Russian and Chinese state-sponsored threat actors have been discovered abusing a known vulnerability in the popular archiving tool WinRAR to extract sensitive information such as passwords and other login credentials.
Google’s Threat Analysis Group (TAG), which tracks and analyzes state-sponsored hacking groups, claims to have found evidence that the flaw, earlier identified by Group-IB as CVE-2023-38831, was being used to hide malware in archived files.
To the average Joe, the files would look like an ordinary image or text document. However, once downloaded and extracted, they’d infect the device with infostealing malware capable of grabbing files and information from the endpoint, such as passwords and payment data stored in browsers, various system information, and more.
Sandworm, APT40, and others
To make matters worse, this isn’t just one or two groups targeting WinRAR users - apparently, it’s “multiple” groups targeting “many users” who are yet to apply the patch.
The patch does exist: RarLab, the company behind WinRAR, released version 6.23 in early August this year to address the issue. However, there is no way to update the program from within WinRAR itself. Users need to head over to the WinRAR website, download the latest version, and run the installer as if they were installing the program from scratch.
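Because WinRAR has no in-app updater, an administrator has to verify the installed version by hand. The following script is an added example (not code from the article or from RarLab) that compares the local WinRAR version against 6.23; the default install paths and the "WinRAR archiver" uninstall key name are assumptions about typical 64-bit installs and may differ on custom setups.

```powershell
# Added example: report whether the local WinRAR is below 6.23, the version
# the article names as addressing CVE-2023-38831.
# Assumptions: default install paths and the uninstall key name shown below.

$FixedVersion = [version]'6.23'

function Get-WinRarVersion {
    # Prefer the product version stamped on WinRAR.exe; fall back to the
    # uninstall registry entry if the executable is not in a default path.
    $candidates = @(
        "$env:ProgramFiles\WinRAR\WinRAR.exe",
        "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
    )
    foreach ($exe in $candidates) {
        if (Test-Path $exe) {
            $raw = (Get-Item $exe).VersionInfo.ProductVersion
            # Keep only major.minor[.build]; vendors sometimes append text
            if ($raw -match '^\d+\.\d+(\.\d+)?') { return [version]$Matches[0] }
        }
    }
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver'
    if (Test-Path $key) {
        $raw = (Get-ItemProperty $key).DisplayVersion
        if ($raw -match '^\d+\.\d+(\.\d+)?') { return [version]$Matches[0] }
    }
    return $null
}

$installed = Get-WinRarVersion
if ($null -eq $installed) {
    Write-Output 'WinRAR not found in the default locations.'
} elseif ($installed -lt $FixedVersion) {
    Write-Output "WinRAR $installed is below $FixedVersion: still exposed to CVE-2023-38831. Reinstall from the vendor site; there is no in-app updater."
} else {
    Write-Output "WinRAR $installed is at or above $FixedVersion."
}
```

Run it under an account that can read the registry and Program Files; for a fleet, the same function can be invoked through remoting and the results collected centrally.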
Users will want to patch, though, as one of the groups was identified as Sandworm, a Russian military intelligence unit that allegedly interfered with the 2016 presidential elections in the United States. It was also observed as quite an active player in the Russia-Ukraine war, and was behind the infamous 2017 NotPetya ransomware attack.
Another identified player is APT40, a Chinese hacking collective allegedly tied to the Chinese Ministry of State Security. It used the flaw to target endpoints in Papua New Guinea via a Dropbox link.
The WinRAR vulnerability “highlights that exploits for known vulnerabilities can be highly effective”, TAG’s researchers concluded.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.