Despite being patched in August, a vulnerability in the widely used WinRAR archiving utility is still being exploited by state-sponsored actors, as reported by Google’s Threat Analysis Group (TAG). Exploitation began earlier this year, before the vulnerability became publicly known.
Google TAG’s advisory notes that although a patch is now available, many users have not applied it and remain exposed to this flaw. TAG has observed government-backed actors from several countries leveraging the WinRAR vulnerability as part of their operations.
Google describes the vulnerability as a logic flaw: WinRAR creates superfluous temporary files when processing a manipulated archive, and, combined with an idiosyncrasy in how Windows’ ShellExecute handles files whose extensions contain spaces, this allows attackers to execute arbitrary code when a user tries to view an innocuous-looking file (such as an ordinary PNG image) inside a ZIP archive.
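The mechanism described above (a decoy file whose extension carries a space, and a temporary-file collision that ShellExecute resolves to a script) leaves a recognisable naming pattern in the archive itself, which is something a mail gateway or endpoint scanner can check before a user ever opens the file. The scanner below is an added example, not code from Google TAG or from the WinRAR project; the executable-extension list is an assumed, non-exhaustive set, and the sample archive is constructed inline with an inert placeholder in place of any script.

```python
import io
import posixpath
import zipfile

# File types ShellExecute would hand to an interpreter; an assumed, non-exhaustive list.
EXECUTABLE_EXTS = {"cmd", "bat", "exe", "com", "vbs", "js", "ps1", "scr", "hta", "wsf", "lnk"}


def _extension(basename):
    # Text after the last dot, or "" if there is none (spaces are kept on purpose).
    return basename.rsplit(".", 1)[1] if "." in basename else ""


def suspicious_entries(zip_bytes):
    """Scan a ZIP (bytes) for the naming pattern; returns sorted (entry, reason) tuples."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = {n for n in names if not n.endswith("/")}
    # Directories implied by every path prefix (explicit directory entries end with "/").
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    findings = []
    for n in sorted(files):
        base = posixpath.basename(n)
        # 1. The decoy: an "image" whose extension contains a space (typically trailing).
        if " " in _extension(base) or base != base.rstrip():
            findings.append((n, "space in file extension"))
        # 2. A directory entry that collides with the decoy's name.
        if n in dirs:
            findings.append((n, "directory entry shares this file's name"))
        # 3. A script inside such a directory, which is what ShellExecute would resolve to.
        parent = posixpath.dirname(n)
        if parent in files and _extension(base).strip().lower() in EXECUTABLE_EXTS:
            findings.append((n, "executable inside a directory named like a file entry"))
    return sorted(findings)


def build_sample_zip():
    """Constructed sample mimicking the pattern; the 'script' is an inert comment line."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign text")
        zf.writestr("docs/readme.md", "benign text")
        zf.writestr("photo.png ", "not an image, just placeholder bytes")
        zf.writestr("photo.png /photo.png .cmd", "rem placeholder, never executed")
    return buf.getvalue()
```

Any non-empty result is worth quarantining for analysis; clean archives with ordinary names produce no findings, so the heuristic is cheap enough to run on every inbound ZIP.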
According to Google, Group-IB has detected these exploits in use since April, with a focus on financial traders. The campaigns identified by Google TAG include Russia’s Sandworm group, which posed as a Ukrainian drone training school to deliver an information-stealing payload, and Frozenlake (also known as APT28), a Russia-linked group that has launched attacks on Ukrainian infrastructure. Another Frozenlake campaign deployed a malicious PowerShell script called Ironjaw to create a reverse SSH shell controlled by the attacker. There was also an attack apparently originating from China and directed at targets in Papua New Guinea.