe” to “CurrentVersion\Run” registry key. It then decodes several layers of shellcode, the last of which is generated using Donut, that loads and executes the final payload, BOXRAT, in-memory. BOXRAT is a .NET backdoor that uses Dropbox API as a C2 mechanism,” the analysis says.
Organizations should update to WinRAR 6.23 as soon as possible to protect against exploitation.